Double impersonation within a three tier environment and the SMTP Server setup in Microsoft Dynamics NAV

Not that long ago I was involved in a very interesting escalation: in a three tier environment it was not possible to send out E-mails via CU400 (SMTP Mail) with NTLM authentication when using the Role Tailored Client against Exchange Server 2007 / 2010. When using the CSIDE Client, everything worked perfectly. The cause is that in a three tier environment the Role Tailored Client does not talk to Exchange itself; it hands the request to the NST box, which impersonates the user and then has to authenticate to Exchange on that user's behalf. From a technical point of view a second hop, some sort of double impersonation, has to take place. The token the NST holds for the impersonated user carries no credentials of its own, so the NTLM authentication to Exchange from the NST box ends up as an anonymous session, which is exactly what the Exchange event log further down shows.

The solution is easy to implement, but let me first explain the scenario I worked on. For the test I used the Document Approval scenario, which sends its notifications through CU400. Before describing the scenario itself, I reviewed the following patches for SMTP:

2499881    You cannot configure the TLS settings for SMTP communication in Microsoft Dynamics NAV 2009
https://mbs.microsoft.com/knowledgebase/KBDisplay.aspx?scid=kb;EN-US;2499881

2345735    You cannot change the default port for SMTP Communication in Microsoft Dynamics NAV
https://mbs.microsoft.com/knowledgebase/KBDisplay.aspx?scid=kb;EN-US;2345735

2479702    The email message body is incorrect when you create an email message by using the AppendBody method in Microsoft Dynamics NAV 2009 Service Pack 1
https://mbs.microsoft.com/knowledgebase/KBDisplay.aspx?scid=kb;EN-US;2479702

2280492    Attachments are not released until the Microsoft Dynamics NAV client is closed when you use the SMTP Mail codeunit (400) to send email messages that have attachments
https://mbs.microsoft.com/knowledgebase/KBDisplay.aspx?scid=kb;EN-US;2280492

2516144    You receive malformed email messages if you use a specific version 7 release of the Microsoft.Navision.Mail.dll file in Microsoft Dynamics NAV 2009
https://mbs.microsoft.com/knowledgebase/KBDisplay.aspx?scid=kb;EN-US;2516144

1. install Exchange 2007 SP1 on Windows Server 2008 R2
2. install SQL Server 2008 R2 on Windows Server 200x R2
3. install ServiceTier + RTC on Windows Server 2008 R2
4. install CC and RTC on Windows 7

NOTE: for the test all relevant Windows Updates, the latest service packs and the latest builds of Dynamics NAV were installed

5. create a new account called NAVSRV which will be used to start up SQL / NST
6. configure Document Approval according to the attached PPT

NOTE: for the test we primarily use the accounts Susan, NAVSrv and Kevin (a newly created Salesperson)
NOTE: for the test all user accounts are SUPER users in Dynamics NAV, Local Administrators on all machines involved and members of Domain Admins. This rules out permission problems while reproducing the issue; it is a lab shortcut and not a configuration to copy into production, where the service account in particular should hold only the rights it needs.
NOTE: the following machine names are being used:

=> EX2K7-1 : Exchange 2007 SP3
=> WIN2K3-3 : SQL 2008 R2
=> WIN2K3-4 : NST + RTC
=> WIN7-2 : CC + RTC

NOTE: the following SPNs were registered on the NAVSrv user account:

userPrincipalName: navsrv@mels.com
servicePrincipalName: MSSQLSvc/win2k3-3.mels.com:1433
servicePrincipalName: MSSQLSvc/win2k3-3.mels.com
servicePrincipalName: http/WIN2K3-4.mels.com
servicePrincipalName: http/WIN2K3-4
servicePrincipalName: DynamicsNAV/WIN2K3-4:7046
servicePrincipalName: DynamicsNAV/WIN2K3-4.mels.com:7046

NOTE: the following delegation was set up for the NAVSrv account:

Trust this user for delegation to specified services only:

– Use any authentication protocol

MSSQLSvc win2k3-3.mels.com 1433

NOTE: only the SQL Server service is in the delegation list; no service on EX2K7-1 is, which matters for the errors later on.
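The SPN and delegation setup above, scripted so it can be repeated and verified. This is an added example and not part of the original post; it assumes the domain is mels.com with NetBIOS name MELS, the account has sAMAccountName navsrv, and it is run from an elevated prompt by a member of Domain Admins on a domain-joined machine.

```powershell
# Added example, not part of the original post: register the SPNs listed above
# on the NAVSrv account and read back its constrained-delegation settings.
# Assumptions: domain mels.com (NetBIOS MELS), account sAMAccountName navsrv,
# elevated prompt, run by a member of Domain Admins on a domain-joined box.

$account = 'MELS\navsrv'

# SQL Server on WIN2K3-3 (port 1433) and the NAV Service Tier on WIN2K3-4 (port 7046),
# exactly the SPNs listed in the post.
$spns = @(
    'MSSQLSvc/win2k3-3.mels.com:1433',
    'MSSQLSvc/win2k3-3.mels.com',
    'http/WIN2K3-4.mels.com',
    'http/WIN2K3-4',
    'DynamicsNAV/WIN2K3-4:7046',
    'DynamicsNAV/WIN2K3-4.mels.com:7046'
)

foreach ($spn in $spns) {
    # -S refuses to add a duplicate; the same SPN on two accounts breaks Kerberos for both.
    setspn -S $spn $account
}

# Read the account back over LDAP (no Active Directory module needed on 2008 R2 / Windows 7).
$searcher = [ADSISearcher]'(&(objectCategory=user)(sAMAccountName=navsrv))'
$searcher.PropertiesToLoad.AddRange(@('servicePrincipalName', 'msDS-AllowedToDelegateTo', 'userAccountControl'))
$result = $searcher.FindOne()

# userAccountControl bit 0x1000000 = TRUSTED_TO_AUTH_FOR_DELEGATION, i.e. the
# "Use any authentication protocol" option (protocol transition) on the Delegation tab.
$uac = [int]$result.Properties['useraccountcontrol'][0]
$protocolTransition = ($uac -band 0x1000000) -ne 0

"Registered SPNs:"
$result.Properties['serviceprincipalname']
"Use any authentication protocol: $protocolTransition"
"Allowed to delegate to (msDS-AllowedToDelegateTo):"
$result.Properties['msds-allowedtodelegateto']
```

In this lab the last list contains only the MSSQLSvc entries for win2k3-3.mels.com and nothing for EX2K7-1. That is the constraint behind the errors below: the NST may present Susan's identity to SQL Server, but not to Exchange, so an SMTP session opened from the NST box on her behalf arrives at Exchange as NT AUTHORITY\ANONYMOUS LOGON.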

7. follow MSDN to ensure the three tier environment is configured correctly

Test:
=> start up RTC on Windows 7 using user account Susan [OK]

8. review the above mentioned patches for SMTP and modify the code where needed
9. run the following command against build v7.03.1 of the assembly:

regasm /codebase microsoft.navision.mail.dll /tlb:microsoft.navision.mail.tlb
10. compile the non compiled objects
11. configure SMTP Mail Setup (used by CU400) with the following values:

SMTP Server: EX2K7-1
Authentication: NTLM
Port: 25

12. start the Exchange 2007 Management Console and create a new Receive Connector, to do so follow these steps:

=> select Microsoft Exchange / Server Configuration / Hub Transport
=> select an empty area under button Receive Connectors and right click, New Receive Connector

13. configure the newly created connector with the following values:

General tab:
=> Name: CRM Connector
=> FQDN: mail.mels.com

Network tab:
=> local IP address of EX2K7-1, port 25
=> remote IP address of WIN2K3-4
=> Authentication: Integrated Windows Authentication

Permissions Groups:
=> Exchange servers

14. create a new Send Connector, to do so, follow these steps:
=> select Microsoft Exchange / Organization Configuration / Hub Transport
=> select Send Connectors
=> select an empty area under button Send Connectors and right click, New Send Connector

15. configure the newly created connector with the following values:

General tab:
=> Name: SMTP Send connector
=> Address Space: SMTP, address * (cost 1)

Network tab:
=> Route mail through the following smart hosts
=> Smarthost: IP address of remote Exchange 2003 server (not part of this test)

Source Server tab:
EX2K7-1 Default-First-Site-Name Mailbox, Client Access, Hub Transport

Test:
=> log on to WIN7-2 with user account Susan using CC and create a Purchase Quote so that an approval request needs to be done (> 5000)
=> the approval request is created and an E-mail is sent to Kevin

Test:
=> log on to WIN7-2 with user account Susan using RTC and create a Purchase Quote so that an approval request needs to be done (> 5000)

Error on the client:

The SMTP mail system returned the following error: The SMTP server requires a secure connection or the client was not authenticated. The server response was: 5.7.1 Client was not authenticated.

Error on EX2K7-1 application event log file:
The account ‘NT AUTHORITY\ANONYMOUS LOGON’ provided valid credentials, but is not authorized to use the server; failing authentication

NOTE: these errors are well known and described in the Exchange 2007 Transport whitepaper (http://www.microsoft.com/download/en/details.aspx?id=975):

530 5.7.1 Client was not authenticated

The sender specified in the MAIL FROM field of the SMTP protocol doesn’t have permission to submit to this server. The ms-Exch-SMTP-Submit permission must be granted to the sender.

16. add extended permissions to the newly created connector:

Get-ReceiveConnector "CRM Connector" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Submit"

Test:
=> log on to WIN7-2 with user account Susan using RTC and create a Purchase Quote so that an approval request needs to be done (> 5000)

Error on the client (described in the whitepaper):
550 5.7.1 Client does not have permission to send as this sender

The sender specified in the MAIL FROM field of the SMTP protocol conversation is an address in an authoritative domain. However, the session doesn’t have the ms-Exch-SMTP-Accept-Authoritative-Domain-Sender permission. This might occur if a message was submitted from the Internet to an Edge Transport server from a sender address for which the Exchange organization is authoritative.

17. add extended permissions to the newly created connector:

Get-ReceiveConnector "CRM Connector" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Authoritative-Domain-Sender"

Test:
=> log on to WIN7-2 with user account Susan using RTC and create a Purchase Quote so that an approval request needs to be done (> 5000)

Error on the client (described in the whitepaper):
550 5.7.1 Unable to relay

The recipient domain to which the message is addressed isn’t within any of the accepted domains defined for this organization. Also, the session doesn’t have the ms-Exch-SMTP-Accept-Any-Recipient permission.

18. add extended permissions to the newly created connector:

Get-ReceiveConnector "CRM Connector" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

Test:
=> log on to WIN7-2 with user account Susan using RTC and create a Purchase Quote so that an approval request needs to be done (> 5000)
=> the approval request is created and an E-mail is sent to Kevin
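Steps 12 to 18 done from the Exchange Management Shell on EX2K7-1 instead of the console, followed by the check a practitioner will want afterwards: which receive connectors now let anonymous sessions relay, and from where. This is an added example, not part of the original post or of KB 2618652. Assumed values are the addresses 192.168.1.10 (EX2K7-1) and 192.168.1.20 (WIN2K3-4); the extended-right names are the ones used in the whitepaper text quoted above.

```powershell
# Added example, not part of the original post: steps 12 to 18 in the Exchange
# Management Shell on EX2K7-1, then an audit of every receive connector on which
# anonymous sessions may relay.
# Assumed values: 192.168.1.10 is the local address of EX2K7-1, 192.168.1.20 is WIN2K3-4.

$connector  = 'CRM Connector'
$exchangeIp = '192.168.1.10'   # local binding on EX2K7-1 (assumed)
$nstIp      = '192.168.1.20'   # the only remote host allowed on this connector (assumed)
$anon       = 'NT AUTHORITY\ANONYMOUS LOGON'

# Steps 12/13: Integrated Windows Authentication, Exchange servers permission group,
# listening on port 25 and reachable from the NST box only.
New-ReceiveConnector -Name $connector -Server 'EX2K7-1' -Usage Custom `
    -Bindings "${exchangeIp}:25" -RemoteIPRanges $nstIp -Fqdn 'mail.mels.com' `
    -AuthMechanism Integrated -PermissionGroups ExchangeServers

# Steps 16 to 18 in one call. Together these rights let an unauthenticated session
# submit mail, use an internal sender address and relay to any recipient.
$rights = @(
    'ms-Exch-SMTP-Submit',
    'ms-Exch-SMTP-Accept-Authoritative-Domain-Sender',
    'ms-Exch-SMTP-Accept-Any-Recipient'
)
Get-ReceiveConnector $connector | Add-ADPermission -User $anon -ExtendedRights $rights

# Audit: connectors that grant ANONYMOUS LOGON the relay right, with the remote
# ranges allowed to reach them. Any range wider than the NST box is an open relay.
Get-ReceiveConnector | ForEach-Object {
    $rc = $_
    $relay = $rc | Get-ADPermission -User $anon | Where-Object {
        @($_.ExtendedRights | ForEach-Object { "$_" }) -contains 'ms-Exch-SMTP-Accept-Any-Recipient'
    }
    if ($relay) {
        New-Object PSObject -Property @{
            Connector      = "$($rc.Identity)"
            RemoteIPRanges = (@($rc.RemoteIPRanges | ForEach-Object { "$_" }) -join ', ')
        }
    }
}
```

The audit should list CRM Connector with 192.168.1.20 and nothing else. Step 19 below works for exactly this reason: once these rights are in place the connector no longer cares who is talking, as long as the session comes from WIN2K3-4, so any process on the NST box can send as any internal address to any recipient. Keep RemoteIPRanges to that one host, and remove the grants again once the CU400 change is in place.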

19. change SMTP Mail Setup in Dynamics NAV to Anonymous

Test:
=> log on to WIN7-2 with user account Susan using RTC and create a Purchase Quote so that an approval request needs to be done (> 5000)
=> the approval request is created and an E-mail is sent to Kevin

NOTE: when the RTC is run on the NST box itself under the NAVSrv account, switching between Anonymous and NTLM produces the expected behavior: one setting is rejected with 530 5.7.1 Client was not authenticated and the other sends the mail without error. The problem only appears when the user running the RTC differs from the account the NST runs under.

Along the way we had quite a lot of fun while testing. If you run into this kind of scenario, the way to fix it is in the code of CU400: instruct the RTC to contact the Exchange Server directly instead of via the NST box (in C/AL the OnClient parameter of CREATE makes an Automation object run on the client rather than on the service tier). The SMTP session then originates from the client machine and is authenticated as the logged-on user, so the anonymous permissions on the receive connector are no longer needed and the Role Tailored Client behaves the same as the CSIDE Client. The change is documented in:
2618652 Double impersonation and the SMTP Server setup in Dynamics NAV
http://support.microsoft.com/kb/2618652

Regards,

Marco Mels
CSS EMEA

This posting is provided “AS IS” with no warranties, and confers no rights