Versions: AX 2009/2012R2/2012R3 – not 2012RTM/FP
We introduced an option to enhance the security of the communication between the Microsoft Dynamics AX server and client.
By default, a mix of Kerberos and NTLM is used. This stays unchanged if you don't set any registry key.
To switch off NTLM authentication in your environment, you can now switch to Kerberos only.
Here is how:
You only need to set the registry key on the server and client side, in the following tree:
For the server: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dynamics Server\"AX Version"\"instance for AX"\"configuration of the instance"
For the client: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Dynamics\"AX Version"\Configuration\"Name of Configuration"
Key: authn_service (string value) with the value 16
This is the minimum bar and has to be done for every AOS instance and client configuration.
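Because the value has to be present in every AOS instance configuration and every client configuration, an audit across both trees helps catch any that were missed. The script below is an added example, not part of the original post; it assumes the quoted placeholders in the paths above are nested subkeys, and the `-Fix` switch is a hypothetical name introduced here.

```powershell
# Added example: report authn_service for every AOS configuration (HKLM) and
# every client configuration of the current user (HKCU); optionally set it to 16.
# Assumption: "AX Version"\"instance"\"configuration" are three nested subkey
# levels on the server, and "AX Version"\Configuration\"name" on the client.
param([switch]$Fix)   # hypothetical switch: write the value where it is missing

$Required = '16'      # 16 = Kerberos only, stored as a string value

function Get-AxConfigKeys {
    $server = 'HKLM:\SYSTEM\CurrentControlSet\services\Dynamics Server'
    $client = 'HKCU:\SOFTWARE\Microsoft\Dynamics'
    if (Test-Path $server) {
        # <AX version> -> <instance> -> <configuration>
        Get-ChildItem $server |
            ForEach-Object { Get-ChildItem $_.PSPath } |
            ForEach-Object { Get-ChildItem $_.PSPath }
    }
    if (Test-Path $client) {
        # <AX version> -> Configuration -> <configuration name>
        Get-ChildItem $client | ForEach-Object {
            $cfg = "$($_.PSPath)\Configuration"
            if (Test-Path $cfg) { Get-ChildItem $cfg }
        }
    }
}

$results = foreach ($key in Get-AxConfigKeys) {
    $current = $key.GetValue('authn_service', $null)
    if ($Fix -and $current -ne $Required) {
        # -Force overwrites an existing value; REG_SZ matches "string value"
        New-ItemProperty -Path $key.PSPath -Name 'authn_service' `
            -Value $Required -PropertyType String -Force | Out-Null
        $current = (Get-Item $key.PSPath).GetValue('authn_service', $null)
    }
    [pscustomobject]@{
        Key           = $key.Name
        authn_service = if ($null -eq $current) { '<not set>' } else { $current }
        KerberosOnly  = ($current -eq $Required)
    }
}
$results | Format-Table -AutoSize
```

Writing under HKLM requires an elevated session, and the HKCU part only covers the user running the script, so it has to be run per client user.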
For the client, you can also make the change in the config file by placing the key at the end of the file:
These steps cause the AOS to register an SPN for the instance when the service starts. Of course, this only works if the AOS service account is allowed to do this.
If not, you have to register the SPN manually and permanently.
If the AOS registered the SPN properly, you should see an entry like this in the Application event log:
Object Server 01: Authn Service: Kerberos
On the client side, you can check whether the client received its Kerberos ticket by using the Klist tool with the command "Klist tickets".
The output should look like:
KerbTicket Encryption Type: test contoso WS(NT)
End Time: 3/31/2014 18:52:04
Renew Time: 4/1/2014 20:42:
Additional possible keys:
- configurable on both client and server
- allowable values: 9, 16
9 = Negotiate,
16 = Kerberos
(default value is "Default" i.e. NTLM)
- configurable on server
- event log will show an error if the server failed to register the SPN
- allowable values: 0, 1
0 = do not register spn
1 = register spn (default value)
- configurable on client
- allowable values: 0, 1, domain suffix
0 = do not append domain suffix
1 = append domain suffix (default value)
<string> = domain suffix (ex. mydomain.corp.com)
Note: if no domain suffix is supplied by the client config / AX load balancer, the domain of the client machine is used.
- configurable on client / server
0 = do not use host format (default)
1 = use host format
0 = disables event log debug logging
1 = enables event log debugging
- configurable on server or client
- logs additional information regarding SPN registration, authentication mode, and SPN value.
Writer: Uwe Zimmermann <firstname.lastname@example.org>