Howdy, Stranger!
Categories
- All Categories
- 73 General
- 73 Announcements
- 66.6K Microsoft Dynamics NAV
- 18.7K NAV Three Tier
- 38.4K NAV/Navision Classic Client
- 3.6K Navision Attain
- 2.4K Navision Financials
- 115 Navision DOS
- 854 Navision e-Commerce
- 1K NAV Tips & Tricks
- 772 NAV Dutch speaking only
- 615 NAV Courses, Exams & Certification
- 2K Microsoft Dynamics-Other
- 1.5K Dynamics AX
- 301 Dynamics CRM
- 109 Dynamics GP
- 10 Dynamics SL
- 1.5K Other
- 993 SQL General
- 384 SQL Performance
- 34 SQL Tips & Tricks
- 34 Design Patterns (General & Best Practices)
- Architectural Patterns
- 10 Design Patterns
- 5 Implementation Patterns
- 53 3rd Party Products, Services & Events
- 1.7K General
- 1.1K General Chat
- 1.6K Website
- 79 Testing
- 1.2K Download section
- 23 How Tos section
- 259 Feedback
- 12 NAV TechDays 2013 Sessions
- 13 NAV TechDays 2012 Sessions
Webservices - SETSPN - NAV2016 - Issue
BennyVL
Member Posts: 10
When a middltier-service-account has the correct rights in AD (Write Public Information - SELF), it can register his own SPN's.
If you enable everything you get:
DynamicsNAV/instance:7045
DynamicsNAV/instance.domain:7045
DynamicsNAV/server:7046
DynamicsNAV/server.domain:7046
DynamicsNAV/server:7047
DynamicsNAV/server.domain:7047
DynamicsNAV/server:7048
DynamicsNAV/server.domain:7048
The result is that the webservice is working on the server itself but we can't call it from other machines.
There's something wrong with the Kerberos security, the pré-authentication fails.
This I can solve by creating an extra SPN
HTTP/server domain\ServiceAccount
HTTP/server.domain domain\ServiceAccount
But at that this point we lose the webclient-functionality and the remote-powershell-functionality.
This last issue we can solve by creating a second SPN
http/server:5985 server
http/server.domain:5985 server
https/server:5986 server
https/server.ktn.group:5986 server
Anyone has an idea?
If you enable everything you get:
DynamicsNAV/instance:7045
DynamicsNAV/instance.domain:7045
DynamicsNAV/server:7046
DynamicsNAV/server.domain:7046
DynamicsNAV/server:7047
DynamicsNAV/server.domain:7047
DynamicsNAV/server:7048
DynamicsNAV/server.domain:7048
The result is that the webservice is working on the server itself but we can't call it from other machines.
There's something wrong with the Kerberos security, the pré-authentication fails.
This I can solve by creating an extra SPN
HTTP/server domain\ServiceAccount
HTTP/server.domain domain\ServiceAccount
But at that this point we lose the webclient-functionality and the remote-powershell-functionality.
This last issue we can solve by creating a second SPN
http/server:5985 server
http/server.domain:5985 server
https/server:5986 server
https/server.ktn.group:5986 server
Anyone has an idea?
0
Best Answer
-
BennyVL
Member Posts: 10
Final resolution in collaboration with Microsoft:
https://blogs.msdn.microsoft.com/nav/2018/02/14/service-principal-names-spn-for-dynamics-nav-web-services/0
Answers
Possible workaround; Use a separate application service for web services, allowing NTLM only there?
Also, if you run the NAV service with user as Network Service you won't have this issue afaik.
Kind regards, Gudmundur
https://blogs.msdn.microsoft.com/nav/2018/02/14/service-principal-names-spn-for-dynamics-nav-web-services/