Currently, our NAV server is 2-tier with the SQL database residing on the same server as the application/services. Now we're breaking it out to have the database be on a 3rd tier. We're first testing moving our DEV database to a DEV SQL server. But, so far we've been unable to make that happen due to issues with the web services and impersonation.
When we try to connect to the web services, we get the error: "The login failed when connecting to SQL Server DEVSQLSRV". When looking in the log on the SQL server's Windows event log, it shows Anonymous authentication from the NAV server. In the same event, it shows "Package Name (NTLM only): NTLM V1". But, when testing with SQLCMD (see below), it connects with Kerberos from the NAV Server using the NAV server service.
The NAV RTC and Classic client seem to work fine. So it really seems like I'm missing some configuration with the web service. But, not sure exactly what.
Also, the web service works with Internet Explorer -- but nothing else -- and if I go to it with Internet Explorer first, then other browsers work until it times out. Obviously this won't work for services that rely on the web services.
The URL we're testing it with: navsrv.domain.local/.../Services
Below is our setup:
NAV Server Setup (NAVSRV):
SQL Server Setup (DEVSQLSRV)
What are we missing?
The service user which is running the NAV Web Services service needs to have the permissions. Is the NAV Web Service using the same navservice account?
Yes, all NAV services are running under the same domain user.
In NAV 2009 there will be a separate service for the web services. Is that running under the same user?
Yes, the services all running under "DOMAIN\navservice" are:
When are you getting that error: while accessing the service from IE or from an application? Check if the web services SSL is set to false and NTLM is enabled in the CustomSettings.config file.
We do not get the error while accessing it from IE, but we do with Chrome and other applications. As I mentioned before, for testing -- if we access the web service with IE, it works for Chrome for around 15-30 minutes then stops working again until we access it with IE again.
SSL is set to false and so is "WebServicesUseNTLMAuthentication"
Did you add the URL to the trusted websites under Chrome and then access it?
Yes, Chrome uses IE/Windows Internet Options and I added it there, but it did not work.
Check this link and reply from Gaspode
Yes, as I mentioned in my initial post, the HTTP/Server SPNs are registered to the DOMAIN\navservice account. Also, Internet Explorer works already -- it's just Chrome and .NET services/programs that fail.
I am seeing this after enabling Kerberos logging:
A Kerberos Error Message was received:
 on logon session
 Client Time:
 Server Time: 17:6:42.0000 2/2/2018 Z
 Error Code: 0xd KDC_ERR_BADOPTION
 Extended Error: 0xc00000bb KLIN(0)
 Client Realm:
 Client Name:
 Server Realm: DOMAIN.local
 Server Name: navservice@DOMAIN.local
 Target Name: navservice@DOMAIN.local@DOMAIN.local
 Error Text:
 File: 9
 Line: eff
 Error Data is in record data.
I'm wondering if it's reason #4 under KDC_ERR_BADOPTION from here:
But, the navservice account is not limited to constrained delegation.
Looking at procxp and tcpview, I don't see any connections back to itself.
Looking at the packet capture, the Kerberos Realm is "Null" when using Chrome, and when using IE, it shows a TGS Request with my username, etc. Totally different Kerberos behavior.
The issue was the unconstrained delegation. It has to be constrained. Once I defined the services with "Trust this computer for delegation to specified services only", "Use Kerberos Only" and specified the services, it all worked.
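The resolution above turns on which delegation mode the service account is in. As an added example (not part of the original thread), the PowerShell below classifies an account's delegation mode from its `userAccountControl` flags and `msDS-AllowedToDelegateTo` list; the function name `Get-DelegationMode`, the sample records and the SPN placeholder are assumptions made for illustration.

```powershell
# Added example: classify Kerberos delegation mode from AD attributes.
# Flag values are the documented userAccountControl bits.
$TRUSTED_FOR_DELEGATION         = 0x80000    # delegation to any service (unconstrained)
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol"

function Get-DelegationMode {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [int]$UserAccountControl,
        [string[]]$AllowedToDelegateTo = @()
    )
    # The unconstrained flag wins: the account can delegate to any service.
    if ($UserAccountControl -band $TRUSTED_FOR_DELEGATION) {
        return 'Unconstrained'
    }
    # A populated msDS-AllowedToDelegateTo list means constrained delegation.
    if ($AllowedToDelegateTo.Count -gt 0) {
        if ($UserAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION) {
            return 'Constrained (any authentication protocol)'
        }
        return 'Constrained (Kerberos only)'
    }
    return 'None'
}

# Constructed sample records (not real directory data); the SPN is a placeholder.
$samples = @(
    [pscustomobject]@{ Name = 'unconstrained';  UAC = (0x200 -bor 0x80000); SPNs = @() },
    [pscustomobject]@{ Name = 'kerberos-only';  UAC = 0x200; SPNs = @('MSSQLSvc/<sql-host>:<port>') },
    [pscustomobject]@{ Name = 'any-protocol';   UAC = (0x200 -bor 0x1000000); SPNs = @('MSSQLSvc/<sql-host>:<port>') },
    [pscustomobject]@{ Name = 'no-delegation';  UAC = 0x200; SPNs = @() }
)

foreach ($s in $samples) {
    $mode = Get-DelegationMode -UserAccountControl $s.UAC -AllowedToDelegateTo $s.SPNs
    '{0,-15} {1}' -f $s.Name, $mode
}

# Live use (requires the ActiveDirectory module and read access to the account):
# $a = Get-ADUser navservice -Properties userAccountControl, 'msDS-AllowedToDelegateTo'
# Get-DelegationMode -UserAccountControl $a.userAccountControl `
#     -AllowedToDelegateTo $a.'msDS-AllowedToDelegateTo'
```

The "Trust this computer for delegation to specified services only" plus "Use Kerberos Only" setting described in the post corresponds to the `Constrained (Kerberos only)` result.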