Much like the setup of the RTC/NAV Server connection in NAV 2009. NAV 2009 Web Services needs to have a SPN added to properly authentic the users accessing it.
Consider the following scenario in Microsoft Dynamics NAV 2009. You have just completed the “Installing the Three Tiers on Three Computers” walkthrough. The NAV Role Tailored Client (RTC) is working. You have started the Microsoft Dynamics NAV Business Web Services service. When you attempt to view a Web Service URL in a web browser from a client machine you receive a login prompt. If you try to login, you are prompted three times before the process is stopped. An example of possible Web Service URLs is:
Note xxx is the server name of the Service Tier. This also assumes that you are using the default port (7047) and default service name (DynamicsNAV).
This problem occurs because a Service Principal Name (SPN) has not been added to the domain user account running the Microsoft Dynamics NAV Business Web Services service for the HTTP service, which is the normal service name used by web services.
In order to eliminate the login prompts and allow authorized users to view the Web Services URL, you need to add the following SPNs to the domain user account running the Microsoft Dynamics NAV Business Services service.
Now, I’m sure you all know if you use the ADSI Edit snap-in, or another utility such as the LDP or LDAP 3 utilities to incorrectly modify attributes to AD objects you could seriously mess up the AD, so be careful. Also, you need to be a domain admin to make the following changes.
To add the SPNs from a domain server, follow these steps:
- Click Start, click Run, type Adsiedit.msc, and then click OK.
Note The ADSIEdit tool is included in the Windows Server 2003 Support Tools. If you are using Windows Server 2008 the ADSIEdit tool will already be installed. To obtain the Windows Server 2003 Support Tools, visit the following Microsoft Web site: http://www.microsoft.com/downloads/details.aspx?familyid=6EC50B78-8BE1-4E81-B3BE-4E7AC4F0912D&displaylang=en
- In the ADSI Edit snap-in, expand Domain [DomainName], expand DC= RootDomainName, expand CN=Users, right-click CN= AccountName , and then click Properties. If you are on a server running Windows Server 2008, you may need to first connect and bind to an instance.
DomainName is a placeholder for the name of the domain.
RootDomainName is a placeholder for the name of the root domain.
AccountName is a placeholder for the account that you specify to start the NAV Server service.
If you specify a domain user account to start the NAV Server service, AccountName is a placeholder for the domain user account.
- In the Properties dialog window locate the servicePrincipalName attribute and double click it to open the Editor Dialog window.
- Using the following format enter the following two SPNs individually. Click the Add button to add each SPN.
- When finished, click OK, and then OK. Finally close the ADSI Edit window.
Since Kerberos ticket usually expire after 10 hours, you may need to purge the current Kerberos tickets from client machine before the setup of the Microsoft Dynamics NAV Outlook Add-in can be completed in Microsoft Outlook.
With Kerbtray.exe, you can easily verify or remove (or both) Kerberos tickets from any of the associated computers that are being used. To download the Kerbtray utility, visit the following Microsoft Web site:
Scott Wright (scowri)
Microsoft Dynamics NA
Microsoft Customer Service and Support (CSS) North America