3-Tier setup problem with access delegation
Ian_Wilson
Member Posts: 25
I am following the Walkthrough: Installing the Three Tiers on Three Computers topic from the nav_install.chm that is on the DVD.
I have the DB, Nav Server and Nav Client machines setup running Win2k8, Win2k8 and Vista.
I have configured a Domain Account for the Nav Server service to run under and ran the command to Create a Service Principal Name. I have edited the ClientUserSettings.config and added the key as directed (<add key="DelegationInfo" value="DomainUser"></add>).
I then come to the section of the help file headed "Delegating Access to the SQL Server Service", at step 10 it says "In the list of services, click MSSQLSvc, the SQL Server service." - the problem I have is that MSSQLSvc is not listed.
It doesn't help that the online version of the walkthrough (http://msdn.microsoft.com/en-us/library/dd301254.aspx) is slightly different.
Can anyone offer any advice as to where I may have gone wrong please?
0
Comments
-
Try adding these to ClientUserSetting.config:
<add key="AllowNtlm" value="false" />
<add key="ServicePrincipalNameRequired" value="true" />
Also be sure that you edit the file in the Documents and Settings\<username>\Local Settings\Application Data\Microsoft\Microsoft Dynamics NAV directory.
Also, if that does not work, check your SPNs.
-Mihail- [MCTS]
0 -
Give this a shot:
Open up the user you created to run the service in Users and Computers
Select the Delegation tab
Set it to “Trust this user for delegation to specified services only"
And set it to “use Kerberos only”
Then press “Add”
Find the user you created to run the service (and created the SPN for)
You should see the MSSQLSvc for the user there to add.
If you don't then you may not have created the right SPN for the user. You can use ADSIEdit.msc to see what the service principal names are for the user.
Here are examples of the SPN I created:
MSSQLSvc/domain.servername
MSSQLSvc/domain.servername:1433
Good luck!0 -
Thanks for the suggestions. I will give them a try.
One thing I should have added to the original post is that I am trying to use SQL Server 2008.
Will update when I have had chance to test this further.0 -
I am doing all of this on some Hyper-V machines, so I rolled back to bare Win2k8 and started again.
I am just stuck at the same point.
I have set up a Domain User called NavServer and used the following command to create the SPN (test domain is called marvel):
C:\Users\Administrator.PDC>setspn -A DYNNAV-SERVER_DynamicsNAV/DYNNAV-SERVER.marvel.company.com:7046 marvel\NAVServer
Registering ServicePrincipalNames for CN=NAVServer,CN=Users,DC=marvel,DC=company,DC=com
        DYNNAV-SERVER_DynamicsNAV/DYNNAV-SERVER.marvel.company.com:7046
Updated object
I can see the SPN in ADSI Edit.
Yet when I get to step 10 in the "To delegate access to the SQL Server Service" of the walkthrough (when I have right-clicked DYNNAV-SERVER and on the Delegation tab have clicked "Trust this computer for delegation to specified services only" and "Use Kerberos only" and clicked [Add] and added DYNNAV-SQL-SERVER) I see the list of "Available services:" shown here.
MSSQLSvc is not there! ](*,)0 -
Are you trying to set up NAV with the NAV service running as Network Service or a domain user account? When you specify 'Trust this computer for delegation to the specified services only', this implies that you have gone to properties on the computer that is running the NAV service. If you have the NAV service running as Network Service, you should go to the properties of the computer running NAV in active directory. If you have the service running as a domain user (as the walkthrough explains), you should go to properties on the user account for the NAV service in active directory.
Earlier you said you were following the walkthrough, so I will assume this is the case. When you specify 'Trust this user for delegation to the specified services only' in AD, in the dialog when you press Add, you need to specify the SQL Server service account.
Let's assume your NAV service is running as a domain user called marvel\NAVServer and SQL Server services run as a domain user called marvel\SqlServer.
You should create SPNs for SqlServer as follows:
setspn -a MSSQLSvc/SQL-SERVER.marvel.company.com marvel\SqlServer
setspn -a MSSQLSvc/SQL-SERVER.marvel.company.com:1433 marvel\SqlServer
where SQL-SERVER is the name of the computer where SQL Server is running.
The SPN you gave for NAV looks good, assuming you are using NAV 2009 RTM (not hotfixed, not SP1 CTP), NAVServer is a domain user account, and DYNNAV-SERVER is the name of the computer running the NAV service.
Now, you should be able to go into the AD snap in and find the user NavServer. Go to properties, then delegation. Press Add, then Users or Computers... and enter SqlServer. You should then see a list of services with SPNs that run under the account SqlServer - this should include MSSQLSvc.
Alex0 -
Thanks. None of those steps are in the Walkthrough.
The SQL Database Engine User is called SQLDBE. I have set the SPNs up as per the suggestion.0 -
-
I have now set up the SQL Server Login and DB User for domain account NAVServer.
0 -
Now, when I run the RTC on DYNNAV-CLIENT, it pauses for about a minute and then shows this error message.
I have checked on the DYNNAV-CLIENT for the ClientUserSettings.config files.
There are two;
\\dynnav-client\c$\ProgramData\Microsoft\Microsoft Dynamics NAV
\\dynnav-client\c$\Users\administrator\AppData\Local\Microsoft\Microsoft Dynamics NAV
Both contain this;
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <appSettings>
    <add key="Server" value="DYNNAV-SERVER"></add>
    <add key="ServerInstance" value="DynamicsNAV"></add>
    <add key="ServerPort" value="7046"></add>
    <add key="DelegateInfo" value="DomainUser"></add>
  </appSettings>
</configuration>
0 -
I also have set the permissions on the NAV Server Folder.
\\dynnav-server\c$\Program Files (x86)\Microsoft Dynamics NAV\60\Service
0 -
On machine DYNNAV-Server, service Microsoft Dynamics NAV Server is started.
The Log On tab shows "o This account NAVServer@marvel.company.com" and not the usual format of "MARVEL\NAVServer"
The file \\dynnav-server\c$\Program Files (x86)\Microsoft Dynamics NAV\60\Service\CustomSettings.config contains this:
<?xml version="1.0" encoding="UTF-8"?>
<appSettings>
  <!-- The network protocol used to access the database.
       Valid options: Default, NamedPipes, Sockets -->
  <add key="NetType" value="Default"></add>

  <!-- Name of the database server to connect to. -->
  <add key="DatabaseServer" value="DYNNAV-SQL"></add>

  <!-- Name of the database to connect to. -->
  <add key="DatabaseName" value="Demo Database Nav (6-0)"></add>

  <!-- Name of the Microsoft Dynamics NAV Server instance to connect to (for client)
       or listen on (for server). -->
  <add key="ServerInstance" value="DynamicsNAV"></add>

  <!-- The listening TCP port for the Microsoft Dynamics NAV Server.
       This is part of the server's URL.
       Valid range: 1-65535 -->
  <add key="ServerPort" value="7046"></add>

  <!-- The listening HTTP port for the Microsoft Dynamics NAV Business Web Services.
       This is part of the web service's URL.
       Valid range: 1-65535 -->
  <add key="WebServicePort" value="7047"></add>

  <!-- Turns on or off the https for Web Services -->
  <add key="WebServiceSSLEnabled" value="false"></add>

  <!-- Maximum permitted size of a Web Services request, in kilobytes -->
  <add key="WebServicesMaxMsgSize" value="512"></add>

  <!-- Maximum time in seconds a call from the client to the server may take to return.
       Time span format: [dd.]hh:mm:ss[.ff]
       dd: days
       hh: hours
       mm: minutes
       ss: seconds
       ff: fractions of a second
       Or "MaxValue" to indicate there is no timeout. -->
  <add key="OperationTimeout" value="MaxValue"></add>

  <!-- The security services used to protect the client/server data stream.
       Valid options: EncryptAndSign, Sign, None -->
  <add key="ProtectionLevel" value="EncryptAndSign"></add>

  <!-- Maximum number of concurrent client calls that can be active on the
       Microsoft Dynamics NAV Server.
       To disable this setting set the value to "MaxValue". -->
  <add key="MaxConcurrentCalls" value="40"></add>

  <!-- Sets the grace period within which the client can reconnect to a running session.
       Time span format: [dd.]hh:mm:ss[.ff]
       dd: days
       hh: hours
       mm: minutes
       ss: seconds
       ff: fractions of a second
       Or "MaxValue" to indicate there is no timeout. -->
  <add key="ClientReconnectPeriod" value="00:10:00"></add>

  <!-- Threshold for when to start compressing data sets to avoid that they
       consume prohibitive amounts of memory. -->
  <add key="CompressionThreshold" value="64"></add>

  <!-- Sets the Metadata Provider cache size (in number in objects cached).
       Set to 0 to disable cache. -->
  <add key="MetadataProviderCacheSize" value="150"></add>

  <!-- Limits the size of files that can be uploaded in order to avoid out of memory errors.
       This value is in megabytes. -->
  <add key="MaxUploadSize" value="5"></add>

  <!-- With the EnableDebugging flag set to true the Microsoft Dynamics NAV Server
       will start with debugging mode enabled.
       This mode has three main functions:
       1) Upon first connection by a RoleTailored Client all C# for that application will be generated.
       2) C# files will be persisted between server restarts.
       3) Application Objects will be compiled with debug information. -->
  <add key="EnableDebugging" value="false"></add>
</appSettings>
0 -
Your setup of the SPNs and delegation looks correct.
I think NAV will connect to SQL Server using TCP/IP if you set NetType = Default in the service config. Therefore, check whether TCP/IP is enabled on SQL Server using the SQL config management tool - I often forget this. Also, you will need to open the port (1433 by default) on the firewall.
Since you created the SPN for NAV using a fully qualified name, I think you need to also specify a fully qualified name in the clientUserSettings.config file, e.g. <add key="Server" value="DYNNAV-SERVER.marvel.company.com"></add>.
Also, after you make changes to SPNs you should restart the affected services.
Alex0 -
TCP/IP is enabled on the SQL Server, the firewall on all 3 machines is turned off.
I changed the clientUserSettings.config file (both of them on the Client tier machine) to contain <add key="Server" value="DYNNAV-SERVER.marvel.company.com"></add>.
The 3 machines can all resolve each other's name and ping each other.
Now when I run the RTC on the Client tier PC, I get this after a minute or so pause:
If I click [Yes] to try again, the same message is displayed after a minute or so.
If I click [No], I am shown this:
If I click [Connect], after a minute or so pause, I am shown this:
So, slightly different, but back to where I was last week ](*,)0 -
what about "DYNAV-SERVER.marvel.com/DynamicsNAV"
-Mihail- [MCTS]
0
-
-
I saw from the MSDN article on troubleshooting connection problems (http://msdn.microsoft.com/en-us/library/dd983822.aspx) that Named Pipes needs to be enabled as well.
It wasn't on my server, so I enabled it and still get the same problem ](*,)0 -
Here is the latest.
I have set up a 4th VM called Nav2009AllTier and installed SQL and Nav Server and both of the clients on to it using Install Demo option from the installation DVD.
So I now have 4 machines:
- DYNNAV-SQL - The SQL Server, Win2k8 and SQL2k8
- DYNNAV-Server - The Navision middle tier server, Win2k8
- DYNNAV-Client - The client tier, WinVista
- NAV2009AllTier - New server, Win2k8 and SQL2k8
What I can do with the Classic Client
On DYNNAV-Client I can open CRONUS on DYNNAV-SQL and on Nav2009AllTier using server name DYNNAV-SQL and Nav2009AllTier respectively.
On NAV2009AllTier I can open CRONUS on DYNNAV-SQL using Server name DYNNAV-SQL and I can open CRONUS on Nav2009AllTier using Server name Nav2009AllTier or localhost.
What I can do with the RTC
On Nav2009AllTier I can open CRONUS on Nav2009AllTier using Server name Nav2009AllTier/DynamicsNAV
On DYNNAV-Client I can open CRONUS on Nav2009AllTier using Server name Nav2009AllTier/DynamicsNAV
What I cannot do with the RTC
I cannot, on DYNNAV-Client or Nav2009AllTier, open Cronus using Server name DYNNAV-Server/DynamicsNAV
](*,)0 -
This is written to the App Event Log on DYNNAV-Client when I try to use the RTC to connect to DYNNAV-Server.
Log Name: Application
Source: Microsoft.Dynamics.Nav.Client
Date: 05/08/2009 16:39:00
Event ID: 0
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: DYNNAV-CLIENT.marvel.company.com
Description:
Type: Microsoft.Dynamics.Nav.Types.NavServerNotFoundException
SuppressMessage: False
FatalityScope: None
Message: A server was not found at "net.tcp://dynnav-server:7046/DynamicsNAV/Service". Either the URL is incorrect or the server is currently not available.
StackTrace:
   at Microsoft.Dynamics.Nav.Client.ServiceConnection.OpenConnectionInternal(ConnectFailedEventArgs connectFailedArg)
   at Microsoft.Dynamics.Nav.Client.ServiceConnection.OpenConnectionInternal(ConnectFailedEventArgs connectFailedArg)
   at Microsoft.Dynamics.Nav.Client.ServiceConnection.OpenConnectionInternal(ConnectFailedEventArgs connectFailedArg)
   at Microsoft.Dynamics.Nav.Client.ServiceConnection.OpenConnection()
   at Microsoft.Dynamics.Nav.Client.Forms.ChangeServiceTierForm.ConnectToUrl(String url)
Source: Microsoft.Dynamics.Nav.Client.ServiceConnection
----------------------------------
Type: System.ServiceModel.Security.SecurityNegotiationException
Message: A call to SSPI failed, see inner exception.
StackTrace:
Server stack trace:
   at System.ServiceModel.Channels.WindowsStreamSecurityUpgradeProvider.WindowsStreamSecurityUpgradeInitiator.OnInitiateUpgrade(Stream stream, SecurityMessageProperty& remoteSecurity)
   at System.ServiceModel.Channels.StreamSecurityUpgradeInitiatorBase.InitiateUpgrade(Stream stream)
   at System.ServiceModel.Channels.ConnectionUpgradeHelper.InitiateUpgrade(StreamUpgradeInitiator upgradeInitiator, IConnection& connection, ClientFramingDecoder decoder, IDefaultCommunicationTimeouts defaultTimeouts, TimeoutHelper& timeoutHelper)
   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.SendPreamble(IConnection connection, ArraySegment`1 preamble, TimeoutHelper& timeoutHelper)
   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.DuplexConnectionPoolHelper.AcceptPooledConnection(IConnection connection, TimeoutHelper& timeoutHelper)
   at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
   at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ReliableChannelBinder`1.ChannelSynchronizer.SyncWaiter.TryGetChannel()
   at System.ServiceModel.Channels.ReliableChannelBinder`1.ChannelSynchronizer.SyncWaiter.TryWait(TChannel& channel)
   at System.ServiceModel.Channels.ReliableChannelBinder`1.ChannelSynchronizer.TryGetChannel(Boolean canGetChannel, Boolean canCauseFault, TimeSpan timeout, MaskingMode maskingMode, TChannel& channel)
   at System.ServiceModel.Channels.ReliableChannelBinder`1.Send(Message message, TimeSpan timeout, MaskingMode maskingMode)
   at System.ServiceModel.Channels.SendReceiveReliableRequestor.OnRequest(Message request, TimeSpan timeout, Boolean last)
   at System.ServiceModel.Channels.ReliableRequestor.Request(TimeSpan timeout)
   at System.ServiceModel.Channels.ClientReliableSession.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ClientReliableDuplexSessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOpenOnce.System.ServiceModel.Channels.ServiceChannel.ICallOnce.Call(ServiceChannel channel, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
   at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Microsoft.Dynamics.Nav.Types.INavService.OpenConnection(ConnectionRequest connectionRequest)
   at Microsoft.Dynamics.Nav.Client.ServiceConnection.OpenConnectionInternal(ConnectFailedEventArgs connectFailedArg)
Source: mscorlib
----------------------------------
Type: System.Security.Authentication.AuthenticationException
Message: A call to SSPI failed, see inner exception.
StackTrace:
   at System.Net.Security.NegoState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Net.Security.NegotiateStream.AuthenticateAsClient(NetworkCredential credential, String targetName, ProtectionLevel requiredProtectionLevel, TokenImpersonationLevel allowedImpersonationLevel)
   at System.ServiceModel.Channels.WindowsStreamSecurityUpgradeProvider.WindowsStreamSecurityUpgradeInitiator.OnInitiateUpgrade(Stream stream, SecurityMessageProperty& remoteSecurity)
Source: System
----------------------------------
Type: System.ComponentModel.Win32Exception
NativeErrorCode: -2146893022
ErrorCode: -2147467259
Message: The target principal name is incorrect
I cannot see anything that looks related in the Event Logs on DYNNAV-SQL or DYNNAV-Server and there is nothing NAV related in the SQL Server's log apart from an entry stating that spidxx is using xp_ndo_x64.dll to execute one of the ESPs (I am guessing this is when I connected with the Classic client).0 -
I would have expected to see the fully qualified name in your error message, e.g.
Message: A server was not found at "net.tcp://dynnav-server.marvel.company.com:7046/DynamicsNAV/Service". Either the URL is incorrect or the server is currently not available.
The client should be able to connect with either netbios or fully qualified names, even if authentication later fails once the connection has been established.
Further down in the stack trace we can see a SecurityNegotiationException, then an AuthenticationException, then eventually a Win32Exception with the message 'The target principal name is incorrect'. This suggests to me that although it looks like you simply can't connect to the server, actually you are having a problem negotiating an authentication scheme.
Before you try anything else, please confirm that you are using NAV 2009 without any hotfixes applied, and that you are not using the SP1 CTP2 release.
Since your other settings look good I wonder if you have accidentally created duplicate SPNs. I would recommend skimming through this guide to troubleshooting Kerberos errors: http://technet.microsoft.com/en-us/library/cc728430(WS.10).aspx.
In particular, try:
- Enabling Kerberos event logging: http://support.microsoft.com/default.aspx?scid=kb;EN-US;262177
- Following the guide on this page for troubleshooting duplicate SPNs: http://technet.microsoft.com/en-us/library/cc772897(WS.10).aspx
Alex0 -
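Added example, not part of the thread or of Microsoft's walkthrough: an offline Python check for the two causes suggested above for "The target principal name is incorrect", namely a client `Server` value that does not match the host in the registered NAV SPN, and the same SPN registered on more than one account. The `setspn -L` listing (including the duplicate on the computer account), the function names and the finding labels are constructed for illustration; the SPN shape follows the one posted earlier in the thread.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: client settings with the short server name, as in the thread.
CLIENT_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <appSettings>
    <add key="Server" value="DYNNAV-SERVER"></add>
    <add key="ServerInstance" value="DynamicsNAV"></add>
    <add key="ServerPort" value="7046"></add>
  </appSettings>
</configuration>"""

# Constructed sample: `setspn -L <account>` output for three accounts, concatenated.
# The last block is a made-up duplicate registration on the computer account.
SETSPN_LISTING = """\
Registered ServicePrincipalNames for CN=NAVServer,CN=Users,DC=marvel,DC=company,DC=com:
\tDYNNAV-SERVER_DynamicsNAV/DYNNAV-SERVER.marvel.company.com:7046
Registered ServicePrincipalNames for CN=SQLDBE,CN=Users,DC=marvel,DC=company,DC=com:
\tMSSQLSvc/DYNNAV-SQL.marvel.company.com
\tMSSQLSvc/DYNNAV-SQL.marvel.company.com:1433
Registered ServicePrincipalNames for CN=DYNNAV-SERVER,CN=Computers,DC=marvel,DC=company,DC=com:
\tDYNNAV-SERVER_DynamicsNAV/DYNNAV-SERVER.marvel.company.com:7046
"""


def read_client_settings(xml_text):
    """Return the <add key=... value=...> pairs of a ClientUserSettings.config."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return {a.get("key"): a.get("value") for a in root.iter("add")}


def parse_setspn_listing(text):
    """Map each SPN (lower-cased, SPNs are case-insensitive) to its owning accounts."""
    owners = defaultdict(set)
    account = None
    for line in text.splitlines():
        header = re.match(r"Registered ServicePrincipalNames for (.+?):\s*$", line)
        if header:
            account = header.group(1)
        elif line.strip() and account:
            owners[line.strip().lower()].add(account)
    return owners


def split_spn(spn):
    """service_class/host[:port] -> (service_class, host, port)."""
    service_class, _, rest = spn.partition("/")
    host, _, port = rest.partition(":")
    return service_class, host, port


def check(client_xml, setspn_text):
    """Return a list of (kind, subject, details) findings; empty means consistent."""
    cfg = read_client_settings(client_xml)
    server = cfg["Server"].lower()
    instance = cfg["ServerInstance"].lower()
    port = cfg["ServerPort"]
    owners = parse_setspn_listing(setspn_text)
    findings = []

    # An SPN must map to exactly one account, otherwise the KDC cannot pick one.
    for spn, accounts in sorted(owners.items()):
        if len(accounts) > 1:
            findings.append(("duplicate-spn", spn, sorted(accounts)))

    # Assumption taken from the thread's SPN: the NAV service class ends in "_<instance>".
    nav_hosts = set()
    for spn in owners:
        service_class, host, spn_port = split_spn(spn)
        if service_class.endswith("_" + instance) and spn_port == port:
            nav_hosts.add(host)

    if not nav_hosts:
        findings.append(("no-nav-spn", cfg["ServerInstance"], []))
    elif server not in nav_hosts:
        fqdn_forms = sorted(h for h in nav_hosts if h.startswith(server + "."))
        kind = "short-name-vs-fqdn" if fqdn_forms else "server-not-in-spn"
        findings.append((kind, cfg["Server"], fqdn_forms or sorted(nav_hosts)))
    return findings


if __name__ == "__main__":
    for finding in check(CLIENT_CONFIG, SETSPN_LISTING):
        print(finding)
```

To run it against a real environment, save the output of `setspn -L` for each service account into one text file and pass its contents in place of the constructed listing.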
Thanks Alex, I'll work through your suggestions on Monday and update this thread with my findings.0
-
I feel your pain!
I am having EXACTLY the same issue as you. On VMware....
Let me know if you come across anything, and if I make a tweak and get it to work I'll do the same.
-Edit.....
Forgot to say, I changed my Client config file to point to the IP Address instead of FQDN and get the error
Microsoft Dynamics NAV
The login failed when connecting to SQL Server SRVVANSQL1.
OK
t0 -
I saw this post on delegation troubleshooting that might help
http://blogs.msdn.com/nav_developer/arc ... -2009.aspx
0 -
Thanks TonyH and ara3n.
I have not had chance to progress my test for a while. Real work getting in the way!
I will update as soon as I can.0

