Microsoft Dynamics AX (Archived)

ax2012R2 - IIS on different host from AOS – target principal name is incorrect

Posted by Eric Ledoux (135)

Hi,

I have this situation:

Domain : OurDomain

AOS : AOSHost

IIS : IISHost

The AOS is running on AOSHost under the account "OurDomain\AOSAccount"

The Business connector account under which the MicrosoftDynamicsAXAif60 application pool is running is "OurDomain\BusConnAccount"

I installed the "Web Services on IIS" and the ".NET Business Connector" components on IISHost. Actually I tried two scenarios, with the same result: only the "Web Services on IIS" component, or both the "Web Services on IIS" and the ".NET Business Connector" components. During install I gave the "OurDomain\BusConnAccount" when the wizard asked, and also gave the "OurDomain\AOSAccount" name (but no password for this one, the wizard doesn't ask). This host represents an IIS machine in a DMZ, although I have no firewalls yet. I'm taking it one step at a time.

By enabling anonymous authentication on my test inbound port and in my IIS web site, my test C# program is able to retrieve the service references from the IIS host. But then, when my test program tries to actually hit the web service, AX throws an "A call to SSPI failed, see Inner Exception" error. Further digging shows that the inner exception is "Target principal name is incorrect".

In the IISHost Event Viewer I see "The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server. The target name used was host/aoshost. This indicates…".

So I tried these setspn.exe commands:

setspn -s http/iishost ourdomain\aosaccount

setspn -s http/iishost.ourdomain ourdomain\aosaccount

setspn -s host/aoshost ourdomain\aosaccount

setspn -s host/aoshost.ourdomain ourdomain\aosaccount

For a while this fixed the problem. I mean I could hit the web services hosted on IISHost, and it was the information from the AOS on AOSHost. Everything was good until my AOS service wouldn’t start anymore. I got a 1069 error, "The service did not start due to a logon failure". I tried to reboot the AOSHost, and after reboot couldn’t logon to it with any domain account anymore. "The Security database on the server does not have a computer account for this workstation trust relationship." Removed the above setspn commands, and could logon the AOSHost just fine afterwards.

Now I’m back to the "Target principal name is incorrect" error.

What I'm trying to do is simple: get the IIS running on a remote host. Can anyone help me please?
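The two things that went wrong in the post above (a service ticket the AOS could not decrypt, then a machine that no domain account could log on to) both come from the same SPN sitting on more than one account. The following PowerShell is an added example, not code from the original post: it builds an inventory of (account, SPN) pairs and flags an SPN held by several accounts, and a HOST/ SPN held by anything other than a computer account. The account and SPN names are taken from the post; the inventory is constructed to reflect the state after the four setspn -s commands, and the live Get-SpnInventory query (ActiveDirectory module) is assumed to produce rows of the same shape.

```powershell
# Added example (not from the original post). Audits which AD accounts hold the
# SPNs behind a KRB_AP_ERR_MODIFIED event and flags the two misconfigurations
# this thread ran into. The inventory at the bottom is constructed from the
# names in the thread; Get-SpnInventory is the live equivalent.

function Get-SpnInventory {
    # One row per (account, SPN) pair for every object in the domain with an SPN.
    Import-Module ActiveDirectory
    Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName, sAMAccountName |
        ForEach-Object {
            $obj = $_
            foreach ($spn in $obj.servicePrincipalName) {
                [pscustomobject]@{ Account = $obj.sAMAccountName; Class = $obj.ObjectClass; Spn = $spn }
            }
        }
}

function Find-SpnProblems {
    param([Parameter(Mandatory)][object[]]$Inventory)
    $problems = New-Object 'System.Collections.Generic.List[object]'

    # 1. Same SPN on more than one account. The KDC has to pick one account's key
    #    to encrypt the service ticket; when that is not the key the target service
    #    holds, the target cannot decrypt the ticket and the client side logs
    #    KRB_AP_ERR_MODIFIED / "target principal name is incorrect".
    $Inventory |
        Group-Object { $_.Spn.ToLowerInvariant() } |
        ForEach-Object {
            $holders = @($_.Group.Account | Sort-Object -Unique)
            if ($holders.Count -gt 1) {
                $problems.Add([pscustomobject]@{
                    Kind = 'DuplicateSpn'; Spn = $_.Name; Accounts = ($holders -join ', ')
                })
            }
        }

    # 2. HOST/<name> on anything but a computer account. HOST/ is the machine's
    #    own identity: a workstation asks the KDC for a ticket to host/<itself>
    #    during an interactive domain logon, so once that SPN also sits on a user
    #    account the KDC may issue tickets the machine cannot decrypt, and logons
    #    fail with the "workstation trust relationship" error from the post.
    foreach ($row in $Inventory) {
        if ($row.Spn -match '^host/' -and $row.Class -ne 'computer') {
            $problems.Add([pscustomobject]@{
                Kind = 'HostSpnOnNonComputer'; Spn = $row.Spn; Accounts = $row.Account
            })
        }
    }
    $problems
}

# Constructed inventory: the default HOST/ SPNs on the two computer accounts, plus
# the four SPNs the post added to ourdomain\aosaccount with setspn -s.
$inventory = @(
    [pscustomobject]@{ Account = 'AOSHOST$';   Class = 'computer'; Spn = 'HOST/AOSHOST' }
    [pscustomobject]@{ Account = 'AOSHOST$';   Class = 'computer'; Spn = 'HOST/aoshost.ourdomain' }
    [pscustomobject]@{ Account = 'IISHOST$';   Class = 'computer'; Spn = 'HOST/IISHOST' }
    [pscustomobject]@{ Account = 'IISHOST$';   Class = 'computer'; Spn = 'HOST/iishost.ourdomain' }
    [pscustomobject]@{ Account = 'aosaccount'; Class = 'user';     Spn = 'http/iishost' }
    [pscustomobject]@{ Account = 'aosaccount'; Class = 'user';     Spn = 'http/iishost.ourdomain' }
    [pscustomobject]@{ Account = 'aosaccount'; Class = 'user';     Spn = 'host/aoshost' }
    [pscustomobject]@{ Account = 'aosaccount'; Class = 'user';     Spn = 'host/aoshost.ourdomain' }
)

Find-SpnProblems -Inventory $inventory | Format-Table -AutoSize
```

Against the constructed inventory the two host/aoshost entries are reported twice each, once as DuplicateSpn (AOSHOST$, aosaccount) and once as HostSpnOnNonComputer; the http/iishost entries are not duplicates, but they sit on the AOS account rather than on the account that actually runs the application pool, which only a check that knows the service's logon account can catch. The built-in equivalents are setspn -X (forest-wide duplicate report), setspn -Q host/aoshost (which account holds a given SPN), setspn -L ourdomain\aosaccount (list an account's SPNs) and setspn -D to remove a stray entry, which is what the poster ended up doing.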

*This post is locked for comments

  • Brian Kinser (815)

    I have the exact same issue. From the AOS server I can add the AIF website no problem; it appears to only check for shared folders anyway. The AIF web services get deployed to the IIS host no problem, all the settings that were configured in the inbound port are there. The WSDL responds, but when you try to execute the client call I get the dreaded "A call to SSPI failed, see Inner Exception"... which, if you debug it, the inner exception is null anyway. Exact same error in the event log though. The error is a bit confusing as it lists my 'server' = AOS service account.

    -------------------------------------------------------------------------------------------------------------------------------------------------

    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server "AOS_SERVICE_ACCOUNT". The target name used was host/AOS_SERVER. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (DOMAIN) is different from the client domain (DOMAIN), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

    ------------------------------------------------------------------------------------------------------------------------------

    i have enabled tracing on the web services but its not much help either

  • Suggested answer
    Eric Ledoux (135)

    Hi Brian,

    Microsoft just finished working on a kernel patch for this issue. My guess is that it will be available publicly in the next CUx.

    There is a workaround, and I'm using that right now:

    Change the web.config on the IIS server to use the IP instead of the hostname. That will skip the Kerberos authentication, and therefore the Target Principal Name error will not happen.

    For example, change:

         <endpoint address="net.tcp://dax2012:8201/dynamicsax/services/MetadataService"
           behaviorConfiguration="clientEndpointBehavior" binding="netTcpBinding"
           bindingConfiguration="DefaultServiceGroupBinding" contract="Microsoft.Dynamics.AX.Framework.Services.Metadata.Service.IAxMetadataService"
           name="MetaDataService">

    to:

         <endpoint address="net.tcp://10.10.90.22:8201/dynamicsax/services/MetadataService"
           behaviorConfiguration="clientEndpointBehavior" binding="netTcpBinding"
           bindingConfiguration="DefaultServiceGroupBinding" contract="Microsoft.Dynamics.AX.Framework.Services.Metadata.Service.IAxMetadataService"
           name="MetaDataService">

    There are other workarounds possible, but they were not possible for me in a production environment:

    - Run the AOS on the same machine as the IIS machine

    - Running the AOS under the Network Service account should also fix the problem

    Thanks to Brett Christiansen from Microsoft for providing me with these workarounds.

  • Brian Kinser (815)

    Thanks Eric (and Brett Christiansen from Microsoft). I found this out the hard way on this one. It appears to be an Active Directory issue with DNS not resolving ambiguous domain/accounts. Changed to IP instead of machine name and it worked... wow!!! Hope I never need full authentication from outside and actually HAVE to use Kerberos... yikes. In my case this is a public HR job listings site.

    I am on CU4 so no fix was in that one... maybe R2. Also, I had tried this with wsHttpBinding as I thought it was an SPN/UPN Kerberos issue (which I guess at that point it was) but changing netTcpBinding to IP did nothing...

    In order to access AX 2012 AIF services from OUTSIDE the domain, these services need to be hosted on IIS.

    1. Create a web server machine (install roles and features) and install AX 2012 components (I only installed web services, not business connector).

    2. Now go to the AOS machine and configure your AIF web site to point to that new web server (IP address suggested here as well).

    3. Go to your AIF inbound port and de-activate, then adjust the configuration and web site, then activate.

    But the final step is that you must visit the IIS host where the AOS deployed (activated?) that web service and manually edit the web.config (or you could change that configuration in the inbound AIF port I guess, so it is a simpler deployment) so that net.tcp uses IP.

    Working great now!!

    Good to close this question out.
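The workaround in Eric's answer and the final step of Brian's procedure are the same edit: every net.tcp client endpoint in the IIS-side web.config that names the AOS by host name is changed to name it by IP. The PowerShell below is an added example, not code from either post: it performs that rewrite against the whole file, keeps a copy of the untouched file, and runs here against a constructed stand-in built from the fragment in the answer. The host name (dax2012) and IP (10.10.90.22) are the ones from the answer; the fully-qualified variant, the temp-file path and the function name are assumptions.

```powershell
# Added example (not from the original post). Rewrites the net.tcp client
# endpoints of an AIF web.config so they address the AOS by IP instead of by
# host name, which is the workaround the thread settled on.

function Convert-AosEndpointToIp {
    param(
        [Parameter(Mandatory)][string]$WebConfigPath,
        [Parameter(Mandatory)][string[]]$AosHostNames,   # short and/or fully qualified
        [Parameter(Mandatory)][string]$AosIp
    )
    [xml]$cfg = Get-Content -LiteralPath $WebConfigPath -Raw
    $changed = 0
    foreach ($ep in $cfg.SelectNodes('//endpoint[@address]')) {
        $address = $ep.GetAttribute('address')
        foreach ($name in $AosHostNames) {
            # Only the host part of the authority is touched; scheme, port and
            # path stay exactly as AX deployed them.
            $pattern = '^net\.tcp://' + [regex]::Escape($name) + '(?=[:/]|$)'
            if ($address -match $pattern) {
                $ep.SetAttribute('address', ($address -replace $pattern, "net.tcp://$AosIp"))
                $changed++
                break
            }
        }
    }
    if ($changed -gt 0) {
        # Keep the original next to the edited file before saving.
        Copy-Item -LiteralPath $WebConfigPath -Destination "$WebConfigPath.bak" -Force
        $cfg.Save($WebConfigPath)
    }
    $changed
}

# Constructed stand-in for the deployed file, built from the fragment in the
# answer (a real AIF web.config carries many more endpoints and sections).
$sampleConfig = @'
<?xml version="1.0"?>
<configuration>
  <system.serviceModel>
    <client>
      <endpoint address="net.tcp://dax2012:8201/dynamicsax/services/MetadataService"
                behaviorConfiguration="clientEndpointBehavior" binding="netTcpBinding"
                bindingConfiguration="DefaultServiceGroupBinding"
                contract="Microsoft.Dynamics.AX.Framework.Services.Metadata.Service.IAxMetadataService"
                name="MetaDataService" />
    </client>
  </system.serviceModel>
</configuration>
'@

# Assumed location for the demo; on the IIS host point this at the AIF site's web.config.
$path = Join-Path ([IO.Path]::GetTempPath()) 'web.config'
Set-Content -LiteralPath $path -Value $sampleConfig -Encoding UTF8

$count = Convert-AosEndpointToIp -WebConfigPath $path `
    -AosHostNames 'dax2012', 'dax2012.ourdomain' -AosIp '10.10.90.22'
"$count endpoint(s) rewritten:"
([xml](Get-Content -LiteralPath $path -Raw)).SelectNodes('//endpoint') |
    ForEach-Object { $_.GetAttribute('address') }
```

Two caveats a practitioner should weigh before relying on this. With an IP literal in the address the client has no host name from which to derive a host/... SPN, so Negotiate falls back to NTLM: the call succeeds, but the IIS host is no longer mutually authenticating the AOS the way Kerberos would. And since the AOS writes this file when the port is activated (Brian's last step), the edit has to be re-applied after a redeploy unless, as he suggests, the IP is put into the inbound port configuration instead.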

  • Community Member

    I got the same error, but Eric's solution is working great. Thank you Eric.

  • Sohaib Khan (15)

    Hi Eric, I'm on AX 2012 R2 and facing the same issue with my installation where I have AOS and IIS on different machines. Do you know the KB# of the kernel patch that Microsoft released to fix this issue?
