Problem in RTC while connecting from a separate client m/c

2»

Comments

  • XIII
    XIII Member Posts: 6
    The issue is resolved, as we suspected the SPN was the problem. We found a solution by Lars Lohndorf-Larsen on :
    http://blogs.msdn.com/nav_developer/archive/2009/06/12/setting-up-nav-2009-on-three-machines.aspx

    The SPN in our case had to be :
    DynamicsNAV/NAV-SERVER.Domain.com:7046

    as opposed to the old :
    NAV-SERVER_DynamicsNAV/NAV-SERVER.Domain.com:7046

    Thnx all for the help.
  • aliennav
    aliennav Member Posts: 449
    Is it necessary that the server and the client machines should be in the same domain??
    I mean, isn't it enough for them to be in same LAN??
  • kine
    kine Member Posts: 12,562
    aliennav wrote:
    Is it necessary that the server and the client machines should be in the same domain??
    I mean, isn't it enough for them to be in same LAN??

    You need to take into account that they are using Windows Authentication, it means if they are not in same domain, you need to set somehow the authentication to work... ;-)
    Kamil Sacek
    MVP - Dynamics NAV
    My BLOG
    NAVERTICA a.s.
  • aliennav
    aliennav Member Posts: 449
    kine wrote:
    aliennav wrote:
    Is it necessary that the server and the client machines should be in the same domain??
    I mean, isn't it enough for them to be in same LAN??

    You need to take into account that they are using Windows Authentication, it means if they are not in same domain, you need to set somehow the authentication to work... ;-)


    Hi Kine
    I can unbderstand that in this case domain is required but I am asking in general that LAN will work or I should add the system in domain (both the systems in same domain).??
  • kine
    kine Member Posts: 12,562
    LAN and domain are two different things on two different levels. You cannot make some relation between them, thus I do not understand your question.

    LAN is about physical network between computers and other devices (routers, switches, pc etc.). Domain is about authentication, logical organization of devices, users etc. (domain, tree, forest, OUs, groups, users, etc.).
    Kamil Sacek
    MVP - Dynamics NAV
    My BLOG
    NAVERTICA a.s.
  • aliennav
    aliennav Member Posts: 449
    kine wrote:
    LAN and domain are two different things on two different levels. You cannot make some relation between them, thus I do not understand your question.

    LAN is about physical network between computers and other devices (routers, switches, pc etc.). Domain is about authentication, logical organization of devices, users etc. (domain, tree, forest, OUs, groups, users, etc.).


    Got it.
    Thanx
  • aliennav
    aliennav Member Posts: 449
    kine wrote:
    LAN and domain are two different things on two different levels. You cannot make some relation between them, thus I do not understand your question.

    LAN is about physical network between computers and other devices (routers, switches, pc etc.). Domain is about authentication, logical organization of devices, users etc. (domain, tree, forest, OUs, groups, users, etc.).


    When there are 2 different domains involved,then what should I do??

    I have heared a thing called domain trust but the documentation is not good.Can you provide me with some good documentation??
    Thanx in advance
  • mihail_kolev
    mihail_kolev Member Posts: 379
    Did you add the keys in the client config file?
    <add key="DelegationInfo" value="DomainUser"></add>
    <add key="AllowNtlm" value="false"></add>
    <add key="ServicePrincipalNameRequired" value="true"></add>

    I just looked over the posts, sorry if i replicate smth/smbd.

    NAV Server and SQL Server services also need to use one domain account as Logon account.

    Also try to set the user not using "Kerberos only" but any authentication protocol. For some reason in my case the relation Client<->NAV Server is using NTLM, and NAV Server<->SQL is using Kerberos. I'm still troubleshooting this but the client is working fine.

    And once again - manage your SPNs if you're not.

    Good luck :)
    -Mihail- [MCTS]
  • alexpeck
    alexpeck Member, Microsoft Employee Posts: 37
    In NAV 2009 SP1 we have simplified the process of configuring delegation. You no longer have to specify whether the service runs as a local or domain account in client config, and you now have better control over the authentication scheme - you can specify whether you want to allow authentication via NTLM and whether an SPN is required.

    In summary, the DelegationInfo key only applies to NAV 2009. The AllowNtlm and ServicePrincipalNameRequired keys apply only to NAV 2009 SP1.

    The walkthrough in the documentation (installing three tiers on three computers) describes a set up where both SQL and NAV services run under the same service account. Perhaps the documentation is misleading, but this is not a requirement. It is more secure to use discrete service accounts.

    @mihail_kolev: In Active Directory, if you trust a user to present delegated credentials using any protocol, you are allowing NTLM. If you want to force the RTC to authenticate using Kerberos, set the 'Use Kerberos only' option in Active Directory, and for SP1 clients set the config key AllowNtlm=false.

    Alex
  • mihail_kolev
    mihail_kolev Member Posts: 379
    alexpeck wrote:
    ...
    @mihail_kolev: In Active Directory, if you trust a user to present delegated credentials using any protocol, you are allowing NTLM. If you want to force the RTC to authenticate using Kerberos, set the 'Use Kerberos only' option in Active Directory, and for SP1 clients set the config key AllowNtlm=false.

    Alex

    Well, I know that, but when I set it to "Kerberos only", the NAV Service is using the NTLM connecting to SQL server, when is set to "Any protocol" it uses Kerberos authentication.
    -Mihail- [MCTS]
  • aliennav
    aliennav Member Posts: 449
    I created the domain trust and it's working fine.
    That means YES there is something called as domain trust required for running RTC in 2 different domains.
    Thanx

Categories