Versions: AX 2009/2012R2/2012R3 – not 2012RTM/FP
We have introduced a way to enhance the security of the communication between the Microsoft Dynamics AX server and client.
By default, a mix of Kerberos and NTLM is used. This stays unchanged if you don't set any registry key.
To switch off NTLM authentication in your environment, you can now switch to Kerberos only.
Here is how:
You only need to set the following registry key on both the server and the client side, in this tree:
For the server: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dynamics Server\"AX Version"\"instance for AX"\"configuration of the instance"
For the client: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Dynamics\"AX Version"\Configuration\"Name of Configuration"
Key: authn_service (string value) with the value 16
This is the minimum bar and has to be done for every AOS instance and client configuration.
For the client, you can also make the change in the config file by placing the key at the end of the file:
These steps cause the AOS to register an SPN for the instance when the service starts. Of course, this only happens if the AOS service account is allowed to do so.
If not, you have to register the SPN permanently by hand.
If the AOS registered the SPN properly, you should see an entry like this in the Application event log:
Object Server 01: Authn Service: Kerberos
On the client side, you can check whether the client received its Kerberos ticket by using the Klist tool and the command "Klist tickets".
The output should look like:
KerbTicket Encryption Type: test contoso WS(NT)
End Time: 3/31/2014 18:52:04
Renew Time: 4/1/2014 20:42:
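An added example, not part of the original post: a read-only PowerShell check that lists authn_service for every AOS instance configuration and every client configuration of the current user under the registry trees named above, then looks in the Application event log for the "Authn Service" entry. It assumes the key layouts given in the post; the helper name Get-AuthnService and the 2000-event window are illustrative choices.

```powershell
# Added example: read-only audit, nothing is written to the registry.
# Registry trees are the ones named in the post; HKCU covers the current user only.
$ServerRoot = 'HKLM:\SYSTEM\CurrentControlSet\services\Dynamics Server'
$ClientRoot = 'HKCU:\SOFTWARE\Microsoft\Dynamics'

function Get-AuthnService {          # hypothetical helper name
    param($Role, $Keys)
    foreach ($key in @($Keys)) {
        if ($null -eq $key) { continue }
        $value = $key.GetValue('authn_service')   # $null when the value is absent
        [pscustomobject]@{
            Role          = $Role
            Configuration = $key.Name
            authn_service = if ($null -eq $value) { '(not set)' } else { $value }
            KerberosOnly  = ("$value" -eq '16')   # 16 = Kerberos per the post
        }
    }
}

$results = @()
if (Test-Path $ServerRoot) {
    # Assumed layout: <AX Version>\<instance>\<configuration>
    $serverKeys = Get-ChildItem $ServerRoot | Get-ChildItem | Get-ChildItem
    $results += Get-AuthnService -Role 'Server' -Keys $serverKeys
}
if (Test-Path $ClientRoot) {
    # Assumed layout: <AX Version>\Configuration\<name>
    $clientKeys = Get-ChildItem $ClientRoot |
        ForEach-Object { Join-Path $_.PSPath 'Configuration' } |
        Where-Object { Test-Path $_ } |
        Get-ChildItem
    $results += Get-AuthnService -Role 'Client' -Keys $clientKeys
}

$results | Format-Table -AutoSize -Wrap | Out-Host
$notKerberosOnly = @($results | Where-Object { -not $_.KerberosOnly })
if ($notKerberosOnly.Count -gt 0) {
    Write-Warning "$($notKerberosOnly.Count) configuration(s) do not have authn_service = 16"
}

# The post says a successful start logs "Object Server NN: Authn Service: Kerberos".
# Filtering on message text only, since the post does not name the event source.
Get-WinEvent -LogName Application -MaxEvents 2000 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*Authn Service:*' } |
    Select-Object TimeCreated, Message -First 5 |
    Format-List | Out-Host
```

Run it on each AOS host and, for the client part, in the session of each user whose configuration you want to check.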
Additional keys are possible:
- configurable on both client and server
- allowable values: 9, 16
9 = Negotiate,
16 = Kerberos
(default value is "Default" i.e. NTLM)
- configurable on server
- event log will show an error if the server failed to register the SPN
- allowable values: 0, 1
0 = do not register spn
1 = register spn (default value)
- configurable on client
- allowable values: 0, 1, domain suffix
0 = do not append domain suffix
1 = append domain suffix (default value)
= domain suffix (ex. mydomain.corp.com)
note: if there is no domain suffix supplied by the client config / ax load balance, the domain of the client machine is used.
- configurable on client / server
0 = do not use host format (default)
1 = use host format
0 = disables event log debug logging
1 = enables event log debugging
- configurable on server or client
- logs additional information regarding SPN registration, authentication mode, and SPN value.
Writer: Uwe Zimmermann <email@example.com>