Troubleshooting when the Web Management Console for Microsoft Dynamics GP Web Components isn’t working.

You’ve just installed Microsoft Dynamics GP Web Client, and everything is running, except when you go to access the Web Management Console and you run into issues……This blog will go over a few different resolutions to get the Web Management Console working and accessible.

1. The first thing we’d want to verify is that you’re logged on to the machine as a Windows account that has been added to the domain security group specified to have access to the Web Management Console, when Web Client was installed. If your account is not a member of this specified group, you won’t have access.  This domain group can be different than the domain group giving users access to the Web Client application.

        2. When attempting to access the Web Management Console, if you're continually prompted for the Session Central Service URL, but even though you have the correct URL entered, it won't accept it, you can stop and restart the GP Session Central Service and GP Session Service, then verify that you can successfully login to the Dynamics GP Web Client itself, before testing the Web Management Console again.

        3. Also, the call to verify the Session Central Service URL, when accessing the Web Management Console, is using TLS 1.2 via the code. Make sure that TLS 1.2 is enabled on the server(s) that Web Client is installed onto.

        4. On the server(s) where Web Client and the Web Management Console are installed, look in the Event Viewer logs, particularly the ‘Dynamics’ log, for error or warning information related to Web Client and the Web Management Console.

        5. In the Event Viewer log, if you see a message stating something like this: “An error occurred while enumerating the group membership. The member’s SID could not be resolved”, what we frequently see cause this type of error is there is some type of mismatch between the domain security group in Active Directory specified to have access to the Web Management Console.

             This can also occur in the local administrator group on the server itself.

             What you’ll see is not the name of the user account but a SID number that will look something like this:  S-1234….

             If you remove this unknown SID number from the group, then you can test the Web Management Console again and see if it is now working as expected.

       6.  When accessing the Web Management Console (i.e. https://SSLCertificateHostName/WebManagementConsole), if you’re continually prompted for the Session Central Service URL, before ending in a 401.1 error, it could be that you’re running into a loopback issue.

           Microsoft is designed to have this disabled as a security issue as most System Administrators do not want the loopback address enabled. However, for the purpose of Web Client and SBA, it is a requirement for both SBA and Web Client’s Web Management Console to be used on the server on which Web Client is installed.

           Without this in place, the Web Management Console is not able to write the entry to SQL correctly and therefore it is constantly asking for the session host addresses. For the Web Management Console, it’s usually the address for the Session Central Service URL.

           You can verify this by going onto a secondary machine that Web Client is not installed onto, and accessing the Web Management Console successfully, which would indicate this loopback issue is present.

     A couple of options that you can enable on the Web Client server itself, are:

 Option 1:

--Add this registry entry by PowerShell

      New-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name “DisableLoopbackCheck” -value “1” -PropertyType dword

Option 2:

--Set the DisableStrictNameChecking registry entry to 1

  1. Click on Start > Run, type in Regedit and click OK to open the Registry Editor.

  2. In Registry Editor, locate and then click on the following registry key:

     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0

  3. Right-click MSV1_0, point to New, and then click Multi-String Value.

  4. Type BackConnectionHostNames and then click Modify.

  5. In the Value data box, type the host name or the host names for the sites that are on the local computer and then click OK.

Option 3:

--Set the DisableLoopbackCheck regtistry entry to be enabled

   1. Click on Start > Run, type in Regedit and click OK to open the Registry Editor.

   2. In Registry Editor, locate the following registry key:

        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

   3. Right-click Lsa, point to New and then click DWORD Value.

   4. Type DisableLoopbackCheck and then press ENTER.

   5. Right-click DisableLoopbackCheck and then click Modify.

   6. In the Value data box, type 1 and then click OK.

   7. Quit Registry Editor.

   **NOTE: You may need to restart your server!!