Share
Report
30Currently, our NAV server is 2-tier with the SQL database residing on the same server as the application/services. Now we're breaking it out to have the database be on a 3rd tier. We're first testing moving our DEV database to a DEV SQL server. But, so far we've been unable to make that happen due to issues with the web services and impersonation.
When we try to connect to the web services, we get the error: "The login failed when connecting to SQL Server DEVSQLSRV". When looking in the log on the SQL server's windows event log, it shows Anonymous authentication from the NAV server. In the same event, it shows "Package Name (NTLM only): NTLM V1". But, when testing with SQLCMD (see below), it connects with Kerberos from the NAV Server using the NAV server service.
The NAV RTC and Classic client seem to work fine. So it really seems like I'm missing some configuration with the web service. But, not sure exactly what.
Also, the web service works with Internet Explorer -- but nothing else -- and if I go to it with Internet Explorer first, then other browsers work until it times out. Obviously this won't work for services that rely on the web services.
The URL we're testing it with: navsrv.domain.local/.../Services
Below is our setup:
NAV Server Setup (NAVSRV):
- All of the NAV services run as a domain user "DOMAIN\navservice"
- The SPNs have been setup
- setspn -L DOMAIN\navservice
- NAVPROD/NAVSRV:7046
- NAVPROD/NAVSRV.DOMAIN.local:7046
- NAVDEV/NAVSRV:7046
- NAVDEV/NAVSRV.DOMAIN.local:7046
- HTTP/NAVSRV
- HTTP/NAVSRV.DOMAIN.local
- HTTP/NAVSRV:7047
- HTTP/NAVSRV.DOMAIN.local:7047
- Both NAV instances share same tcp port
- setspn -L DOMAIN\navservice
- Delegation has been enabled (unconstrained for now until setup is finalized)
- User has been allowed in local Windows Security Policy for "Impersonate a client after authentication" for "DOMAIN\navservice"
- I checked the http urlacl and confirmed it's set
- Reserved URL : http://+:7047/
User: DOMAIN\navservice
Listen: Yes
Delegate: Yes
SDDL: D:(A;;GA;;;S-1-5-21-###) - I tried setting it individually such as http://+://7047/NAVDEV/ but then the service wouldn't start throwing the error "HTTP could not register URL http://+:7047/NAVDEV/ ... because it conflicts with an existing registration on the machine". I did not try rebooting the server after changing this, just the services.
- Reserved URL : http://+:7047/
SQL Server Setup (DEVSQLSRV)
- SQL Service runs as domain user "DOMAIN\devsqlservice"
- The SPNs have been setup
- setspn -L DOMAIN\devsqlservice
- MSSQLSvc/DEVSQLSRV.DOMAIN.locol:1433
- MSSQLSvc/DEVSQLSRV.DOMAIN.local
- MSSQLSvc/DEVSQLSRV:1433
- MSSQLSvc/DEVSQLSRV
- Only one SQL instance
- setspn -L DOMAIN\devsqlservice
- Delegation has been enabled (unconstrained for now until setup is finalized)
- User has been allowed in local Windows Security Policy for "Impersonate a client after authentication" for "DOMAIN\devsqlservice"
- Testing with sqlcmd from NAVSRV to DEVSQLSRV returns a kerberos connection (run as DOMAIN\navservice)
- sqlcmd -S DEVSQLSRV -Q"select net_transport, client_net_address, auth_scheme from sys.dm_exec_connections where session_id=@@spid"
NAV Database
- DOMAIN\navservice user is dbowner on NAV database
- Can connect just fine with RTC & Classic
What are we missing?
All responses (
Answers (
