RS First Dynamics NAV Blog

...from NAV 3.60 to NAV 2013
Dynamics NAV 2009 and additional SPNs

> Are any additional SPNs required for additional webservice instances, running under the same account, on the same server? (Assume port sharing, if this matters.)

No. Because SPN uniqueness is defined by the protocol name, address (and sometimes port) and account, you do not need a new SPN if all of these are the same.

Chain of trust

If you need to pass Kerberos authentication between services, you need to build the chain correctly. Every service in the chain must have the correct SPN registered on the correct account. Then you need to set some additional properties on the domain account that will pass the authentication on to other services. In the case of NAV, this means you need to allow the account under which the NAV server is running to pass the authentication to the SQL Server. But I think this is the easiest step. Open the properties of the account in the “Active Directory Users and Computers” MMC snap-in. There you will find the new “Delegation” tab, on which you set the services to which this account may delegate authentication. You can set it to “all services” or only to specific ones. Because this is easy to set (you just select the specific server and pick the correct service from the list of all services registered on that server), I will not go deeper into this. But do not skip this step, or it will not work…


> Dynamics NAV server instance name TESTNAV on server NAVSERVER.contoso.local under “Network service” (incl. webservices)

> SQL Server running on SQLSERVER.contoso.local under “contoso\SQLServer” account.

> We are using both naming conventions to connect to the servers, FQDN and NetBios names.

Needed SPNs for NAV Server:

setspn -A TESTNAV/NAVSERVER.contoso.local:7046 contoso\navserver$

setspn -A TESTNAV/NAVSERVER:7046 contoso\navserver$

SPNs for NAV WebService:

setspn -A HTTP/NAVSERVER.contoso.local contoso\navserver$

setspn -A HTTP/NAVSERVER contoso\navserver$

SPN for SQL:

setspn -A MSSQLSvc/SQLSERVER.contoso.local:1433 contoso\SQLServer

setspn -A MSSQLSvc/SQLSERVER:1433 contoso\SQLServer

Delegation settings:

The “contoso\navserver$” account must have either “Trust this computer for delegation to any service (Kerberos only)” enabled, or “Trust this computer for delegation to specified services only” enabled with the MSSQLSvc service on SQLServer selected as a trusted service.
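
To check the result of the steps above, the following PowerShell audit (an added example, not part of the original post) verifies that each SPN from the example is registered exactly once on the expected account and reports the delegation settings of the NAV server's computer account. It assumes the ActiveDirectory module (RSAT) is installed and uses the post's contoso.local names.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module (RSAT).
# Account and SPN names are the contoso.local values from the post's example.
Import-Module ActiveDirectory

$expected = @{
    'NAVSERVER$' = @('TESTNAV/NAVSERVER.contoso.local:7046', 'TESTNAV/NAVSERVER:7046',
                     'HTTP/NAVSERVER.contoso.local', 'HTTP/NAVSERVER')
    'SQLServer'  = @('MSSQLSvc/SQLSERVER.contoso.local:1433', 'MSSQLSvc/SQLSERVER:1433')
}

# 1. Every SPN must be registered on exactly one account, and on the right one.
#    A duplicate SPN makes Kerberos ticket requests for that service fail.
foreach ($account in $expected.Keys) {
    foreach ($spn in $expected[$account]) {
        # Searches the current domain only; query a global catalog in a multi-domain forest.
        $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName)
        if ($owners.Count -eq 0) {
            Write-Output "MISSING    $spn (expected on $account)"
        } elseif ($owners.Count -gt 1) {
            Write-Output "DUPLICATE  $spn on $($owners.sAMAccountName -join ', ')"
        } elseif ($owners[0].sAMAccountName -ne $account) {
            Write-Output "WRONG ACCT $spn on $($owners[0].sAMAccountName), expected $account"
        } else {
            Write-Output "OK         $spn on $account"
        }
    }
}

# 2. Delegation settings on the NAV server's computer account (the "Delegation" tab).
$nav = Get-ADComputer -Identity 'NAVSERVER' -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo'
$targets = @($nav.'msDS-AllowedToDelegateTo')

if ($nav.TrustedForDelegation) {
    # "Any service" works for NAV, but it lets this host act as its users toward every
    # service in the domain; "specified services only" limits that to the SQL Server.
    Write-Output 'WARN  delegation to any service is enabled; consider "specified services only"'
}
foreach ($spn in $expected['SQLServer']) {
    if ($targets -contains $spn) {
        Write-Output "OK    may delegate to $spn"
    } elseif (-not $nav.TrustedForDelegation) {
        Write-Output "FAIL  not allowed to delegate to $spn"
    }
}
```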

 by Kine Blog

Saturday, 12 Jan 2013, 22:50
