When the client device, Microsoft Dynamics NAV Web client, and Microsoft Dynamics NAV Server are on separate computers, the client device interacts with Microsoft Dynamics NAV Server through the computer that is running Microsoft Dynamics NAV Web client. Microsoft Dynamics NAV Web client is performing actions on the client device's behalf. This process is known as impersonation. Impersonation cannot be used across multiple computers, so you must set up delegation from Microsoft Dynamics NAV Web client to Microsoft Dynamics NAV Server. Delegation occurs when Microsoft Dynamics NAV Web client forwards a request from a device request to the Microsoft Dynamics NAV Server service so that the Microsoft Dynamics NAV Server service can impersonate the device.
- Delegating Access from the Web Server to <token xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5">nav_server</token>
- Registering Service Principal Names for Microsoft Dynamics NAV Server
This task is only required if the service account for Microsoft Dynamics NAV Server is not configured to register SPNs automatically. - Configuring Kernel Mode Authentication on the Microsoft Dynamics NAV Web Client Website
Delegating Access from the Web Server to Microsoft Dynamics NAV Server
Configuring delegation means explicitly configuring the computer that is running Microsoft Dynamics NAV Web Server components to delegate its access to the Microsoft Dynamics NAV Server on behalf of the device that is trying to connect to Microsoft Dynamics NAV. To make the access more secure, you specify delegation to a specific service on a specific server. This is known as constrained delegation.
Note |
---|
You must run the following procedure on a domain controller computer or on a computer that is installed with Active Directory Domain Services tools. |
To delegate access to Microsoft Dynamics NAV Server
On the domain controller computer for your network, or on a computer that is installed with Active Directory Domain Services tools, choose Start, and then choose Run.
In the Open field, type dsa.msc.
This opens the Active Directory Users and Computers utility.
Expand the node for the domain where you have installed the Microsoft Dynamics NAV Development Environment. For this example, the domain is Corp.
Select the Computers node. Right-click the computer that is running the Microsoft Dynamics NAV Web Server components, and then choose Properties.
On the Delegation tab, choose Trust this user for delegation to specified services only, and then choose Use Kerberos only.
Note The Use Kerberos Only option does not work for some network configurations with Microsoft Dynamics NAV. If you get a server error when you try open the Microsoft Dynamics NAV Web client, then disable the Use Kerberos Only option and see whether this fixes the error. For more information about this error, see Troubleshooting: A server error occurred and the content cannot be displayed. You must add the following service entries for the computer that is running Microsoft Dynamics NAV Server, where NAVSERVER indicates the name of the computer that is running Microsoft Dynamics NAV Server.
Service type User or computer Port DynamicsNAV
NAVSERVER
7046
DynamicsNAV
NAVSERVER.corp
7046
HOST
NAVSERVER
HOST
NAVSERVER.corp
To add the HOST service, select Expanded, and then choose Add.
In the Add Services window, choose Users or Computers.
In the Enter the object names to select box, type the name of the computer that is running Microsoft Dynamics NAV Server, in this case NAVSERVER, and then choose the OK button.
In the list of available services, select HOST, and then choose the OK button.
To add the DynamicsNAV service, select Expanded, and then choose Add.
In the Enter the object names to select box, type the name of the user that is running the Microsoft Dynamics NAV Server, and then choose the OK button.
Choose the OK button to close the dialog box.
Registering Service Principal Names for Microsoft Dynamics NAV Server
When Microsoft Dynamics NAV Server is using a dedicated domain user account as its logon account, then you must register service principal names (SPN) for the Microsoft Dynamics NAV Server on the domain user account to make delegation work. An SPN is the name by which a client uniquely identifies an instance of a service, using the account under which the service runs. To register SPNs, you used the setspn command-line tool that is available in Windows Server 2008 and Windows 7.
Note |
---|
You do not have to perform this task if the domain user account has permissions to register SPNs. In this case, SPNs for Microsoft Dynamics NAV Server will be automatically registered when Microsoft Dynamics NAV Server instance starts and then unregistered when the Microsoft Dynamics NAV Server instance stops. For information about how to configure the service account to register SPNs, see Provisioning the Microsoft Dynamics NAV Server Account. |
To create a service principal name
Using any computer in the network, open a command prompt as an administrator. To do this, choose Start, and then in the search window, type Command Prompt. Right-click Command Prompt, and then choose Run as administrator.
To view the registered SPNs for Microsoft Dynamics NAV Server on the domain account, type the following command.
Copy Code setspn -l domain\username
To view the registered SPNs for a specific computer, type the following command.
Copy Code setspn -l domain\computername$
At the command prompt, create an SPN for the Microsoft Dynamics NAV Server service using the following syntax.
Copy Code setspn -A InstanceName/FullyQualifiedDomainNameOfServer:Port Domain\User
Replace InstanceName, FullyQualifiedDomainNameOfServer, Port, and Domain\ServiceAccountUserName with the appropriate values.
For example, if NAVSERVER is the name of the computer that is running Microsoft Dynamics NAV Server and DynamicsNAV is the instance name for Microsoft Dynamics NAV Server, the actual command has the following format.
Copy Code setspn -A DynamicsNAV/NAVSERV.corp:7046 corp\navdomainuser
Configuring Kernel Mode Authentication on the Microsoft Dynamics NAV Web Client Website
By default, Windows authentication on the Microsoft Dynamics NAV Web client site on IIS is set to use kernel mode authentication. Kernel-mode authentication improves authentication performance. However, when you are using delegation with Kerberos, you must either disable kernel mode or configure it to use the credentials of the application pool of Microsoft Dynamics NAV Web client; otherwise, authentication will fail and Microsoft Dynamics NAV Web client will not be able to connect to Microsoft Dynamics NAV Server. This is because kernel mode authentication runs under the machine account of the computer that is running IIS and the Microsoft Dynamics NAV Web Server components, while the Microsoft Dynamics NAV Web client runs under the user account of the user trying to access Microsoft Dynamics NAV.
As a best practice, you should configure kernel mode authentication to use the application pool credentials, as described in the following procedure.
To configure Kernel Mode Authentication to use the Application Pool Credentials
On the computer that you installed Microsoft Dynamics NAV Web Server components, open the applicationHost.config file for Internet Information Services in a text editor, such as Notepad. By default, the file is located in c:\Windows\System32\inetsrv\config.
Locate the
<location path="Microsoft Dynamics NAV 2016 Web Client">
element.Change the
<windowsAuthentication enabled="true">
element to the following.Copy Code <windowsAuthentication enabled="true" useAppPoolCredentials="true" />
Save the file.
Restart IIS. To restart IIS in a command prompt, do the following:
-
On the Start menu, choose Run.
-
In the Open box, type cmd, and then choose the OK button.
-
At the command prompt, type iisreset, and then press Enter.
Tip You can also restart IIS using Internet Information Services Manager, if you have it installed. -
On the Start menu, choose Run.
To disable configure Kernel Mode Authentication
Open Internet Information Services Manager.
On the Start menu, in the Search Programs and Files box, type inetmgr, and then press Enter.
In the Connections pane, expand Sites, and then select Microsoft Dynamics NAV 2016 Web client.
In the IIS section, double-click Authentication.
In the Authentication pane, choose Windows Authentication, and then choose Advanced Settings.
Clear the Enable Kernel-mode authentication box, and then choose the OK button.