Microsoft Dynamics AX (Archived)

AX UI Client to AOS Server Kerberos Authentication

(0) Share

Report

Posted on by Brandon Wiese

17,788

I'm trying to get Kerberos authentication work between the AX client and the AOS in 2012 R3 CU 10 or so.

I found the following blog post that describes it.

https://blogs.msdn.microsoft.com/axsupport/2015/03/20/enhanced-security-with-kerberos-only-authentication-in-microsoft-dynamics-ax/

Implementing it would seem straightforward, i.e. just put authn_service 16 in the AOS registry key and authn_service,Text,16 in the configuration file, and indeed if you do both the client can connect to the server. But, I'm not seeing a cached ticket using KLIST TICKETS | FIND "2712" as expected (at least not reliably, sometimes but not always).

I'm stumped trying to figure out if the AX client is ACTUALLY using Kerberos authentication over RPC to the AOS or not. If anyone knows of a way to determine this for certain, I'd tremendously appreciate a push in the right direction.

I've already tried all 9 combinations of the authn_service settings (empty, 9, or 16 on the client and empty, 9, or 16 on the server), and what I've found is that ALL combinations work EXCEPT when the server's authn_service is 16 (Kerberos only) and the client's authn_service is missing or 9 (negotiate). I find that odd, in particular that the client could be set to authn_service of 16 (Kerberos only) and the server set to missing (NTLM only), and for reasons I cannot explain the client connects to the server anyway.

It appears from testing that authn_service missing and authn_service 9 behave identically for both server and client. This suggests to me, since I cannot see whether NTML or Kerberos is ACTUALLY being used, that negotiate prefers NTLM over Kerberos as implemented by AX. I've never seen a Microsoft product where NTLM was preferred over Kerberos when both were available. Most Microsoft documentation suggests moving away from NTLM and to Kerberos wherever possible, and not just for reasons for delegation.

After a while I landed on the idea that I could just configured the server's authn_service as 9 (negotiate) and the client's authn_service as 9 (negotiate) and I expect Kerberos to be used wherever the server (subject to SPN registration, which I do have working) and client both support it, but would fall back to NTLM otherwise, which is not ideal but a useful compromise in a production environment. I'm not convinced at all that 9 and 9 ever actually use Kerberos at all.

Finally, and probably worst of all, if you set the server's authn_service as 16 (Kerberos only), it becomes impossible to install the AX client with reference to that AOS. The installation wizard, for better or for worse, actually connects to the AOS using the information supplied, and since you CANNOT interject an authn_service of 16 during the installation process, the installer cannot possible connect to a server with authn_service at 16 (Kerberos only). Thus, negotiate would seem even more useful in that light.

What was Microsoft thinking? None of this appears to work as documented, and worse it doesn't appear to work in a way that can be made useful. Are we supposed to be unable to install the client software without reverting the AOS back to NTLM only, which of course requires an AOS restart? How does anyone actually use Kerberos between the AX client and AOS?

I can tell from SQL Server quite easily which connects are Kerberos and which are NTLM, i.e. select * from sys.dm_exec_connections, so I can know positively that Kerberos is working. What means do we have with AX to inspect what authentication was actually used for client connections?

*This post is locked for comments

I have the same question (0)

All responses (5)

Answers (1)

Verified answer

Brandon Wiese 17,788 on at

Like (0)

Report
I used the debugrpc(string) value on the client and server hoping to get more detailed information. All that we get is 3 identical 110 events in the application log indicating either Negotiate (when authn_services is missing or 9) or Kerberos (when authn_services is 16), and never NTLM specifically.

The blog post says.

authn_service(string-value) – configurable on both client and server – allowable values: 9, 16 　　　　　　　 9 = Negotiate, 　　　　　　　 16 = Kerberos 　　　　　　　 (default value is “Default” i.e. NTLM)

But the default value is not NTLM. It's Negotiate, which we should presume is Kerberos with a fallback to NTLM when necessary.

It also says.

By default we are using a Kerberos and NTLM mix. This stays unchanged if you don’t set any Registry Key.

This is, of course, confusing. What is a mix of Kerberos and NTLM? Does that mean fallback from Kerberos to NTLM? And if we set the registry key to 9 = Negotiate, isn't that also unchanged from the default, even thought the blog post says otherwise?

I still have not found a way to know for certain which authentication is being used between the UX client and AOS server.

Testing still reveals that setting the AOS to Kerberos only (authn_service 16) prevents installation of the client and .NET business connector, since the installation wizard cannot connect to the referenced instance and fails.

I've pretty much given up on this. I'm convinced I've wasted my time and the blog post is effectively worthless information.

Was this reply helpful? Yes No
Zionite 5 on at

Like (0)

Report

Hi there, I know this is over 2 years old but thought I should let you know I have the same issues and here is what I did to find which Authen is being used.

1. Download and install Wireshark on the client host.

2. Launch the Wireshark application and select the network interface e.g. Ethernet for wired LAN.

3. Start capturing

4. Launch the AX client

5. Stop capturing on Wireshark

6. Sort the Protocol column and look for DCERPC.

7. Once you select the packet expand the details for "Distributed Computing Environment / Remote Procedure Call (DCE/RPC) ..."

8. In the expanded section you will see another section for "Auth Info:"

If the client is using NTLM then NTLMSSP

For Negotiate SPNEGO

Did you get to resolve the issue below?

"Testing still reveals that setting the AOS to Kerberos only (authn_service 16) prevents installation of the client and .NET business connector, since the installation wizard cannot connect to the referenced instance and fails."

Was this reply helpful? Yes No
Suggested answer

Anup Shah MSFT on at

Like (0)

Report

I managed to get this working on kernel AX 2012 R3 CU13. For AX 2012 R2 ensure you are using kernel build 6.2.3000.2983 or higher.

Setup as follows:-

- All machines running Windows Server 2016, AX Client machine running Windows 10

- Minimum topology 4 separate machines: 1xDC, 1xAOS server, 1xSQL Server, 1xAX Client

- all service are running in the same domain

- the AOS and SQL services are running using a domain user account

- all connections use FQDN, so in AOS server configuration using FQDN of SQL server, In AX client configuration using FQDN of AOS server.

- The SPNs for AOS service and SQL Server service was created using the same FQDN's used above.
- To truly test Kerberos authentication ensure the AX client is running on a separate remote machine and not the AOS

(1) I created the following SPNs using the service accounts used by the service. Examples:

AOS:

setspn -S 29D16D8E-32D1-433B-B77F-987C2408CEA4/AOS1:2712 contoso\aossvc
setspn -S 29D16D8E-32D1-433B-B77F-987C2408CEA4/AOS1.contoso.com:2712 contoso\aossvc

SQL server:

SETSPN - S MSSQLSvc/SQL1:1433 contoso\sqlsvc

SETSPN -S MSSQLSvc/SQL1.CONTOSO.COM:1433 contoso\sqlsvc

(2) Added following registry keys:

AOS Server:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dynamics Server\6.0\<instance>\<current configuration>

Created a REG:SZ Key: authn_service

Value: 16

AX Client:

Under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Dynamics\6.0\Configuration\<current configuration>

Created a REG:SZ Key: authn_service

Value: 16

(NOTE: To run the AX client on the same machine as AOS you need to add the same AX client registry key else the app will fail to start. For the test use a remote AX client machine).

(3) Restarted SQL Service and AOS service

(4) Installed Wireshark on client machine as per notes above by Zionite.Started caturing, then started the AX client, and stop capturing as soon as AX started up.

(5) Sorted the trace by protocol. Click on any DSERPC frame, in the middle frame, expand the Auth Info. As you see below I am using Kerberos SSP:

Was this reply helpful? Yes No
Brandon Wiese 17,788 on at

Like (0)

Report

Excellent post! Extremely well documented.

Can you install the client with the AOS in authn 16 mode?

Was this reply helpful? Yes No
Suggested answer

Anup Shah MSFT on at

Like (0)

Report

Hello Brandon

Even I was curious about that. I set up a new machine, and I was able to install the AX client (AX 2012 R3 CU13). For the AOS server name I used an FQDN (not sure if this has any impact at this stage)

Of course as soon as I launch the client it will crash until I add the authn_service key in the registry or its axc file.

One thing I should also mention is that I have not applied any policies on the AOS server to restrict traffic to Kerberos only. Maybe that would have had an effect on the AX setup?

Also to add to my previous post, I can also verify if the AOS connections to SQL server use Kerberos authentication or not.

select client_net_address, local_net_address, auth_scheme from sys.dm_exec_connections

Sample output from my previous test:

10.0.0.11 = AOS server and 10.0.0.8 = SQL server

Was this reply helpful? Yes No