spn 3 tier webservices nav2009R2

soetie

Hi all,

where having a problem with setting up 3 tier against sql 2012.

We are running nav2009r2 classic, and no service tier.

We have configured everything but when we login we are getting the message:
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. Reason: Could not find a login matching the name provided.

when im running this command in sql:
@spid _>
im getting back NLTM and no kerberos

Spn's we have setup

Z:\>setspn -l domain\sa-webservice
Geregistreerde ServicePrincipalNames voor CN=sa-webservice,OU=Service,OU=Account
s,OU=,DC=domain,DC=local:
HTTP/APP-01
HTTP/APP-01.domain.local
DAW/APP-01:7046

Z:\>setspn -l domain\sa-sql
Geregistreerde ServicePrincipalNames voor CN=sa-sql,OU=Service,OU=Accounts,OU=BK
F,DC=domain,DC=local:
MSSQLSvc/SQL-01.domain.local:1433
MSSQLSvc/SQL-01.domain.local
MSSQLSvc/SQL-01
MSSQLSvc/SQL-01:1433

Z:\>setspn -l domain\APP-01
Geregistreerde ServicePrincipalNames voor CN=APP-01,OU=Servers,OU=,DC
=domain,DC=local:
DAW/APP-01:7047 (Dynamics aynwhere)
DAW/APP-01.domain.local:7047
HTTP/APP-01.domain.local:7047
HTTP/APP-01:7047
MSSQLSvc/APP-01.domain.local
MSSQLSvc/APP-01.domain.local:1433
WSMAN/APP-01.domain.local
WSMAN/APP-01
TERMSRV/APP-01
TERMSRV/APP-01.domain.local
RestrictedKrbHost/APP-01
HOST/APP-01
RestrictedKrbHost/APP-01.domain.local
HOST/APP-01.domain.local

Z:\>setspn -l domain\SQL-01
Geregistreerde ServicePrincipalNames voor CN=SQL-01,OU=Servers,OU=,DC
=domain,DC=local:
WSMAN/SQL-01
WSMAN/SQL-01.domain.local
TERMSRV/SQL-01
TERMSRV/SQL-01.domain.local
RestrictedKrbHost/SQL-01
HOST/SQL-01
RestrictedKrbHost/SQL-01.domain.local
HOST/QL-01.domain.local

servers are allowing in domain all services, kerberos only
also the service accounts, are confidentials setting is enabled and the settings allow to all services, kerberos only

what is going wrong here?

SandeepPoonia

Did you configure SPN for Application & Database for same account or diffrent account?

soetie

Thanks for reply

Sa-sql is database service account.
Sa-web service is for webservice

The spn's are set as Descriped in first Post
do i miss some Spn

(App 01 is webservice server sql 01 sql server)

SandeepPoonia

Please use the below link Installing the Three Tiers on Three Computers.

https://msdn.microsoft.com/en-us/library/dd301254.aspx

It will clear the concept of Three Tier.

soetie

already followed the instruction but still no luck.

already have some spn:
On the Delegation tab, click Trust this user for delegation to specified services only, and then click Use Kerberos only. also set

'but still the error:
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. Reason: Could not find a login matching the name provided.

SandeepPoonia

You need to add the service to which this account can be present delegated credentials for Nav Server account.

soetie

Please specify,

You need to add the service to which this account can be present delegated credentials for Nav Server account.

This account, which account do you mean? and which service do you mean? sql service, or nav web service?
Could you please describe what to do?

otherwise i dont get it/

thanks

SandeepPoonia

Yes. this is part of delegation. When you open property of Application server account, on delegation tab you have to add SQL service with Port Number as you have already created for Database server.

soetie

to bad, setting was already set, and still same error

ErictP

I think the delegation is missing on the service-account.

Try this one:

setspn -A instancename/Servername.Domain.local:port Domain\serviceaccount

In your case:
setspn -A DAW/APP-01.domain.local:7046 domain\sa-webservice

soetie

hi

so from active directory i have removed all spn's which where added,
ran: klist purge, and rebooted everything.

my 2 servers and service account are set to delegate to al services kerberos only, and the accounts are set to accounts are trusted.

`this is what i have right now:
C:\Windows\system32>setspn -l domain\-SQL-01 SQL SERVER
Geregistreerde ServicePrincipalNames voor CN=-SQL-01,OU=Servers,OU=BKF,DC
=domain,DC=local:
WSMAN/-SQL-01
WSMAN/-SQL-01.domain.local
TERMSRV/-SQL-01
TERMSRV/-SQL-01.domain.local
RestrictedKrbHost/-SQL-01
HOST/-SQL-01
RestrictedKrbHost/-SQL-01.domain.local
HOST/-SQL-01.domain.local

C:\Windows\system32>setspn -l [b]domain\-APP-01 NAV SERVER[/b]
Geregistreerde ServicePrincipalNames voor CN=-APP-01,OU=Servers,OU=BKF,DC
=domain,DC=local:
WSMAN/-APP-01.domain.local
WSMAN/-APP-01
TERMSRV/-APP-01
TERMSRV/-APP-01.domain.local
HOST/-APP-01
HOST/-APP-01.domain.local

C:\Windows\system32>setspn -l domain\sa-sql SA SERVICE ACCOUNT
Geregistreerde ServicePrincipalNames voor CN=sa-sql,OU=Service,OU=Accounts,OU=BK
F,DC=domain,DC=local:
MSSQLSvc/-SQL-01.domain.local:1433
MSSQLSvc/-SQL-01.domain.local

C:\Windows\system32>setspn -l domain\sa-webservice nav webservice account
Geregistreerde ServicePrincipalNames voor CN=sa-webservice,OU=Service,OU=Account
s,OU=BKF,DC=domain,DC=local:

C:\Windows\system32>

SandeepPoonia

Revert whatever you have done for Three Tier Configuration and follow the step as given in below link. It will resolve your problem.

https://msdn.microsoft.com/en-us/library/dd301254.aspx

soetie

added

setspn -A DAW/-APP-01:7046 domain\sa-webservice
setspn -A DAW/-APP-01.domain.local:7046 domain\sa-webservice

setspn -A MSSQLSvc/-SQL-01.domain.local:1433 domain\sa-sql
setspn -A MSSQLSvc/-SQL-01:1433 domain\sa-sql

setspn -A DAW/-APP-01.domain.local:7047 domain\sa-webservice
setspn -A DAW/-APP-01:7047 domain\sa-webservice

restarted sql and nav server:
logged in from daw portal:
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. Reason: Could not find a login matching the name provided. [CLIENT: 192.168.6.4]
-
The login failed when connecting to SQL Server