I am having a strange issue with the NAV 2018 Web Client. It's working fine for a couple of days and then I always get this error in the event log of the web server:
This is what the user sees in the browser:
It looks like delegation stops working at a certain moment in time.
I am running multiple versions / builds of the web client on the same IIS. Maybe that's the cause?
I have enabled delegation for the machine account on which the IIS runs:
Does anyone have an idea?
Thanks in advance
Having exactly the same problem.
Does it work if you use the IP address?
We have seen a similar problem when using Kerberos delegation to access SQL Server (although not in a NAV context).
In our case the problem always starts 10 hours after the first successful request.
10 hours is the default Kerberos ticket validity period on Windows.
It seems that the ability to automatically renew tickets that are within the renew period was somehow removed by the March 12 security updates for Windows.
I had the issue again yesterday. I reviewed all delegation-related settings and I found out that the SPN for my NAV service/account/port was no longer present. So this could be the reason. There are several NAV services (different versions, different builds) on my NAV server and they are all using the same account. I will now create a separate NAV account for the NAV service on which the web client is linked. I hope that's the solution, but time will tell ;-).
Anyway, thanks for the suggestions.
How do you manage to run multiple versions / builds of the web client on the same IIS?
I didn't get it...
Mostly this is because you are using port sharing, and in this case, if you stop one service, it will remove the SPNs, and because your services have the same server name, port and user, it will have an effect on the other running services until you start/restart one of them again (to create the SPNs again). This is the reason not to use port sharing on production environments. Just using a different account will lead to duplicate SPNs (same service, different account), which will not work for Kerberos, which needs a unique combination of Service and Account. Service is defined as servername AND port.
Many thanks for your valuable reply. It makes sense. I'll try it right away.
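An added example, not written by anyone in this thread: a PowerShell check for the two SPN conditions discussed above, an expected SPN that is no longer registered and the same SPN registered on more than one account. The account names, host name, ports and SPN strings (including the `DynamicsNAV` service class) are constructed sample data, and `Test-SpnInventory` is a hypothetical helper.

```powershell
# Constructed inventory of Account/SPN pairs, in the shape you would collect
# by running `setspn -L <account>` for each service account. All values are made up.
$inventory = @(
    [pscustomobject]@{ Account = 'CONTOSO\svc-nav';    Spn = 'DynamicsNAV/navsrv01.contoso.local:7046' }
    [pscustomobject]@{ Account = 'CONTOSO\svc-navweb'; Spn = 'DynamicsNAV/navsrv01.contoso.local:7046' }
    [pscustomobject]@{ Account = 'CONTOSO\svc-nav';    Spn = 'DynamicsNAV/navsrv01.contoso.local:7146' }
)

# SPNs the running service tiers need, one per server name and port (constructed).
$expected = @(
    'DynamicsNAV/navsrv01.contoso.local:7046'
    'DynamicsNAV/navsrv01.contoso.local:7146'
    'DynamicsNAV/navsrv01.contoso.local:7246'
)

function Test-SpnInventory {
    param(
        [Parameter(Mandatory)] [object[]] $Inventory,
        [Parameter(Mandatory)] [string[]] $Expected
    )
    # SPN matching is case-insensitive, so normalise before grouping.
    $bySpn = @($Inventory | Group-Object { $_.Spn.ToLowerInvariant() })

    # Same SPN on more than one account: Kerberos cannot pick a single owner.
    foreach ($g in $bySpn) {
        $accounts = @($g.Group.Account | Sort-Object -Unique)
        if ($accounts.Count -gt 1) {
            [pscustomobject]@{ Spn = $g.Name; Finding = 'Duplicate'; Accounts = $accounts -join ', ' }
        }
    }

    # Expected SPN registered on no account, e.g. removed when a service sharing it stopped.
    $present = @($bySpn.Name)
    foreach ($spn in $Expected) {
        if ($present -notcontains $spn.ToLowerInvariant()) {
            [pscustomobject]@{ Spn = $spn; Finding = 'Missing'; Accounts = '' }
        }
    }
}

Test-SpnInventory -Inventory $inventory -Expected $expected | Format-Table -AutoSize
```

With the sample data this reports port 7046 as a duplicate across two accounts and port 7246 as missing. On a domain-joined host, `setspn -X` searches the directory for duplicate SPNs directly.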