NAV 2009 R2
Hi,
I have some trouble using the webservice.
We're using the 3 tier environment without any problem for some years now.
Now we also want to use the webservice so I walked through this thread:
How to: Configure Web Services with Delegation
The NAVServerService and the NAVWebservice are running with the same domain user account.
Also the SQL-Server is running with the same account.
SPN for the domain user account running the services:
DynamicsNAV/NAVSERVER.domain.de:7046
DynamicsNAV/NAVSERVER:7046
http/NAVSERVER.domain.de:7047
http/NAVSERVER:7047
MSSQLSvc/SQLSERVER.domain.de:1433
MSSQLSvc/SQLSERVER:1433
I've set the delegation for the domain user account as described in the walkthrough for the 3-Tier installation.
So the user is trusted for delegation to the MSSQLSvc on SQLSERVER, with Kerberos only.
With RTC everything works properly.
When I try to call the webservice with a Browser (IE or chrome) with a domain user (i.e. domain\user1) I get:
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <s:Fault>
      <faultcode xmlns:a="urn:microsoft-dynamics-schemas/error">a:Microsoft.Dynamics.Nav.Types.NavDatabasePasswordException</faultcode>
      <faultstring xml:lang="de-DE">The login failed when connecting to SQL Server SQLSERVER.</faultstring>
      <detail>
        <string xmlns="http://schemas.microsoft.com/2003/10/Serialization/">The login failed when connecting to SQL Server SQLSERVER.</string>
      </detail>
    </s:Fault>
  </s:Body>
</s:Envelope>
Calling the webservice from any client with the domain user account running the services is working properly.
In the event log from the NAVSERVER I can see that a domain user (i.e. domain\user1) logs on correctly with logon type 3 (network).
But in the event log from the SQLSERVER I can see a logon error "NT-AUTHORITY\ANONYMOUS LOGON" with event id 18456.
So I think there is a problem with the delegation.
But I can't find any configuration issue.
Any help is appreciated - thank you.
best regards
Dirk
Answers
Independent Consultant/Developer
blog: https://dynamicsuser.net/nav/b/ara3n
Thank you for your reply.
Which SPNs do you mean?
There are just the typical SPNs set for this server, for example Host/.. WSMAN/.. TERMSRV/.. and so on. There is no SPN set for DynamicsNAV/, http/ or MSSQLSvc/ for the server.
These SPNs are only set on the domain user account under which the services are running.
As already mentioned the 3-Tier Environment with RTC works properly.
regards
Dirk
The problem is already solved.
The solution is to untick the "Use Kerberos only" authentication option for the service user account which is trusted for delegation. By selecting "use any authentication" instead, you enable NTLM authentication. This is called protocol transition.
If you tick "Use Kerberos only", this prevents the use of NTLM and forces authentication with Kerberos only. But the browser uses NTLM authentication.
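The behaviour described in this thread, as an added example that is not part of the original posts: a PowerShell sketch that classifies a service account's delegation setting from its userAccountControl flags and shows which client logons can be delegated to the SQL SPN. The function names, the sample flag values and the `<service-account>` placeholder are assumptions for illustration; the SPNs are the ones listed in the question.

```powershell
# Added example. userAccountControl bits as defined for Active Directory accounts.
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol"

function Get-DelegationMode {                # hypothetical helper
    param([Parameter(Mandatory)][int]$UserAccountControl,
          [string[]]$AllowedToDelegateTo = @())
    if ($UserAccountControl -band $TRUSTED_FOR_DELEGATION) { return 'Unconstrained' }
    if ($AllowedToDelegateTo.Count -eq 0)                  { return 'None' }
    if ($UserAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION) {
        return 'ConstrainedAnyProtocol'      # protocol transition allowed
    }
    return 'ConstrainedKerberosOnly'
}

function Test-DelegationToBackend {          # hypothetical helper
    param([string]$Mode, [string]$ClientAuth,
          [string]$TargetSpn, [string[]]$AllowedToDelegateTo = @())
    switch ($Mode) {
        'None'          { return $false }
        # Unconstrained delegation needs the client's forwarded Kerberos ticket.
        'Unconstrained' { return ($ClientAuth -eq 'Kerberos') }
        default {
            if ($AllowedToDelegateTo -notcontains $TargetSpn) { return $false }
            if ($ClientAuth -eq 'Kerberos') { return $true }
            # An NTLM client presents no ticket, so the service must obtain one
            # on the user's behalf; that only works with protocol transition.
            return ($Mode -eq 'ConstrainedAnyProtocol')
        }
    }
}

# Constructed sample values (0x200 = normal account). On a live domain, read them with:
#   Get-ADUser <service-account> -Properties userAccountControl,'msDS-AllowedToDelegateTo'
$allowed = @('MSSQLSvc/SQLSERVER.domain.de:1433', 'MSSQLSvc/SQLSERVER:1433')
$target  = 'MSSQLSvc/SQLSERVER.domain.de:1433'
$cases   = @(
    @{ Name = 'Kerberos only'; Uac = 0x200 },
    @{ Name = 'Any protocol';  Uac = (0x200 -bor $TRUSTED_TO_AUTH_FOR_DELEGATION) }
)
foreach ($c in $cases) {
    $mode = Get-DelegationMode -UserAccountControl $c.Uac -AllowedToDelegateTo $allowed
    foreach ($auth in 'Kerberos', 'NTLM') {
        $ok = Test-DelegationToBackend -Mode $mode -ClientAuth $auth `
                  -TargetSpn $target -AllowedToDelegateTo $allowed
        '{0,-14} {1,-24} client={2,-8} delegated to SQL: {3}' -f $c.Name, $mode, $auth, $ok
    }
}
```

With protocol transition enabled, the service account can obtain tickets to the listed services for any user, so the list of services it may delegate to is best kept as short as the one in the question.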