Enhanced security with Kerberos only authentication in Microsoft Dynamics AX

Versions: AX 2009/2012R2/2012R3 – not 2012RTM/FP

We have added an option to enhance the security of the Microsoft Dynamics AX server/client communication.

By default a mix of Kerberos and NTLM is used. This stays unchanged if you don't set any registry key.

To switch off NTLM authentication in your environment, you now have the option to switch to Kerberos only.

Here is how:

You only need to set the registry key on the server and on the client side in the following tree:

For the server: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dynamics Server\"AX Version"\"instance for AX"\"configuration of the instance"

For the client: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Dynamics\"AX Version"\Configuration\"Name of Configuration"

Key: authn_service (string value) with the value 16

This is the minimum requirement and has to be done for every AOS instance and every client configuration.

For the client you can also make the change via the configuration file by adding the key at the end of the file:

authn_service,text,16

These steps cause the AOS to register an SPN for the instance when the service starts.

Of course, this only works if the AOS service account is allowed to do so.

If not, you have to register the SPN manually (permanently).

If the AOS registered the SPN properly, you should see an entry like the following in the Application event log:

Object Server 01: Authn Service: Kerberos

SPN: 29D16D8E-32D1-433B-B77F-987C2408CEA4/contoso3209.Contoso.com:2712

On the client side you can check whether the client received its Kerberos ticket with the klist tool and the command "klist tickets".

The output should look like:

Server: 29D16D8E-32D1-433B-B77F-987C2408CEA4/contoso3209.contoso.com:2712@contoso.COM

KerbTicket Encryption Type: test contoso WS(NT)

      End Time: 3/31/2014 18:52:04

      Renew Time: 4/1/2014 20:42:
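The whole procedure (set the key, restart the AOS, check the event log entry and the client's ticket cache) as a PowerShell script. This is an added example, not code from the original post or from Microsoft; the AX version, instance number, configuration names, AOS service name and AOS host name are assumptions or placeholders to replace with your own values.

```powershell
# Added example, not part of the original post: enable Kerberos-only
# authentication for one AOS instance and verify the result.
# Version, instance and configuration names are placeholders for your environment.
$AxVersion  = '6.0'                                 # assumption: 6.0 = AX 2012, 5.0 = AX 2009
$Instance   = '01'                                  # placeholder: AOS instance number
$ServerConf = 'Original (installed configuration)'  # placeholder: AOS configuration name
$ClientConf = 'Original (installed configuration)'  # placeholder: client configuration name

$serverKey = "HKLM:\SYSTEM\CurrentControlSet\services\Dynamics Server\$AxVersion\$Instance\$ServerConf"
$clientKey = "HKCU:\SOFTWARE\Microsoft\Dynamics\$AxVersion\Configuration\$ClientConf"

function Set-AxKerberosOnly {
    param([Parameter(Mandatory)][string]$Key)
    if (-not (Test-Path $Key)) { throw "Registry key not found: $Key" }
    # authn_service is a REG_SZ: 16 = Kerberos only, 9 = Negotiate (Kerberos/NTLM mix)
    Set-ItemProperty -Path $Key -Name 'authn_service' -Value '16' -Type String
    # debugrpc = 1 writes SPN registration and authentication mode details to the event log
    Set-ItemProperty -Path $Key -Name 'debugrpc' -Value '1' -Type String
}

# --- On the AOS server ---
Set-AxKerberosOnly -Key $serverKey
# The AOS reads authn_service and registers its SPN when the service starts.
# Service name 'AOS60$01' is an assumption for AX 2012 instance 01; adjust for your instance.
Restart-Service -Name "AOS60`$$Instance"

# Confirm the AOS logged 'Authn Service: Kerberos' together with the SPN it registered.
$entry = Get-WinEvent -LogName Application -MaxEvents 500 |
    Where-Object { $_.Message -match "Object Server ${Instance}: Authn Service: Kerberos" } |
    Select-Object -First 1
if (-not $entry) {
    throw 'No Kerberos registration entry found; check that the service account may write SPNs.'
}
$entry.Message

# --- On the client ---
Set-AxKerberosOnly -Key $clientKey
# After starting the AX client, the ticket for the AOS SPN must appear in the Kerberos cache.
# $AosHost is a placeholder for the AOS server name that appears in the SPN.
$AosHost = 'contoso3209.contoso.com'
klist tickets | Select-String -Pattern "/$AosHost" -Context 0,3
```

If the event log shows an SPN registration error instead, the service account lacks the right to write its own SPN and the SPN has to be registered manually as described above.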

Additional keys available:

authn_service (string value)

– configurable on both client and server

– allowable values: 9, 16

        9 = Negotiate

        16 = Kerberos

        (default value is "Default", i.e. NTLM)

authn_regspn (string value)

– configurable on server

– the event log will show an error if the server failed to register the SPN

– allowable values: 0, 1

        0 = do not register SPN

        1 = register SPN (default value)

authn_fqdn (string value)

– configurable on client

– allowable values: 0, 1, domain suffix

        0 = do not append domain suffix

        1 = append domain suffix (default value)

        <string> = domain suffix (e.g. mydomain.corp.com)

        note: if no domain suffix is supplied by the client configuration / AX load balancer, the domain of the client machine is used.

authn_usehost (string value)

– configurable on client / server

– allowable values: 0, 1

        0 = do not use host format (default)

        1 = use host format

debugrpc (string value)

– configurable on server or client

– allowable values: 0, 1

        0 = disables event log debug logging

        1 = enables event log debug logging

– logs additional information about SPN registration, authentication mode, and the SPN value.

Writer: Uwe Zimmermann <uwezim@microsoft.com>