Whenever there is a problem with a NAV 3-tier setup, typically we check the same usual things to begin with (SPNs, Delegation, NAV Service account, etc).
Below is a link to a PowerShell script that collects some of this information for you. So rather than logging on to a customer’s NAV Server, then Domain Controller, then looking around in Services, ADSIEdit, Users and Computers, etc, just run the script and it collects most of the usual information in txt files.
There is also the situation where you can’t access the remote system that you need to troubleshoot. In that case, explaining to a local admin what information you want them to look up can easily become a very long email and/or phone call. Instead, just ask them to run the script and send the results back.
The script collects AD-information specific to setting up NAV Server in 3-tier, which means SPNs, NAV Service information, Delegation permissions and more. In best cases (and with a bit of luck!) it collects enough information to pinpoint where a problem might be. In worst cases, at least it gives you an overview of what accounts and permissions are involved, so when you proceed to troubleshoot further, at least you have some ideas of the basic setup.
How it works
You must run the script from the machine where NAV Server is running.
Copy the script from the link below into a new folder, for example C:\NAVCheck\.
Open a PowerShell Command prompt and move into this folder (CD C:\NAVCheck).
Give your PowerShell Command prompt access to execute scripts:
Set-ExecutionPolicy Unrestricted
Run the script.
The user running the script must of course be allowed to log on to the NAV Server, but they do not need to be a Domain Admin.
What it collects
The script creates a subfolder called “Results”. This folder contains the following:
- A subfolder for each NAV Server on the machine. This subfolder contains CustomSettings.config and a txt file with a file list of files and versions in that folder.
- A Txt file with an overview of what NAV Servers are installed as services on the machine, and which user account each service is running under.
- Two Txt files for each user that is identified as running a NAV Service. These files contain the following information for that user:
  - SPNs
  - UserAccountControl
  - msDS-AllowedToDelegateTo
- SetSPNX.txt (check for duplicate SPNs on the domain).
What to check
Check “SetSPNX.txt” first. A common issue is that the domain has duplicate SPNs created for different accounts. This is also an easy check you can do by just running “SetSPN -x” from a command prompt from any machine on the domain. Any duplicate SPNs must be resolved.
What SPNs are created for the user running the NAV Server (if any!).
UserAccountControl is a hash value that shows the user account properties, including “TRUSTED_FOR_DELEGATION”, “DONT_EXPIRE_PASSWORD”, “PASSWORD_EXPIRED”, and more, which could prevent a NAV 3-tier setup from working. NB: “TRUSTED_FOR_DELEGATION” is set only if the user is set up for unconstrained delegation (allowed to delegate to any service). If the user is set up for constrained delegation, then check msDS-AllowedToDelegateTo. You can use this link to decode the UserAccountControl value.
msDS-AllowedToDelegateTo shows what services the user is allowed to delegate to. Check that at least SQL Server is allowed, and in case of any file shares, also the cifs service (see here for more details on managing network files in RTC).
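The two checks above can also be done offline on the values from the result files. The following is an added example, not part of the linked script: it decodes a UserAccountControl integer with the documented Active Directory bit values and reviews the msDS-AllowedToDelegateTo list. The function name, the sample values and the host name are constructed for illustration.

```powershell
# Documented userAccountControl bit values (subset relevant to this check).
$UacFlags = [ordered]@{
    ACCOUNTDISABLE                 = 0x0002
    NORMAL_ACCOUNT                 = 0x0200
    DONT_EXPIRE_PASSWORD           = 0x10000
    TRUSTED_FOR_DELEGATION         = 0x80000
    NOT_DELEGATED                  = 0x100000
    PASSWORD_EXPIRED               = 0x800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
}

function Test-NavServiceAccount {    # hypothetical helper, not part of the linked script
    param(
        [Parameter(Mandatory)] [int] $UserAccountControl,
        [string[]] $AllowedToDelegateTo = @()
    )
    # A flag is set when its bit survives a bitwise AND with the stored value.
    $set = @($UacFlags.Keys | Where-Object { $UserAccountControl -band $UacFlags[$_] })
    $findings = @()
    foreach ($flag in 'ACCOUNTDISABLE', 'PASSWORD_EXPIRED') {
        if ($set -contains $flag) { $findings += "$flag is set on the service account" }
    }
    if ($set -contains 'TRUSTED_FOR_DELEGATION') {
        $mode = 'Unconstrained'
        $findings += 'Account is trusted to delegate to any service (unconstrained)'
    } elseif ($AllowedToDelegateTo.Count -gt 0) {
        $mode = 'Constrained'
        # SQL Server SPNs use the MSSQLSvc service class; file shares use cifs.
        if (@($AllowedToDelegateTo -like 'MSSQLSvc/*').Count -eq 0) {
            $findings += 'No MSSQLSvc/... entry in msDS-AllowedToDelegateTo'
        }
        if (@($AllowedToDelegateTo -like 'cifs/*').Count -eq 0) {
            $findings += 'No cifs/... entry (only needed if file shares are used)'
        }
    } else {
        $mode = 'None'
        $findings += 'Neither TRUSTED_FOR_DELEGATION nor msDS-AllowedToDelegateTo is set'
    }
    [pscustomobject]@{ Flags = $set; DelegationMode = $mode; Findings = $findings }
}

# Constructed sample: 66048 = 0x10200 = NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD,
# with a single cifs target and no SQL Server target.
Test-NavServiceAccount -UserAccountControl 66048 `
    -AllowedToDelegateTo 'cifs/fileserver01.example.local' | Format-List
```

For the constructed sample, the result reports constrained delegation with a missing MSSQLSvc entry, which is the case where the connection to SQL Server fails while file share access may still work.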
Get the script
The script can be copied / downloaded from here:
Script for NAV 3-tier troubleshooting (PowerShell).
This link also has further instructions and links at the bottom to further resources.
As usual this script is of course supplied “as is” with no support or warranties. If you think that the script could be improved and/or collect different / further information, then please do add comments below.
Lars Lohndorf-Larsen
Dynamics NAV Support EMEA