Hi!
We've got a working configuration of NAV 2009 R2 passed on from the previous team, with the NST and DB-Tier running on the same server. We are trying to move the NST to a separate one. After creating all SPNs mentioned in the MS FAQ and setting up delegation permissions, we get quite a weird result. RTC runs fine on the NST server. When run on any other machine (incl. the DB-Tier) it shows the following error:
Microsoft Dynamics NAV
The login failed when connecting to SQL Server DBTIER.FQDN.NAME\SQL_INSTANCE_NAME.
OK
At the same time SQL server logs:
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. Reason: Could not find a login matching the name provided.
Any ideas?
Thank you in advance!
Answers
Network Service is a local account. If you're separating the SQL from the NST, the permission given in the SQL database to Network Service is no longer valid, as the Network Service on machine A is not the same as the Network Service on machine B.
You need to add the relevant permissions in your database to the your_domain\your_NST_server_name$ account.
Slawek
Dynamics NAV, MS SQL Server, Wherescape RED;
PRINCE2 Practitioner - License GR657010572SG
GDPR Certified Data Protection Officer - PECB License DPCDPO1025070-2018-03
All services in question run with dedicated accounts; no NetworkService is used. We had tried to grant the same privileges and SPN to the NAV server computer account and switch to NetworkService - no changes occurred then.
Here are the current listings for setspn -L:
Registered ServicePrincipalNames for CN=NavServiceAccount:
DynamicsNAV/navserver.fqdn.name:7046
DynamicsNAV/navserver:7046
Registered ServicePrincipalNames for CN=SQLServiceAccount:
MSSQLSvc/sqlserver:5433
MSSQLSvc/sqlserver.fqdn.name:5433
There is no difference between the results of connecting via RTC with NavServiceAccount or my own credentials. The result seems to depend solely on the computer running RTC.
P.S. I'm new to posting in this forum. Please excuse me if my Answers:No mark affects your profile. Let me know if it does. I was confused by the "Answered" state of the question.
Can you ask your AD admin to check if NavServiceAccount is trusted for delegation? Also please check if it is marked as Kerberos Only - you may want to untick that one.
Slawek
Finally got the 3-Tier to work. I can't point to the exact action; here is the list of them:
1) Recreated the SPN for the NST - I believed that I had either mistyped the Service Principal Name or chosen the wrong SPN (i.e. DynamicsNAV instead of the instance-specific SPN).
2) Re-enabled Kerberos in the delegation tab of NavServiceAccount and SQLServiceAccount and explicitly added the corresponding SPNs.
3) Tried to run the service with limited privileges as an ordinary user - some guys on the Web mentioned this as a way to "purge the Kerberos cache".
I will list most of the instance-specific configuration in detail once I create the pre-production environment (with WS and integration).
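Added example, not code from this thread, from Microsoft or from the poster: a PowerShell diagnostic that checks the three things the thread ends up fixing (the SPNs on both service accounts, whether the NST account is trusted for delegation and in which mode, and whether the NST-to-SQL hop actually authenticates with Kerberos). It assumes the RSAT ActiveDirectory module, setspn.exe and sqlcmd.exe are available where it runs, that you have read access to the two accounts, and it reuses the thread's own placeholder names (NavServiceAccount, SQLServiceAccount, the SPNs from the setspn -L listing and the server name from the error dialog), which you would replace with your own.

```powershell
# Added diagnostic for the three-tier Kerberos problem in this thread.
# Not from the thread or from Microsoft. Assumes RSAT ActiveDirectory module,
# setspn.exe and sqlcmd.exe; account and host names below are the thread's
# placeholders and must be replaced with your own.
Import-Module ActiveDirectory

$NavServiceAccount = 'NavServiceAccount'                  # NST service account (from the thread)
$SqlServiceAccount = 'SQLServiceAccount'                  # SQL Server service account (from the thread)
$SqlServer         = 'DBTIER.FQDN.NAME\SQL_INSTANCE_NAME' # placeholder taken from the RTC error text
$ExpectedSpns = @{
    $NavServiceAccount = @('DynamicsNAV/navserver.fqdn.name:7046', 'DynamicsNAV/navserver:7046')
    $SqlServiceAccount = @('MSSQLSvc/sqlserver.fqdn.name:5433',    'MSSQLSvc/sqlserver:5433')
}

# userAccountControl bits behind the "Delegation" tab in AD Users and Computers
$TRUSTED_FOR_DELEGATION         = 0x80000    # "Trust this user for delegation to any service (Kerberos only)"
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with "Use any authentication protocol"

function Get-DelegationState {
    # Summarise the SPNs and delegation flags of one service account.
    param([Parameter(Mandatory)][string]$Account)
    $u   = Get-ADUser -Identity $Account -Properties servicePrincipalName, userAccountControl, 'msDS-AllowedToDelegateTo'
    $uac = [int]$u.userAccountControl
    [pscustomobject]@{
        Account            = $u.SamAccountName
        SPNs               = @($u.servicePrincipalName)
        UnconstrainedKerb  = (($uac -band $TRUSTED_FOR_DELEGATION) -ne 0)
        ProtocolTransition = (($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0)
        ConstrainedTargets = @($u.'msDS-AllowedToDelegateTo')   # empty unless constrained delegation is configured
    }
}

function Test-ExpectedSpns {
    # Report every expected SPN the account does not carry, then ask AD who holds each one.
    param([Parameter(Mandatory)][string]$Account, [string[]]$Expected)
    $have = (Get-DelegationState -Account $Account).SPNs
    foreach ($spn in $Expected) {
        if ($have -notcontains $spn) { Write-Warning "$Account is missing SPN $spn" }
        & setspn.exe -Q $spn    # shows which account (if any) actually owns this SPN
    }
}

foreach ($acct in $ExpectedSpns.Keys) {
    $state = Get-DelegationState -Account $acct
    $state | Format-List
    Test-ExpectedSpns -Account $acct -Expected $ExpectedSpns[$acct]

    # The NST account must be allowed to delegate to SQL: either unconstrained, or
    # constrained with the MSSQLSvc SPNs listed in msDS-AllowedToDelegateTo.
    # Without that, the second hop reaches SQL as NT AUTHORITY\ANONYMOUS LOGON.
    if ($acct -eq $NavServiceAccount) {
        if (-not $state.UnconstrainedKerb -and $state.ConstrainedTargets.Count -eq 0) {
            Write-Warning "$acct is not trusted for delegation; the NST -> SQL hop will arrive as ANONYMOUS LOGON"
        }
        if ($state.ConstrainedTargets.Count -gt 0) {
            foreach ($spn in $ExpectedSpns[$SqlServiceAccount]) {
                if ($state.ConstrainedTargets -notcontains $spn) {
                    Write-Warning "constrained delegation on $acct does not list $spn"
                }
            }
        }
    }
}

# A duplicate SPN anywhere in the forest silently breaks Kerberos for that service.
& setspn.exe -X

# Run this part on the NST server itself: it shows whether the first hop (NST -> SQL)
# uses Kerberos at all. NTLM here means the MSSQLSvc SPN is wrong or missing, and no
# delegation setting will help until that is fixed.
$q = "SELECT s.login_name, c.auth_scheme, c.client_net_address " +
     "FROM sys.dm_exec_connections c JOIN sys.dm_exec_sessions s ON c.session_id = s.session_id " +
     "WHERE c.session_id = @@SPID"
& sqlcmd.exe -E -S $SqlServer -Q $q
```

Run the AD part from any domain-joined machine with RSAT; run the final sqlcmd query while logged on to the NST server under the NST service account, since auth_scheme reports how that particular session authenticated. The two userAccountControl bits are the documented ADS_UF_TRUSTED_FOR_DELEGATION and ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION flags; an account configured for constrained delegation in "Kerberos only" mode has neither bit set and is recognised purely by a non-empty msDS-AllowedToDelegateTo.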