Currently, our NAV server is 2-tier with the SQL database residing on the same server as the application/services. Now we're breaking it out to have the database be on a 3rd tier. We're first testing moving our DEV database to a DEV SQL server. But, so far we've been unable to make that happen due to issues with the web services and impersonation.
When we try to connect to the web services, we get the error: "The login failed when connecting to SQL Server DEVSQLSRV". When looking in the log on the SQL server's windows event log, it shows Anonymous authentication from the NAV server. In the same event, it shows "Package Name (NTLM only): NTLM V1". But, when testing with SQLCMD (see below), it connects with Kerberos from the NAV Server using the NAV server service.
The NAV RTC and Classic client seem to work fine. So it really seems like I'm missing some configuration with the web service. But, not sure exactly what.
Also, the web service works with Internet Explorer -- but nothing else -- and if I go to it with Internet Explorer first, then other browsers work until it times out. Obviously this won't work for services that rely on the web services.
The URL we're testing it with: navsrv.domain.local/.../Services
Below is our setup:
NAV Server Setup (NAVSRV):
SQL Server Setup (DEVSQLSRV)
NAV Database
What are we missing?
The issue was the unconstrained delegation. It has to be constrained. Once I defined the services with "Trust this computer for delegation to specified services only", "Use Kerberos Only" and specified the services, it all worked.
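As an added example (not code from this thread, from the poster, or from Microsoft), the PowerShell function below audits the settings the accepted answer names: whether the NAV service account is configured for constrained delegation with "Use Kerberos only" rather than unconstrained delegation, whether the allowed-services list contains the SQL Server SPN, and whether the HTTP SPNs from the earlier reply are registered on that account exactly once. The account name navservice and the server names NAVSRV/DEVSQLSRV come from the thread; the ActiveDirectory RSAT module, the SQL SPN form MSSQLSvc/<fqdn>:1433 and the fully qualified host names are assumptions.

```powershell
# Added example, not from the thread: audit a service account's Kerberos delegation
# mode and SPN registration. Assumes the ActiveDirectory (RSAT) module is installed
# and the caller can read the account and search the domain.
Import-Module ActiveDirectory

function Test-ServiceAccountDelegation {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        # Front-end SPNs the account must own (the thread registers HTTP/<server> to it)
        [string[]] $RequiredSpns = @(),
        # Back-end services the account must be allowed to delegate to (SPN form assumed)
        [string[]] $RequiredDelegationTargets = @()
    )

    $acct = Get-ADUser -Identity $SamAccountName -Properties ServicePrincipalName,
        TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo', AccountNotDelegated

    $findings = New-Object System.Collections.Generic.List[string]

    # Decode the delegation mode from the AD attributes:
    #   TrustedForDelegation = $true        -> unconstrained ("any service"), what the thread moved away from
    #   msDS-AllowedToDelegateTo populated  -> constrained ("specified services only")
    #   TrustedToAuthForDelegation = $true  -> "Use any authentication protocol" (protocol transition)
    #   otherwise                           -> "Use Kerberos only" when constrained, or no delegation at all
    $allowedTo = @($acct.'msDS-AllowedToDelegateTo')
    $mode = if ($acct.TrustedForDelegation) { 'Unconstrained' }
            elseif ($allowedTo.Count -gt 0 -and $acct.TrustedToAuthForDelegation) { 'Constrained-AnyProtocol' }
            elseif ($allowedTo.Count -gt 0) { 'Constrained-KerberosOnly' }
            else { 'None' }

    if ($mode -eq 'Unconstrained') {
        $findings.Add('Unconstrained delegation: the account may impersonate callers to any service; restrict it to specified services.')
    }
    if ($mode -eq 'None') {
        $findings.Add('No delegation configured: the middle tier cannot forward the caller identity to SQL Server.')
    }
    if ($acct.AccountNotDelegated) {
        $findings.Add('AccountNotDelegated is set on the account; the KDC will refuse delegation.')
    }

    # Each required SPN must be on this account and on no other object: a duplicate SPN
    # leaves the KDC unable to choose a key, which typically degrades logons to NTLM.
    foreach ($spn in $RequiredSpns) {
        if ($acct.ServicePrincipalName -notcontains $spn) { $findings.Add("Missing SPN: $spn") }
        $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
        if ($owners.Count -gt 1) { $findings.Add("Duplicate SPN $spn on: $($owners.Name -join ', ')") }
    }

    foreach ($target in $RequiredDelegationTargets) {
        if ($allowedTo -notcontains $target) { $findings.Add("Delegation target not allowed: $target") }
    }

    [pscustomobject]@{
        Account        = $acct.SamAccountName
        DelegationMode = $mode
        AllowedTo      = $allowedTo
        Spns           = @($acct.ServicePrincipalName)
        Findings       = $findings.ToArray()
        Pass           = ($findings.Count -eq 0)
    }
}

# Usage with the names from the thread; FQDNs, SQL port and SPN form are assumptions.
Test-ServiceAccountDelegation -SamAccountName 'navservice' `
    -RequiredSpns @('HTTP/navsrv', 'HTTP/navsrv.domain.local') `
    -RequiredDelegationTargets @('MSSQLSvc/devsqlsrv.domain.local:1433') |
    Format-List
```

A result of Pass = $true with DelegationMode = Constrained-KerberosOnly corresponds to the configuration the accepted answer describes; any other mode, a missing or duplicated SPN, or a missing delegation target is listed under Findings so the check can be run again after each change.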
Looking at the packet capture, the Kerberos Realm is "Null" when using Chrome, and when using IE, it shows a TGS Request with my username, etc. Totally different Kerberos behavior.
Looking at procxp and tcpview, I don't see any connections back to itself.
I am seeing this after enabling Kerberos logging:
A Kerberos Error Message was received:
on logon session
Client Time:
Server Time: 17:6:42.0000 2/2/2018 Z
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc00000bb KLIN(0)
Client Realm:
Client Name:
Server Realm: DOMAIN.local
Server Name: navservice@DOMAIN.local
Target Name: navservice@DOMAIN.local@DOMAIN.local
Error Text:
File: 9
Line: eff
Error Data is in record data.
I'm wondering if it's reason #4 under KDC_ERR_BADOPTION from here:
blogs.technet.microsoft.com/.../kerberos-errors-in-network-captures
But, the navservice account is not limited to constrained delegation.
Yes, as I mentioned in my initial post, the HTTP/Server SPNs are registered to the DOMAIN\navservice account. Also, Internet Explorer works already -- it's just Chrome and .NET services/programs that fail.
Check this link and reply from Gaspode
Yes, Chrome uses IE/Window's Internet Options and I added it there, but it did not work.
Did you add the URL to the trusted websites under Chrome and then access it?
We do not get the error while accessing it from IE, but we do with Chrome and other applications. As I mentioned before, for testing -- if we access the web service with IE, it works for Chrome for around 15-30 minutes then stops working again until we access it with IE again.
SSL is set to false and so is "WebServicesUseNTLMAuthentication"
When you are getting that error, are you accessing the service from IE or from the application? Check if the web services SSL is set to false and NTLM is enabled in the CustomSettings.config file.