You cannot sign in due to a technical issue. Contact your system administrator.


The above error started when our Server Certificate expired. After renewing, the error kept being constant. We have been able to update the Client User Settings config file with the DNS Identity on the Server Certificate and this resolved the Desktop Client. However, when it comes to the Web, this error keeps popping up. No one is able to sign in.

pastedimage1585724336708v1.png

  • Suggested answer
    gert@lynge.org

    Hi Namwiro,

    Did you update "DnsIdentity" in navsettings.json or web.config (the name depends on your exact NAV version)?

    It is probably located in C:\inetpub\wwwroot\<web instance>

    Otherwise look to see if there is a more descriptive error in the Windows event log on the server.

  • Namwiro

    Hey Gert,

    I sure did. On the Desktop client it works just fine. Updated also on the webconfig file but the error pops up. I have no idea if there is any other location or file where I need to update the same. Should I also update the instanceweb.config file?

    Best,

    Namwiro

  • Suggested answer
    gert@lynge.org

    You should also check the certificate bindings in the Internet Information Services manager (right click on the web client and select bindings).

    Also restart IIS.

    Note: If you use webservices and they also do not work after this, try to disable them, disable SSL - restart the service and enable them and SSL again...

    But please check the Windows event log for messages relating to this after getting the above mentioned error.

  • Namwiro
    [quote user="Gert Lynge"]

    You should also check the certificate bindings in the Internet Information Services manager (right click on the web client and select bindings).

    Also restart IIS.

    Note: If you use webservices and they also do not work after this, try to disable them, disable SSL - restart the service and enable them and SSL again...

    But please check the Windows event log for messages relating to this after getting the above mentioned error.

    [/quote]

    This is the error I am currently getting from the IIS Manager relating to the Nav Error above. 

    pastedimage1585768766241v2.png

    Thanks

  • Suggested answer
    gert@lynge.org

    Hi,

    I'm not sure what that error is / what you have tried testing - I've never seen errors like that in the IIS manager.

    What I'm asking for is: Windows event log messages relating to the above mentioned error.

  • Namwiro

    Hi Gert, 

    See below the event log. Please help.

    Error accessing Website Microsoft Dynamics NAV 2017 Web Client
    Raw Url: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Url: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Type: Microsoft.Dynamics.Nav.Types.NavSecurityNegotiationException
    Message: The Service Principal Name (Delegation) configuration has been set incorrectly. Server connect URL: "net.tcp://localhost:7246/nav100_staging/Service". SPN Identity: "DynamicsNAV/localhost:7246"
    The X.509 certificate CN=*.xxxxxxxxxxxxxxxxxxxxxxx is not in the trusted people store. The X.509 certificate CN=*.xxxxxxxxxxxxxxxxxxx chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. The revocation function was unable to check revocation because the revocation server was offline.


    StackTrace:
    at Microsoft.Dynamics.Nav.Client.ConnectionEstablisher.OpenConnection[TChannel](ConnectFailedEventArgs connectFailedArgs, ConnectionRequest connectionRequest, ConnectionOptions connectionOptions, SpnSetting spnSettingToTry, Boolean allowSpnSettingsSwap, UserSettings& userSettings)
    at Microsoft.Dynamics.Nav.Client.ConnectionEstablisher.OpenConnection[TChannel](ConnectionRequest connectionRequest, ConnectionOptions connectionOptions, UserSettings& userSettings)
    at Microsoft.Dynamics.Nav.Client.Web.SimpleServerOperation.SimpleServerOperationConnectionEstablisher.OpenConnection[TChannel](ConnectionRequest connectionRequest, ConnectionOptions connectionOptions, UserSettings& userSettings)
    at Microsoft.Dynamics.Nav.Client.Web.SimpleServerOperation.ExecuteCore[TResult,TChannel](ConnectionOptions serverConnectionOptions, Func`2 operation, Func`3 operationWithContext, Func`2 localExceptionHandler)
    Source: Microsoft.Dynamics.Nav.Client.ServiceConnection
    ----------------------------------
    Type: System.ServiceModel.Security.SecurityNegotiationException
    Message: The X.509 certificate CN=*.xxxxxxxxxxxxxxx is not in the trusted people store. The X.509 certificate CN=*.xxxxxxxxxxxxxxxxxxxxxxxx chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. The revocation function was unable to check revocation because the revocation server was offline.

    StackTrace:

    Server stack trace:
    at System.ServiceModel.Channels.SslStreamSecurityUpgradeInitiator.OnInitiateUpgrade(Stream stream, SecurityMessageProperty& remoteSecurity)
    at System.ServiceModel.Channels.StreamSecurityUpgradeInitiatorBase.InitiateUpgrade(Stream stream)
    at System.ServiceModel.Channels.ConnectionUpgradeHelper.InitiateUpgrade(StreamUpgradeInitiator upgradeInitiator, IConnection& connection, ClientFramingDecoder decoder, IDefaultCommunicationTimeouts defaultTimeouts, TimeoutHelper& timeoutHelper)
    at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.SendPreamble(IConnection connection, ArraySegment`1 preamble, TimeoutHelper& timeoutHelper)
    at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.DuplexConnectionPoolHelper.AcceptPooledConnection(IConnection connection, TimeoutHelper& timeoutHelper)
    at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
    at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
    at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
    at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
    at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)

    Exception rethrown at [0]:
    at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
    at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
    at System.ServiceModel.ICommunicationObject.Open(TimeSpan timeout)
    at System.ServiceModel.Channels.SecurityChannelFactory`1.ClientSecurityChannel`1.OnOpen(TimeSpan timeout)
    at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
    at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.DoOperation(SecuritySessionOperation operation, EndpointAddress target, Uri via, SecurityToken currentToken, TimeSpan timeout)
    at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.GetTokenCore(TimeSpan timeout)
    at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
    at System.ServiceModel.Security.SecuritySessionClientSettings`1.ClientSecuritySessionChannel.OnOpen(TimeSpan timeout)
    at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
    at System.ServiceModel.Channels.ReliableChannelBinder`1.ChannelSynchronizer.SyncWaiter.TryGetChannel()
    at System.ServiceModel.Channels.ReliableChannelBinder`1.ChannelSynchronizer.SyncWaiter.TryWait(TChannel& channel)
    at System.ServiceModel.Channels.ReliableChannelBinder`1.ChannelSynchronizer.TryGetChannel(Boolean canGetChannel, Boolean canCauseFault, TimeSpan timeout, MaskingMode maskingMode, TChannel& channel)
    at System.ServiceModel.Channels.ReliableChannelBinder`1.Send(Message message, TimeSpan timeout, MaskingMode maskingMode)
    at System.ServiceModel.Channels.SendReceiveReliableRequestor.OnRequest(Message request, TimeSpan timeout, Boolean last)
    at System.ServiceModel.Channels.ReliableRequestor.Request(TimeSpan timeout)
    at System.ServiceModel.Channels.ClientReliableSession.Open(TimeSpan timeout)
    at System.ServiceModel.Channels.ClientReliableDuplexSessionChannel.OnOpen(TimeSpan timeout)
    at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
    at Microsoft.Dynamics.Nav.Types.Channels.ChunkingDuplexSessionChannel.OnOpen(TimeSpan timeout)
    at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
    at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
    at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)

    Exception rethrown at [1]:
    at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
    at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
    at System.ServiceModel.ICommunicationObject.Open()
    at Microsoft.Dynamics.Nav.Client.ConnectionEstablisher.CallOpenConnection(IAsyncNavService server, ConnectionRequest connectionRequest)
    at Microsoft.Dynamics.Nav.Client.ConnectionEstablisher.OpenConnection[TChannel](ConnectFailedEventArgs connectFailedArgs, ConnectionRequest connectionRequest, ConnectionOptions connectionOptions, SpnSetting spnSettingToTry, Boolean allowSpnSettingsSwap, UserSettings& userSettings)
    Source: mscorlib
    ----------------------------------
    Type: System.IdentityModel.Tokens.SecurityTokenValidationException
    Message: The X.509 certificate CN=*.xxxxxxxxxxxxxxxxxxxx is not in the trusted people store. The X.509 certificate CN=*.xxxxxxxxxxxxxxxxxxxxx chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. The revocation function was unable to check revocation because the revocation server was offline.

    StackTrace:
    at System.IdentityModel.Selectors.X509CertificateValidator.PeerOrChainTrustValidator.Validate(X509Certificate2 certificate)
    at System.IdentityModel.Selectors.X509SecurityTokenAuthenticator.ValidateTokenCore(SecurityToken token)
    at System.IdentityModel.Selectors.SecurityTokenAuthenticator.ValidateToken(SecurityToken token)
    at System.ServiceModel.Channels.SslStreamSecurityUpgradeInitiator.ValidateRemoteCertificate(Object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
    at System.Net.Security.SecureChannel.VerifyRemoteCertificate(RemoteCertValidationCallback remoteCertValidationCallback, ProtocolToken& alertToken)
    at System.Net.Security.SslState.CompleteHandshake(ProtocolToken& alertToken)
    at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
    at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
    at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
    at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
    at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
    at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
    at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
    at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
    at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
    at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
    at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
    at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
    at System.ServiceModel.Channels.SslStreamSecurityUpgradeInitiator.OnInitiateUpgrade(Stream stream, SecurityMessageProperty& remoteSecurity)
    Source: System.IdentityModel

  • Suggested answer
    Marco Mels

    Hello,

    This is the error:

    The X.509 certificate CN=*.xxxxxxxxxxxxxxx is not in the trusted people store.

    The new certificate should be copied to the Trusted People Store on the service tier machine.

    pastedimage1585889035786v1.png

    Hope it does help.

  • Namwiro

    Hey Marco Mels,

    I copied the certificate to the Trusted People Store and still could not get the webclient to work but I don't know if we are meant to install it too into that folder or copying only works. What services should I restart once I have copied the Certificate?

    Many thanks,

    Namwiro

  • Suggested answer
    Marco Mels

    Hello,

    Yes, the service tier must be restarted and you must perform an IISRESET on the IIS server. Note that the bindings in IIS must also be updated to point to the new cert.

    Thanks.

  • Suggested answer
    gert@lynge.org

    Hi Namwiro,

    Putting the certificate in the trusted people store might work, but is actually a workaround for the issue. This is the "correct" solution (verified by Microsoft support and with input from https://freddysblog.com/ :-) ): 

    1. Go to IIS

    2. Open the Application Pools

    3. Open the Microsoft Dynamics NAV xxxx Web Client Application Pool

    4. Open Advanced Settings (in the menu to the right)

    5. Locate the Process Model / Load User Profile setting and set it to False

    This solution is also used by the included PowerShell scripts (if I remember it correctly there are some on the install media) for adding web-instances (note the PowerShell cmdlet Add-NAVWebInstance does NOT set this correctly - you should do this manually afterwards).

    I've actually blogged about this back in November 2016 (unfortunately in Danish, but maybe you can google translate it :-) ), here: https://scblog.lynge.org/?p=1075

    I suggest you fix this "the official way" as it might cause other issues than the one you experienced.

    Btw: And yes, you should restart IIS after removing the certificate from the trusted people store and changing this setting :-)
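
Added example (not part of any post in this thread and not a script from Microsoft or the posters): a read-only PowerShell check of the points the answers raise, namely whether the renewed certificate's chain builds with online revocation checking, whether a copy sits in Trusted People, which certificate the IIS bindings use, and the app pool's Load User Profile value. `$Thumbprint` and `$PoolName` are placeholders you must fill in, and the certificate is assumed to be in LocalMachine\My.

```powershell
# Added diagnostic sketch. Run in an elevated PowerShell session on the web server.
# Placeholders (assumptions, replace with your own values):
$Thumbprint = '<THUMBPRINT-OF-RENEWED-CERT>'
$PoolName   = '<NAV web client application pool name>'

Import-Module WebAdministration

function Get-CertChainReport {
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Build the chain with online revocation checking, the part of validation
    # that the event log reports as failed ("revocation server was offline").
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $ok = $chain.Build($Cert)
    [pscustomobject]@{
        Subject     = $Cert.Subject
        NotAfter    = $Cert.NotAfter
        ChainValid  = $ok
        # Typical flags: OfflineRevocation, RevocationStatusUnknown, UntrustedRoot, NotTimeValid
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# 1. Is the renewed certificate installed, and does its chain build?
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }
Get-CertChainReport -Cert $cert | Format-List

# 2. Was a copy placed in Trusted People (the workaround discussed in the thread)?
$inTrustedPeople = [bool](Get-ChildItem Cert:\LocalMachine\TrustedPeople |
                          Where-Object Thumbprint -eq $Thumbprint)
"In LocalMachine\TrustedPeople: $inTrustedPeople"

# 3. Which certificate is each IIS SSL binding actually using?
Get-ChildItem IIS:\SslBindings | Select-Object IPAddress, Port, Host, Thumbprint, Store

# 4. Current Load User Profile value on the web client application pool
(Get-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel.loadUserProfile).Value

# To apply the value recommended in the last answer above, then restart IIS:
# Set-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel.loadUserProfile -Value $false
# iisreset
```

The chain result reflects the account running the script, which can differ from what the application pool identity sees, so compare it with the event log entry rather than treating it as final.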
