共用方式為


NAV 2009 Web Services on a three machine setup

Much like the setup of the RTC/NAV Server connection in NAV 2009. NAV 2009 Web Services needs to have a SPN added to properly authentic the users accessing it.

Consider the following scenario in Microsoft Dynamics NAV 2009. You have just completed the “Installing the Three Tiers on Three Computers” walkthrough. The NAV Role Tailored Client (RTC) is working. You have started the Microsoft Dynamics NAV Business Web Services service. When you attempt to view a Web Service URL in a web browser from a client machine you receive a login prompt. If you try to login, you are prompted three times before the process is stopped. An example of possible Web Service URLs is:

https://xxx:7047/DynamicsNAV/WS//Services
https://xxx:7047/DynamicsNAV/WS/SystemService

Note xxx is the server name of the Service Tier. This also assumes that you are using the default port (7047) and default service name (DynamicsNAV).

This problem occurs because a Service Principal Name (SPN) has not been added to the domain user account running the Microsoft Dynamics NAV Business Web Services service for the HTTP service, which is the normal service name used by web services.

Resolution

In order to eliminate the login prompts and allow authorized users to view the Web Services URL, you need to add the following SPNs to the domain user account running the Microsoft Dynamics NAV Business Services service.

HTTP/FullyQualifiedDomainNameOfNavWebServiceServer
HTTP/NameOfNavWebServiceServer

Now, I'm sure you all know if you use the ADSI Edit snap-in, or another utility such as the LDP or LDAP 3 utilities to incorrectly modify attributes to AD objects you could seriously mess up the AD, so be careful. Also, you need to be a domain admin to make the following changes.

To add the SPNs from a domain server, follow these steps:

  1. Click Start, click Run, type Adsiedit.msc, and then click OK.
    Note The ADSIEdit tool is included in the Windows Server 2003 Support Tools. If you are using Windows Server 2008 the ADSIEdit tool will already be installed. To obtain the Windows Server 2003 Support Tools, visit the following Microsoft Web site: https://www.microsoft.com/downloads/details.aspx?familyid=6EC50B78-8BE1-4E81-B3BE-4E7AC4F0912D&displaylang=en

  2. In the ADSI Edit snap-in, expand Domain [DomainName], expand DC= RootDomainName, expand CN=Users, right-click CN= AccountName , and then click Properties. If you are on a server running Windows Server 2008, you may need to first connect and bind to an instance.
    Notes
    DomainName is a placeholder for the name of the domain.
    RootDomainName is a placeholder for the name of the root domain.
    AccountName is a placeholder for the account that you specify to start the NAV Server service.
    If you specify a domain user account to start the NAV Server service, AccountName is a placeholder for the domain user account.

  3. In the Properties dialog window locate the servicePrincipalName attribute and double click it to open the Editor Dialog window.

  4. Using the following format enter the following two SPNs individually. Click the Add button to add each SPN.

    HTTP/FullyQualifiedDomainNameOfNavWebServiceServer
    HTTP/NameOfNavWebServiceServer

  5. When finished, click OK, and then OK. Finally close the ADSI Edit window.

Additional Information

Since Kerberos ticket usually expire after 10 hours, you may need to purge the current Kerberos tickets from client machine before the setup of the Microsoft Dynamics NAV Outlook Add-in can be completed in Microsoft Outlook.

With Kerbtray.exe, you can easily verify or remove (or both) Kerberos tickets from any of the associated computers that are being used. To download the Kerbtray utility, visit the following Microsoft Web site:

https://www.microsoft.com/downloads/details.aspx?FamilyID=4e3a58be-29f6-49f6-85be-e866af8e7a88&displaylang=en

Scott Wright
Microsoft Dynamics NA

Microsoft Customer Service and Support (CSS) North America

These postings are provided "AS IS" with no warranties and confer no rights. You assume all risk for your use.

Comments

  • Anonymous
    January 19, 2009
    Thanks for this info. Is the Credentials property in the _Binding class supported in order to allow defining credentials in code, e.g.       Dim _service As New WebService.Item_Binding        Dim _credentials As System.Net.ICredentials = New System.Net.NetworkCredential("myname", "mypwd", "ourdomain")        _service.UseDefaultCredentials = False        _service.Credentials = _credentials I can't seem to get this to work, always get an unauthorized error. Am I missing something? /Bruno

  • Anonymous
    January 20, 2009
    The comment has been removed

  • Anonymous
    February 01, 2009
    When I started blogging just short of two years ago, there weren’t too many NAV blogs. I don’t bother

  • Anonymous
    February 11, 2009
    Hi there.  This  question may fall under a seprate posting for the NAV server but I could not find one so... I am having an issue with my middle tier NAV server authenticating with my machine that is hosting SQL server 2005. Please note, these are all test machines for a proof of concept.  I am testing the three-tier approach as this is how will we use it in production. The NAV server is using the same test domain acount as the SQL server service for simplicity. My client reaches the NAV server with no issue. I set domain user delagation on the client settings.  When the request reaches the SQL server, it is erroring due to AD sending it the ananymous login.  We used setspn to register the mssqlsvc service with sql machine and the test account. It stated that it (updated object), but I've had no luck.  Interestingly, if I do list of the machines spn's the new service does not show.  Could you assist?

  • Anonymous
    February 11, 2009
    The comment has been removed

  • Anonymous
    April 02, 2009
    Greetings,  I have a follow up question in the use of "delegation".  If am using a specific domain service account to run my production NAS (not to be confused with NAV) server for NAV 3.7B, do I run any risk in setting up delegation for this account so I can use it in testing the NAV 2009 service tier? In other words, will it open up any security holes or damage the priviledges the account has currently?

  • Anonymous
    April 20, 2009
    The comment has been removed

  • Anonymous
    April 22, 2009
    Thank you for the response Scott.  I have a one more on this subject I would like to ask.  I am now using my NAV server domain service account to run two separate NAV servers, each on their own machine.  One is for development and the other for system testing.  Since each spn associated with the account is unique I have no issues expect when trying to switch between the servers with a “running” client.   In other words, if I switch the client machines clientusersettings.config server settings and then open the client I have no problem bouncing between servers, but when I try to do this from the running client, I get the sql login message issue we saw from my earlier posts.   Any recommendations on how to solve this…besides using completely separate service accounts?  : I would like to avoid having too keep track and maintain a bundle of service accounts for my landscape. Best Regards (and welcome back), Robert

  • Anonymous
    April 27, 2009
    The comment has been removed

  • Anonymous
    May 26, 2009
    Hello Scott, First, very good Blog. This is information I have not been able to find anywhere else. I am currently receiving the "Login Failed for user 'NT AuthorityANONYMOUS' LOGON" error when attempting to view any WSDL from a what would be considered the "client machine" in the three tier architecture. However, I can view the WSDL using IE on the Server tier. This may be caused by the following: In the walkthrough "Installing the Three Tiers on Three Computers", I am instructed to setup Delegation. This option in only available if your domain functional level is Windows 2003. Currently my domain is Windows 2000 native and I cannot raise the domain functional level because we have a couple of older severs that are Windows 2000. So my question is that on a domain such as mine, where i have approx. 40 servers, if at least one of those servers are Windows 2000 and delegation is not available, is there any other option for using the three tier architecture? Regards, Aaron

  • Anonymous
    May 28, 2009
    The comment has been removed

  • Anonymous
    May 30, 2010
    Hi Guys, I've been through the "Installing the Three Tiers on Three Computers" walkthrough, and now my RTC is working fine. I now need to follow the instructions above for the Web services. Just wondering, do I need the port number (i.e. :7047) at the end of the setspn string when setting the SPN through a command prompt for the web service?? Thanks, Mark

  • Anonymous
    May 31, 2010
    The comment has been removed