Hi All,
I'm hoping to find some answers from someone who has done a successful 3-tier NAV configuration where the NAV Web Server (public facing), NAV Server (mid-tier) and NAV SQL (data-tier) are installed on 3 separate machines. Please note I am running NAV 2016 on Server 2012 R2.
For reference they'll be referred to as:
NAVWEB
NAVSERVER
NAVSQL
For the record, I followed the following article:
https://docs.microsoft.com/en-us/dynamics-nav/walkthrough--installing-the-microsoft-dynamics-nav-web-server-components-on-three-computers
Everything went smoothly until the last phase of the web server, particularly securing communications between NAVWEB & NAVSERVER via an SSL certificate.
Where I am now:
If I disable all SSL communications and remove the Certificate Thumbprint from NAVSERVER in the configuration, everything works as expected using Windows Authentication in an Active Directory domain environment. I open the URL NAVWEB:8080/.../ and I'm in and can see my companies / NAV. Great.
Where I want to be:
NAV publicly accessible via e.g. nav.companyname.com, secured with SSL, so that the URL in the browser will read https://nav.companyname.com/Instance/WebClient and users are prompted to log in every time they visit the site, unless they choose to remember credentials in the browser.
The Issue:
I update the NAVSERVER configuration to use SSL by changing the authentication type to UserName (apparently this is a required step for using SSL) and entering the certificate thumbprint. I enable SSL under SOAP.
I imported the SSL certificate from a trusted third-party onto both NAVWEB and NAVSERVER and enabled full access to the NAV Service Account.
The NAV Service account has the correct permissions to register SPNs in Active Directory. These are registered successfully when monitoring the Event Log and when running setspn -L domain\service account.
The NAVWEB server is granted permission in AD to register SPNs using the NAV Service Account for HOST/NAVSERVER and HOST/NAVSERVER.domain as well as the DynamicsNAV services, as per the official Microsoft documentation on configuring a NAV Service Account.
I update the NAVWEB server configs to use UserName authentication in the web.config file as per documentation.
The SSL certificate is set for Server and Client auth on both NAVWEB and NAVSERVER.
Everything is pretty much done by the book and the event logs show no errors.
The Results:
When I enter NAVWEB/.../WebClient or localhost/.../WebClient I am prompted with a NAV login screen after ignoring the error about the SSL cert not matching the SubjectName. I use a wildcard *.companyname.com on both NAVWEB & NAVSERVER. I get an error that the user is not permitted to log into NAV or no NAV account has been set up. Yet the account is in NAV and works without SSL.
I've tried both username & password and domain\username and password with the same results.
Furthermore, when I enable HTTP redirect and configure the hostname in the IIS binding as nav.company.com, I get a Windows popup login screen before even hitting the NAV login page. I've been able to get past this by allowing anonymous authentication in IIS. But then when I log in to NAV I get a service error that states "A server error occurred and the content cannot be displayed".
I know I'm close; I think it's just something stupid that I'm missing. Any ideas / help will be appreciated.
Thanks in advance!
Edit: I ran a Wireshark trace on both NAVWEB and NAVSERVER and I get a lot of red lines; after drilling into the error it seems like a "Connection Reset" error. I am however not a pro with Wireshark, so I don't know if this means anything to anyone.
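Added example (not from the original post, and not Microsoft's NAV documentation): a PowerShell diagnostic that checks the three things the post describes configuring by hand, so each can be confirmed on the box rather than inferred from a reset in Wireshark. It verifies that the configured thumbprint actually resolves to a certificate with a private key in LocalMachine\My, that the service account has an ACE on that key file, which SPNs are registered for the account, and whether a TLS handshake against the NAV Server SOAP port succeeds and presents a certificate whose name covers the host name you connect with. The account name, NAVSERVER FQDN and thumbprint are placeholders; port 7047 is assumed to be the NAV SOAP port (the product default, HTTPS once SSL is enabled); the CNG branch of the key lookup assumes .NET 4.6 or later.

```powershell
# Added diagnostic example; not from the original post or from Microsoft's NAV docs.
# Run in an elevated PowerShell on NAVSERVER, then again on NAVWEB (the cert is
# imported on both). Placeholders to replace: service account, NAVSERVER FQDN,
# raw thumbprint. Assumed: SOAP port 7047 (NAV default, HTTPS when SSL is on).
# Do NOT point the TLS probe at the client services port (default 7046): that
# endpoint is net.tcp with its own framing and resets a raw TLS ClientHello
# even when everything is configured correctly.
param(
    [string]$ServiceAccount = 'COMPANYNAME\NavService',      # placeholder
    [string]$NavServerFqdn  = 'navserver.companyname.com',   # placeholder
    [string]$RawThumbprint  = 'paste the thumbprint from the NAV Server config here',
    [int]   $SoapPort       = 7047                           # assumed NAV default
)

function Get-CleanThumbprint {
    param([string]$Raw)
    # Thumbprints copied from the certificate MMC often carry an invisible
    # left-to-right mark (U+200E) and spaces; NAV stores the string as-is and
    # then cannot find the certificate. Keep only the 40 hex digits.
    $clean = ($Raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) { throw "'$Raw' does not reduce to a 40-hex-digit SHA-1 thumbprint" }
    if ($clean -ne $Raw.ToUpperInvariant()) { Write-Warning "Thumbprint had non-hex characters; use exactly: $clean" }
    return $clean
}

function Test-NavServiceCertificate {
    param([string]$Thumbprint, [string]$ServiceAccount)
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert)               { Write-Warning "No certificate $Thumbprint in LocalMachine\My"; return $false }
    if (-not $cert.HasPrivateKey) { Write-Warning 'Certificate has no private key on this machine'; return $false }
    Write-Host "Subject=$($cert.Subject) Expires=$($cert.NotAfter)"
    # CAPI keys expose their container name via PrivateKey; CNG keys need
    # RSACertificateExtensions (.NET 4.6+, assumed). Both live under ProgramData\Microsoft\Crypto.
    $keyName = $null
    try { $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName } catch {}
    if (-not $keyName) {
        try { $keyName = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert).Key.UniqueName } catch {}
    }
    if (-not $keyName) { Write-Warning 'Could not determine the private key container name'; return $false }
    $keyFile = Get-ChildItem "$env:ProgramData\Microsoft\Crypto" -Recurse -Filter $keyName -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $keyFile) { Write-Warning "Private key container '$keyName' not found on disk"; return $false }
    # Read on the key file is all the service account needs; Full Control is not required.
    $ace = (Get-Acl $keyFile.FullName).Access | Where-Object { $_.IdentityReference.Value -eq $ServiceAccount -and $_.AccessControlType -eq 'Allow' }
    if (-not $ace) { Write-Warning "$ServiceAccount has no Allow ACE on $($keyFile.FullName)"; return $false }
    Write-Host "$ServiceAccount has $($ace.FileSystemRights) on the private key"
    return $true
}

function Test-NavSoapTls {
    param([string]$Server, [int]$Port, [string]$ExpectedThumbprint)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try { $tcp.Connect($Server, $Port) } catch { Write-Warning "TCP ${Server}:$Port - $($_.Exception.Message)"; return $false }
    # Accept any server certificate during the handshake; it is inspected explicitly below.
    $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    try { $ssl.AuthenticateAsClient($Server) }
    catch {
        # A reset mid-handshake is what Wireshark shows as "Connection Reset"; the
        # server's Application log normally has the real cause (key ACL, bad thumbprint).
        Write-Warning "TLS handshake with ${Server}:$Port failed - $($_.Exception.GetBaseException().Message)"; return $false
    }
    $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $ssl.Dispose(); $tcp.Close()
    Write-Host "Server presented $($remote.Thumbprint) $($remote.Subject)"
    $ok = $true
    if ($remote.Thumbprint -ne $ExpectedThumbprint) { Write-Warning 'Presented certificate is not the configured one'; $ok = $false }
    # Name check: SAN DNS entries if present, else the CN. A '*.x' wildcard covers one label only,
    # so a *.companyname.com cert never matches a short name like NAVWEB or localhost.
    $names = @($remote.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    $san = $remote.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) { $names = [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value } }
    $match = $names | Where-Object { $_ -eq $Server -or ($_.StartsWith('*.') -and $Server -match ('^[^.]+\.' + [regex]::Escape($_.Substring(2)) + '$')) }
    if (-not $match) { Write-Warning "'$Server' is not covered by [$($names -join ', ')]; connect with a name the cert covers"; $ok = $false }
    if (-not $remote.Verify()) { Write-Warning 'Certificate chain does not validate on this machine'; $ok = $false }
    return $ok
}

$thumb = Get-CleanThumbprint $RawThumbprint
Test-NavServiceCertificate -Thumbprint $thumb -ServiceAccount $ServiceAccount | Out-Null
# SPNs registered for the service account, filtered to NAVSERVER's host name.
setspn -L $ServiceAccount | Select-String -SimpleMatch $NavServerFqdn.Split('.')[0]
Test-NavSoapTls -Server $NavServerFqdn -Port $SoapPort -ExpectedThumbprint $thumb | Out-Null
```

Two points from the script are worth keeping in mind when reading a trace like the one in the edit: a reset during the handshake on the SOAP port is the mid-tier refusing to complete TLS, which usually means it never loaded the private key (wrong or garbage thumbprint, or no ACE for the service account), and the Application log on NAVSERVER is where that shows up; a reset on the client services port, by contrast, tells you nothing, because that endpoint is not plain TLS. Separately, a `*.companyname.com` certificate can only be valid for a host name under that domain, so the web server must address the mid-tier by a covered FQDN and users must browse to a covered FQDN for the name-mismatch warning to go away.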