Kerberos Webservices NAV 2009 R2

Hi folks, I have a Kerberos or delegation issue with Dynamics NAV 2009 R2 web service. I hope you guys can help me.

It is a somewhat unusual 2-tier model. The server tier runs with the same credentials as the webservice. Both share a process on the same computer. Port sharing is enabled. The NAS runs on port 7046, the WS on 7047. Both services logically run with the same service account. So far, so good.

The corresponding DB server is a 2014 always-on cluster with 2 nodes and one cluster resource. Here I have a different service account. 

The SPN for 7046 and 7047 point to the APP and the WS-Server with the same service account. 

The different service account of the DB cluster is bound to all 3 resources (cluster head, node1 and node 2) with port 1433 on all providers.

The problem I have: if I call the webservice by IP, hostname or FQDN on the application server itself, or on the web server itself, with for example nserver:4047/.../Services, I get the expected response. The same is true for a call directly on the DB resources.

But if I now execute the same call on a workstation outside the APP server to DB server delegation, I get the message that the DB server cannot acknowledge the authentication. The call fails. 

But if I first let the user authenticate on the APP server itself and then repeat the call on his own workstation, it works. The generated security token is inherited in some way. 

If I look at the event log of the NAS, I see calls that have not been deliberately initiated manually on the NAS, transfers to the DB service with empty Kerberos credentials or service principal names, which the DB service rejects. 

If I let the user authenticate on the app server (NAS+WS) beforehand and then call the web service on his own workstation, the app server passes the Kerberos credentials as "known" to the DB service and the authentication succeeds.

My finding is, the delegation from NAS and web service to DB service works. This is also shown by the RTC, which has no problems at all. However, the credentials from the web service on 7047 are not being passed correctly to the NAS on 7046. As a result, the subsequent Kerberos packet sent to the DB service for authentication is empty in the principal name section. This in turn leads to rejection because the DB service cannot process the empty SPN.

What do you think should be done? How do I get the web service to pass the SPN to the NAS so it can authenticate with it to the DB service? 

Thanks in advance for your help!

Cheers Ingo

  • THE Italian

    NAV 2009 R2 is out of mainstream support since 2015 and also mainstream ended in 2020.

    I would better move out from this pretty outdated environment.

    Since NAV 2013 onwards there is no need anymore to set up delegation and this exotic scenario might take great benefit from this (also SQL 2014 is pretty outdated, though).

  • s.weikelt (suggested answer)

    captain here

    www.msdynamics.de/viewtopic.php

    -> Solution here

    help.sana-commerce.com/.../nav-2009-threetier-environment

    #HeroOfTheWeek

    PS:

    I always say - update the environment... but you know (or don't) the customer is not always able to do an upgrade or the system is just running perfect OR the $$$$$$ is just too high ;)

    *fliesAway*

  • Community Member

    Using netmon, I found that the client first gets a valid ticket from KDC1 (domain controller 1). Then the NST asks KDC2 (domain controller 2) and gets a Kerberos response with badoption 0xc.

    In my opinion this indicates a missing SPN or a wrong configuration. Whether the SQL AlwaysOn Cluster influences the behavior I could not find out yet.

    Does anyone have any ideas?

  • Community Member

    Thanks for the weblinks.

    The first of these is my own post ... and we both have had the pleasure there ;)

    But unfortunately the constrained delegation did not show the expected success.

    After delegation, as described in your 2nd link sana-commerce, I can access the web service, but all other net-resources, such as various net shares, no longer work. In this case I get a Kerberos error with badoption for all other Kerberos resources, for example cifs or similar.

    Currently I can either turn on delegation as described in sana-commerce and get access to the webservice or turn it off and can use the net resources but not the webservice.

    Unfortunately both together do not work yet.

    Thanks again for your help!

  • Community Member

    Thank you. We will make the change in the near future. However, at the moment it is not an option.
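
A read-only check of the SPN and delegation settings discussed in this thread, added here as an example and not posted by any participant. It assumes the ActiveDirectory PowerShell module, that both service accounts are domain user accounts, and constructed placeholder names (`svc-nav`, `svc-sql`, `*.corp.example`); the SQL SPNs are assumed to use the standard `MSSQLSvc/<fqdn>:1433` form.

```powershell
# Added example: read-only audit of SPNs and delegation settings.
# All account and host names are constructed placeholders.
Import-Module ActiveDirectory

$NavAccount  = 'svc-nav'   # placeholder: account running NAS (7046) and web service (7047)
$SqlAccount  = 'svc-sql'   # placeholder: SQL Server service account
$SqlHosts    = 'sqlag.corp.example', 'sqlnode1.corp.example', 'sqlnode2.corp.example'
$ExpectedSql = $SqlHosts | ForEach-Object { 'MSSQLSvc/{0}:1433' -f $_ }

$props = 'servicePrincipalName', 'msDS-AllowedToDelegateTo',
         'TrustedForDelegation', 'TrustedToAuthForDelegation'
$nav = Get-ADUser -Identity $NavAccount -Properties $props
$sql = Get-ADUser -Identity $SqlAccount -Properties servicePrincipalName
$allowed = @($nav.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

# 1. SPNs on the NAV account for the two ports, with a duplicate check:
#    an SPN registered on more than one object breaks Kerberos for that service.
foreach ($spn in $nav.servicePrincipalName | Where-Object { $_ -match ':(7046|7047)$' }) {
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
    '{0,-50} owners={1}' -f $spn, $owners.Count
}

# 2. Delegation mode of the middle-tier account.
[pscustomobject]@{
    Unconstrained      = $nav.TrustedForDelegation
    ProtocolTransition = $nav.TrustedToAuthForDelegation
    ConstrainedTargets = $allowed.Count
} | Format-List

# 3. Each SQL SPN must exist on the SQL account and, with constrained
#    delegation, also appear in the NAV account's allowed-to-delegate list.
foreach ($spn in $ExpectedSql) {
    [pscustomobject]@{
        SPN               = $spn
        OnSqlAccount      = $sql.servicePrincipalName -contains $spn
        DelegationAllowed = $allowed -contains $spn
    }
}

# 4. Everything else the account may delegate to (for example file shares).
#    With constrained delegation, services absent from this list are refused.
$allowed | Where-Object { $_ -notin $ExpectedSql }
```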
