Webservices - SETSPN - NAV2016 - Issue
BennyVL
Member Posts: 10
When a middle-tier service account has the correct rights in AD (Write Public Information - SELF), it can register its own SPNs.
If you enable everything you get:
DynamicsNAV/instance:7045
DynamicsNAV/instance.domain:7045
DynamicsNAV/server:7046
DynamicsNAV/server.domain:7046
DynamicsNAV/server:7047
DynamicsNAV/server.domain:7047
DynamicsNAV/server:7048
DynamicsNAV/server.domain:7048
The result is that the webservice is working on the server itself but we can't call it from other machines.
There's something wrong with the Kerberos security, the pre-authentication fails.
This I can solve by creating an extra SPN
HTTP/server domain\ServiceAccount
HTTP/server.domain domain\ServiceAccount
But at this point we lose the webclient functionality and the remote PowerShell functionality.
This last issue we can solve by creating a second SPN
http/server:5985 server
http/server.domain:5985 server
https/server:5986 server
https/server.ktn.group:5986 server
Does anyone have an idea?
Best Answer
-
Final resolution in collaboration with Microsoft:
https://blogs.msdn.microsoft.com/nav/2018/02/14/service-principal-names-spn-for-dynamics-nav-web-services/
Answers
-
Extra info: If I enable NTLM everything is working but we don't want to use NTLM.
-
Hi Benny.
Possible workaround; Use a separate application service for web services, allowing NTLM only there?
Also, if you run the NAV service with user as Network Service you won't have this issue afaik.
Kind regards, Gudmundur
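
A read-only check of which account owns each SPN discussed in this thread, as an added example that is not from any of the posters or from Microsoft. It assumes the ActiveDirectory (RSAT) PowerShell module and a search of the current domain only; `server` and `server.domain` are the thread's placeholder host names.

```powershell
# Added example. 'server' and 'server.domain' are the thread's placeholders;
# replace them with the real short name and FQDN of the NAV server.
Import-Module ActiveDirectory

$hostNames = 'server', 'server.domain'
$classes   = 'HTTP', 'HTTPS', 'DynamicsNAV'

$found = foreach ($class in $classes) {
    foreach ($name in $hostNames) {
        $spn = "$class/$name"
        # Match the bare SPN and any port-qualified form (e.g. :7047, :5985).
        $filter = "(|(servicePrincipalName=$spn)(servicePrincipalName=${spn}:*))"
        Get-ADObject -LDAPFilter $filter -Properties servicePrincipalName, sAMAccountName |
            ForEach-Object {
                $account = $_
                $account.servicePrincipalName |
                    Where-Object { $_ -eq $spn -or $_ -like "${spn}:*" } |
                    ForEach-Object {
                        [pscustomobject]@{
                            SPN         = $_
                            Owner       = $account.sAMAccountName
                            ObjectClass = $account.ObjectClass
                        }
                    }
            }
    }
}

# Every matching SPN and the account the KDC will issue its tickets for.
$found | Sort-Object SPN, Owner | Format-Table -AutoSize

# The same SPN on more than one account breaks Kerberos for that name.
$found | Group-Object SPN | Where-Object Count -gt 1 |
    ForEach-Object { Write-Warning "Duplicate SPN $($_.Name): $($_.Group.Owner -join ', ')" }

# HTTP/HTTPS SPNs held by a non-computer account: tickets for that name are
# encrypted for that account, so services running as the machine cannot use them.
$found | Where-Object { $_.SPN -match '^https?/' -and $_.ObjectClass -ne 'computer' } |
    ForEach-Object { Write-Warning "$($_.SPN) is registered to $($_.Owner), not the computer account" }
```

Run it before and after each SPN change to see which registration moved a name from the computer account to the service account.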
