Dynamics F/SCM Customer Experience (CRM) Dynamics GP Dynamics Business Central (NAV) Dynamics SL Power Platform Fabric Copilot

[Simon Lee]

?We recently upgraded from 2009 SP1 to 2009 R2.

After NAV Server and Web Services are installed and configured in a 3-tier environment, we registered SPN using a Domain user account – stb4navwebsrvs.

C:Userssilee>setspn -L stb4navwebsrvs
Registered ServicePrincipalNames for CN=stb4navwebsrvs,OU=Service Accounts,OU=IT
,OU=Locations,DC=stb,DC=com:
        mssqlsvc/STBVMDEVNAVDB.stb.com:1433
        mssqlsvc/STBVMDEVNAVDB:1433
        MicrosoftDynamicsNavServer/STBVMDEVWEBSRVS.stb.com:7046
        http/STBVMDEVWEBSRVS.stb.com:7047
        http/stbvmdevwebsrvs
        http/stbvmdevwebsrvs.stb.com

We also using “httpcfg set urlacl -u http://+:7047/DynamicsNAV/ -a D:^(A;^;GX^;^;^;…” command to add stb4navwebsvrs to URLACL,

We made stb4navwebsrvs the Local Administrator to both the SQL Server and the NAV Server.

We also grant SUPER right to stb4navwebsrvs

But still, when I test this URL http://stbvmdevwebsrvs:7047/DynamicsNAV/WS/1481STB/services any where, I am getting this page back

– <s:Envelope xmlns:s=”http://schemas.xmlsoap.org/soap/envelope/“>

– <s:Body>

– <s:Fault>

  <faultcode xmlns:a=”urn:microsoft-dynamics-schemas/error“>a:Microsoft.Dynamics.Nav.Types.NavDatabasePasswordException</faultcode>

  <faultstring xml:lang=”en-US“>The login failed when connecting to SQL Server STBVMDEVNAVDB.</faultstring>

– <detail>

  <string xmlns=”http://schemas.microsoft.com/2003/10/Serialization/“>The login failed when connecting to SQL Server STBVMDEVNAVDB.</string>

  </detail>

  </s:Fault>

  </s:Body>

  </s:Envelope>

But if I run this command in stbvmdevwebsrvs, it returns the correct result, only then, any other PC’s logged on with my name is returning the same result, if I run this URL.

– <discovery xmlns=”http://schemas.xmlsoap.org/disco/“ xmlns:xsi=”http://www.w3.org/2001/XMLSchema-instance“ xmlns:xsd=”http://www.w3.org/2001/XMLSchema“>

  <contractRef ref=”http://stbvmdevwebsrvs:7047/DynamicsNAV/WS/1481STB/SystemService“ xmlns=”http://schemas.xmlsoap.org/disco/scl/“ />

  <contractRef ref=”http://stbvmdevwebsrvs:7047/DynamicsNAV/WS/1481STB/Page/EmployeeQualification“ xmlns=”http://schemas.xmlsoap.org/disco/scl/“ />

  <contractRef ref=”http://stbvmdevwebsrvs:7047/DynamicsNAV/WS/1481STB/Page/EmplQualAPIDev“ xmlns=”http://schemas.xmlsoap.org/disco/scl/“ />

  </discovery>

Could anyone advise, what seems to be the issue?

Incidentally, I also make computer account stbstbvmdevwebsrvs$ the owner of the Database and assign it with SUPER permission.

——————————
Simon Lee
Starboard Cruise Services
Miami FL
——————————

[Paul Turner]

It sounds like a delegation issue.  Check whether stb4navwebsvrs is the assigned “log on as” user for both the [Microsoft Dynamics NAV Server] and the [Microsoft Dynamics NAV Business Web Services] services on the NAV server (stbvmdevwebsrvs).  Delegation from the Service Tier to the DB may fail if these are running under different accounts.  Try restarting both those services.

Hope this helps.  Delegation issues can be a pain.  I think we ended up making that service user a full domain admin.

——————————
Paul Turner
Liberty Mountain
Sandy UT
——————————
——————————————-

[Simon Lee]

?Hi, Paul, Thanks a lot for pointing us to the right direction.

I just checked and these 2 Services in the NAV Server do have the same “Log on As” – stb4navwebsrvs setup.

To be on the safe side, I also went to the SQL Server.  And the Server has the same “Log on As”.

As to the assignment of Domain Admin to the Deligation Account, we got turned down by the Domain Administrator, but they did assign Read and Write permission of the ServicePrincipalName to this Domain User. 

May be we will seek upper management approval to temporarily assignment of the Domain Admin access to prove a point.

——————————
Simon Lee
Starboard Cruise Services
Miami FL
——————————
——————————————-

[Mark Miranda]

Make sure that the user account running the SQL service has an SPN for MSSQLSvc and then set the delgation between the two accounts as follows:

1. On any domain controller computer in the domain, click Start, and then click Run.

2. In the Open field, type dsa.msc.

   This opens the Active Directory Users and Computers utility.

3. To configure delegation, the functional level for the domain must be Windows Server 2003 or higher. To verify the domain functional level, right-click the node for the domain where you have installed Microsoft Dynamics NAV, and then click Raise Domain Functional Level. If the level is not at least Windows Server 2003, then raise it to that level.

4. Right-click the node for the domain where you have installed Microsoft Dynamics NAV, and then click Find.

5. In the Find Users, Contacts, and Group dialog box, type the name of the domain user in the Name field, and then press ENTER.

6. In the Search results area, right-click the domain user, and then click Properties.

7. On the Delegation tab, click Trust this user for delegation to specified services only, and then click Use Kerberos only.

8. Click Add to open the Add Services dialog box.

9. In the Add Services window, click Users or Computers, and then type the name of the domain user.

10. In the list of services for the domain user, click MSSQLSvc, which is the name of the SQL Server service.

11. Click OK to exit the Add Services dialog box.

12. Click OK to close all open dialog boxes.

——————————
Mark Miranda
Director of Information Technology
Western Computer
——————————
——————————————-