Howdy, Stranger!
Categories
- All Categories
- 73 General
- 73 Announcements
- 66.5K Microsoft Dynamics NAV
- 18.5K NAV Three Tier
- 38.4K NAV/Navision Classic Client
- 3.6K Navision Attain
- 2.4K Navision Financials
- 115 Navision DOS
- 854 Navision e-Commerce
- 1K NAV Tips & Tricks
- 772 NAV Dutch speaking only
- 615 NAV Courses, Exams & Certification
- 2K Microsoft Dynamics-Other
- 1.5K Dynamics AX
- 264 Dynamics CRM
- 109 Dynamics GP
- 10 Dynamics SL
- 1.5K Other
- 992 SQL General
- 385 SQL Performance
- 33 SQL Tips & Tricks
- 34 Design Patterns (General & Best Practices)
- Architectural Patterns
- 10 Design Patterns
- 5 Implementation Patterns
- 53 3rd Party Products, Services & Events
- 1.7K General
- 1.1K General Chat
- 1.6K Website
- 79 Testing
- 1.2K Download section
- 23 How Tos section
- 259 Feedback
- 12 NAV TechDays 2013 Sessions
- 13 NAV TechDays 2012 Sessions
Options
Problem with delegation...
JesperTP
Member Posts: 3
Hi,
I have a three tier setup:
BCWEB1 - Running the webclient.
BCWEB2 - Running the webclient.
BCSER - Running the BC service tier
BCSQL - Running the SQL server.
dom\ser_bc - Is the service account, running both the BC Service tier, and the application pool.
BCWEB is the internal DNS name pointing to the internal Azure Load Balancer.
IIS on both web serveres are configured to use windows authentication and set to use the application pool credentials.
If I start the webclient local on one of the webservers, it works fine using https://localhost/BC18
If I go to another server, and uses either BCWEB (Load balancer) og directly to BCWEB1 or 2, i get the following error:
The Service Principal Name (Delegation) configuration has been set incorrectly. Server connect URL: "net.tcp://BCSER:7046/BC18/Service". SPN Identity: "DynamicsNAV/BCSER:7046" The remote server did not satisfy the mutual authentication requirement.
I did a lot of investigation, and managed to get it to work by allow delegation to the computer account BCWEB1 and 2.
But it only lasted for one day... Then the webservers needed to be rebooted, in order fro kerberos to work.
I think I might have ran into this error:
https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/kerberos-and-load-balancing/ba-p/399539
But it states that I should not assign delegations to the computer object but to the service user runníng the app pool.
The user has the DynamicsNAV/BCSER:7046 delegation but I'm stuck with the error:
The Service Principal Name (Delegation) configuration has been set incorrectly. Server connect URL: "net.tcp://BCSER:7046/BC18/Service". SPN Identity: "DynamicsNAV/BCSER:7046" The remote server did not satisfy the mutual authentication requirement.
Can anyone point me in the right direction?
I have a three tier setup:
BCWEB1 - Running the webclient.
BCWEB2 - Running the webclient.
BCSER - Running the BC service tier
BCSQL - Running the SQL server.
dom\ser_bc - Is the service account, running both the BC Service tier, and the application pool.
BCWEB is the internal DNS name pointing to the internal Azure Load Balancer.
IIS on both web serveres are configured to use windows authentication and set to use the application pool credentials.
If I start the webclient local on one of the webservers, it works fine using https://localhost/BC18
If I go to another server, and uses either BCWEB (Load balancer) og directly to BCWEB1 or 2, i get the following error:
The Service Principal Name (Delegation) configuration has been set incorrectly. Server connect URL: "net.tcp://BCSER:7046/BC18/Service". SPN Identity: "DynamicsNAV/BCSER:7046" The remote server did not satisfy the mutual authentication requirement.
I did a lot of investigation, and managed to get it to work by allow delegation to the computer account BCWEB1 and 2.
But it only lasted for one day... Then the webservers needed to be rebooted, in order fro kerberos to work.
I think I might have ran into this error:
https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/kerberos-and-load-balancing/ba-p/399539
But it states that I should not assign delegations to the computer object but to the service user runníng the app pool.
The user has the DynamicsNAV/BCSER:7046 delegation but I'm stuck with the error:
The Service Principal Name (Delegation) configuration has been set incorrectly. Server connect URL: "net.tcp://BCSER:7046/BC18/Service". SPN Identity: "DynamicsNAV/BCSER:7046" The remote server did not satisfy the mutual authentication requirement.
Can anyone point me in the right direction?
0