Error when launching the MR client: "Can't connect to the Management Reporter server. Do you want to specify a different server address?"

Lucas Miller

Hi everyone,

We've recently seen a number of cases of the 'can't connect to the Management Reporter server' error when starting the MR client. The Event Viewer shows a SOAP security negotiation error along with it. This appears to happen with MR in some environments when the November Windows updates or later are applied to the domain controller servers. The initial updates were KB5019964, KB5019966, and KB5019081, but those have been rolled forward into later patches, so the issue might also start occurring with the December or January patches. The issue tends to be intermittent and can move from one machine to another. Sometimes things like rebooting will temporarily correct the issue, but it typically comes back. You can read more about these updates, both planned and unplanned, here:

https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/what-happened-to-kerberos-authentication-after-installing-the/ba-p/3696351 

UPDATE 3/10/2025

We have also had a few reports where this same behavior is starting around the time that the user's workstation is updated to Windows 11.  These same steps have helped customers in that situation as well.

Removing the updates has worked for some users, but we shouldn’t be removing Windows updates, since they help with security in your network. Below are a couple of potential workarounds from the MR side that we recommend trying first:

1. Create two SPNs for the domain account running the MR services. You must log in as a full domain administrator to do this. To create an SPN for this domain account, run the Setspn tool at an elevated command prompt (Run as Administrator) with the following commands: 

setspn -S HTTP/MRservername domain\customAccountName

setspn -S HTTP/MRservername.fullyqualifieddomainname domain\customAccountName 

"MRservername" should be replaced with the MR server name where the MR Application Service is installed. 

"domain\customAccountName" should be replaced with the domain account running the MR Services (check the MR Configuration Console for this account) 

"MRservername.FullyQualifiedDomainName" should be replaced with the fully qualified domain name of the MR server where the MR Application Service is installed. 

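To confirm that step 1 took effect, the following PowerShell check (an added example, not part of the original post or of Management Reporter) looks up both HTTP SPNs in Active Directory and reports whether each is registered exactly once and to the expected account. The three variable values are the placeholders from step 1, and the function name Test-MrSpn is made up for this example.

```powershell
# Added example: verify the two HTTP SPNs from step 1 after running setspn -S.
# All three values are placeholders; replace them as described in step 1.
$MrServer       = 'MRservername'                          # short name of the MR server
$MrServerFqdn   = 'MRservername.fullyqualifieddomainname' # FQDN of the MR server
$ServiceAccount = 'customAccountName'                     # account name without the domain\ prefix

function Test-MrSpn {
    param([string]$Spn, [string]$ExpectedAccount)

    # LDAP lookup of every object in the current domain that carries this SPN.
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    [void]$searcher.PropertiesToLoad.Add('samaccountname')
    $owners = @($searcher.FindAll() |
        ForEach-Object { [string]$_.Properties['samaccountname'][0] })

    # An SPN must map to exactly one account, and it must be the MR service account.
    $status = if ($owners.Count -eq 0) { 'Missing' }
              elseif ($owners.Count -gt 1) { 'Duplicate' }
              elseif ($owners[0] -ieq $ExpectedAccount) { 'OK' }
              else { 'WrongAccount' }

    [pscustomobject]@{
        Spn          = $Spn
        RegisteredTo = $owners -join ', '
        Status       = $status
    }
}

"HTTP/$MrServer", "HTTP/$MrServerFqdn" |
    ForEach-Object { Test-MrSpn -Spn $_ -ExpectedAccount $ServiceAccount } |
    Format-Table -AutoSize
```

Run it from any domain-joined machine. A status of Duplicate or WrongAccount means the SPN is held by another account and should be cleaned up before retesting the MR client.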
 

2. Reinstall the MR services using the built-in Network Service account: 

a. Get all users out of MR and make a backup of the ManagementReporter SQL database. 

b. Log into the MR server as a user who is an Administrator in MR, an Administrator on the server, and a sysadmin in SQL.  

c. Start the MR Configuration Console.  

d. Select the integration and use the Remove link at the top-right to remove it.  

e. Under Services, use the Remove links at the top right to remove the process service and then the application service.  

f. Close the Configuration Console.  

g. Delete the ManagementReporterDM database from SQL if it exists. 

 

If the MR services are installed directly on the SQL server, do this: 

 

-In SQL, expand Security, right-click on Logins, and choose New Login. 

-Click Search, click the Locations button, select the local server name, and click OK. 

-Type network service into the object name field and click Check Names. Click OK. 

-The user will be added as NT AUTHORITY\NETWORK SERVICE.

 

-Under User Mapping, check the ManagementReporter database and grant GeneralUser and public roles. Click OK. 

 

If the MR services are installed on a server other than the SQL server, do this: 

 

-Open a New Query in SQL. It does not matter which database is selected. 

-Modify the following script for the domain and machinename of the server where the MR services are installed: 

 

-- Create a login for the machine account
CREATE LOGIN [domain\machinename$] FROM WINDOWS
GO

-- Verify newly created login
SELECT * FROM sys.server_principals WHERE name LIKE 'domain\machinename%'
GO

-Run the script.  

-Expand Security, right-click on Logins, and choose Refresh. 

-Expand Logins and locate the account that was created.

 

-Right-click on the account and choose Properties. 

-Under User Mapping, check the ManagementReporter database and grant GeneralUser and public roles. Click OK. 

 

h. Start the MR Configuration Console. It may pop up asking what to deploy. If not, click File -> Configure. 

i. Choose to deploy just the two MR services (application and process). Wait to deploy the integration until later. 

j. Select the NT AUTHORITY\NETWORK SERVICE account from the drop-down.

 

k. Mark the “Connect to an existing database” checkbox, type in the SQL instance if needed, and select the ManagementReporter database from the drop-down.

l. Click Next. You will likely get a warning about the database configuration, but this has already been completed, so click Continue and then Configure.

m. Once the services are deployed, click File -> Configure and deploy the integration. Use the ‘sa’ credentials to select the DYNAMICS database. If using the data mart, enable it and wait for it to fully load. 


3.  Check the Kerberos settings in Group Policy (Start -> Run -> gpedit.msc) by going to Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network security: Configure encryption types allowed for Kerberos. 

These settings typically roll down to each computer via group policy, but it is worth checking them at the domain controllers, the MR server, and the MR client to see if they are different.  They should all be the same. 

MR is confirmed to work correctly with all options turned off. 

If any of these options are turned on: 

AES128_HMAC_SHA1 

AES256_HMAC_SHA1 

Future Encryption Types 

Then this one must be enabled as well: 

RC4_HMAC_MD5
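The comparison described in step 3 can be scripted. This PowerShell snippet is an added example, not part of the original post; it assumes the policy is stored in the standard SupportedEncryptionTypes registry value, decodes it, and applies the rule above. The function name Get-KerberosEncTypePolicy is made up for this example.

```powershell
# Added example: decode the local "Network security: Configure encryption types
# allowed for Kerberos" policy and apply the rule from step 3.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'

# Bit values of the SupportedEncryptionTypes DWORD.
$EncTypes = [ordered]@{
    'DES_CBC_CRC'             = 0x1
    'DES_CBC_MD5'             = 0x2
    'RC4_HMAC_MD5'            = 0x4
    'AES128_HMAC_SHA1'        = 0x8
    'AES256_HMAC_SHA1'        = 0x10
    'Future encryption types' = 0x7FFFFFE0
}

function Get-KerberosEncTypePolicy {
    # The value is absent when the policy is not configured; treat that as all options off.
    $item = Get-ItemProperty -Path $PolicyKey -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
    $raw  = if ($item) { [int]$item.SupportedEncryptionTypes } else { 0 }

    $enabled  = @($EncTypes.Keys | Where-Object { ($raw -band $EncTypes[$_]) -ne 0 })
    $needsRc4 = @($enabled | Where-Object { $_ -like 'AES*' -or $_ -like 'Future*' }).Count -gt 0

    $verdict = if ($enabled.Count -eq 0) { 'All options off' }
               elseif ($needsRc4 -and $enabled -notcontains 'RC4_HMAC_MD5') { 'RC4_HMAC_MD5 not enabled' }
               else { 'Consistent with step 3' }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        RawValue = '0x{0:X}' -f $raw
        Enabled  = $enabled -join ', '
        Verdict  = $verdict
    }
}

Get-KerberosEncTypePolicy | Format-List
```

Run it on a domain controller, the MR server, and an MR client. The RawValue should be identical on all three.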

Thanks,

Greg Byer

Microsoft Dynamics GP Support
