Hi,
I have a three tier setup:
BCWEB1 - Running the webclient.
BCWEB2 - Running the webclient.
BCSER - Running the BC service tier
BCSQL - Running the SQL server.
dom\ser_bc - Is the service account, running both the BC Service tier, and the application pool.
BCWEB is the internal DNS name pointing to the internal Azure Load Balancer.
IIS on both web serveres are configured to use windows authentication and set to use the application pool credentials.
If I start the webclient local on one of the webservers, it works fine using
https://localhost/BC18
If I go to another server, and uses either BCWEB (Load balancer) og directly to BCWEB1 or 2, i get the following error:
The Service Principal Name (Delegation) configuration has been set incorrectly. Server connect URL: "net.tcp://BCSER:7046/BC18/Service". SPN Identity: "DynamicsNAV/BCSER:7046" The remote server did not satisfy the mutual authentication requirement.
I did a lot of investigation, and managed to get it to work by allow delegation to the computer account BCWEB1 and 2.
But it only lasted for one day... Then the webservers needed to be rebooted, in order fro kerberos to work.
I think I might have ran into this error:
https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/kerberos-and-load-balancing/ba-p/399539
But it states that I should not assign delegations to the computer object but to the service user runníng the app pool.
The user has the DynamicsNAV/BCSER:7046 delegation but I'm stuck with the error:
The Service Principal Name (Delegation) configuration has been set incorrectly. Server connect URL: "net.tcp://BCSER:7046/BC18/Service". SPN Identity: "DynamicsNAV/BCSER:7046" The remote server did not satisfy the mutual authentication requirement.
Can anyone point me in the right direction?