How to: Configure Delegation for Microsoft Dynamics NAV Web Client

When the client device, Microsoft Dynamics NAV Web client, and Microsoft Dynamics NAV Server are on separate computers, the client device interacts with Microsoft Dynamics NAV Server through the computer that is running Microsoft Dynamics NAV Web client. Microsoft Dynamics NAV Web client is performing actions on the client device's behalf. This process is known as impersonation. Impersonation cannot be used across multiple computers, so you must set up delegation from Microsoft Dynamics NAV Web client to Microsoft Dynamics NAV Server. Delegation occurs when Microsoft Dynamics NAV Web client forwards a request from a device request to the Microsoft Dynamics NAV Server service so that the Microsoft Dynamics NAV Server service can impersonate the device.

Delegating Access from the Web Server to Microsoft Dynamics NAV Server

Configuring delegation means explicitly configuring the computer that is running Microsoft Dynamics NAV Web Server components to delegate its access to the Microsoft Dynamics NAV Server on behalf of the device that is trying to connect to Microsoft Dynamics NAV. To make the access more secure, you specify delegation to a specific service on a specific server. This is known as constrained delegation.

JJ551742.note(en-us,NAV.70).gifNote
You must run the following procedure on a domain controller computer or on a computer that is installed with Active Directory Domain Services tools.

To delegate access to Microsoft Dynamics NAV Server

  1. On the domain controller computer for your network, or on a computer that is installed with Active Directory Domain Services tools, choose Start, and then choose Run.

  2. In the Open field, type dsa.msc.

    This opens the Active Directory Users and Computers utility.

  3. Expand the node for the domain where you have installed the Microsoft Dynamics NAV Development Environment. For this example, the domain is Corp.

  4. Select the Computers node. Right-click the computer that is running the Microsoft Dynamics NAV Web Server components, and then choose Properties.

  5. On the Delegation tab, choose Trust this user for delegation to specified services only, and then choose Use Kerberos only.

  6. You must add the following service entries for the computer that is running Microsoft Dynamics NAV Server, where NAVSERVER indicates the name of the computer that is running Microsoft Dynamics NAV Server.

    Service type User or computer Port

    DynamicsNAV

    NAVSERVER

    7046

    DynamicsNAV

    NAVSERVER.corp

    7046

    HOST

    NAVSERVER

    HOST

    NAVSERVER.corp

  7. To add the services, select Expanded, and then choose Add.

  8. In the Add Services window, choose Users or Computers.

  9. In the Enter the object names to select box, type the name of the computer that is running Microsoft Dynamics NAV Server, in this case NAVSSERVER, and then choose the OK button.

  10. In the list of available services, press and hold the Ctrl key, select DynamicsNAV for port 7046 and HOST, and then choose the OK button.

  11. Choose the OK button to close the dialog box.

Registering Service Principal Names for Microsoft Dynamics NAV Server

When Microsoft Dynamics NAV Server is using a dedicated domain user account as its logon account, then you must register service principal names (SPN) for the Microsoft Dynamics NAV Server on the domain user account to make delegation work. An SPN is the name by which a client uniquely identifies an instance of a service, using the account under which the service runs. To register SPNs, you used the setspn command-line tool that is available in Windows Server 2008 and Windows 7.

JJ551742.note(en-us,NAV.70).gifNote
You do not have to perform this task if the domain user account has permissions to register SPNs. In this case, SPNs for Microsoft Dynamics NAV Server will be automatically registered when Microsoft Dynamics NAV Server instance starts and then unregistered when the Microsoft Dynamics NAV Server instance stops. For information about how to configure the service account to register SPNs, see Provisioning the Microsoft Dynamics NAV Server Account.

To create a service principal name

  1. Using any computer in the network, open a command prompt as an administrator. To do this, choose Start, and then in the search window, type Command Prompt. Right-click Command Prompt, and then choose Run as administrator.

  2. To view the registered SPNs for Microsoft Dynamics NAV Server on the domain account, type the following command.

    setspn -l domain\username
    

    To view the registered SPNs for a specific computer, type the following command.

    setspn -l domain\computername$
    
  3. At the command prompt, create an SPN for the Microsoft Dynamics NAV Server service using the following syntax.

    setspn -A InstanceName/FullyQualifiedDomainNameOfServer:Port Domain\User
    

    Replace InstanceName, FullyQualifiedDomainNameOfServer, Port, and Domain\ServiceAccountUserName with the appropriate values.

    For example, if NAVSERVER is the name of the computer that is running Microsoft Dynamics NAV Server and DynamicsNAV is the instance name for Microsoft Dynamics NAV Server, the actual command has the following format.

    setspn -A DynamicsNAV/NAVSERV.corp:7046 corp\navdomainuser
    

Configuring Kernel Mode Authentication on the Microsoft Dynamics NAV Web Client Website

By default, Windows authentication on the Microsoft Dynamics NAV Web client site on IIS is set to use kernel mode authentication. Kernel-mode authentication improves authentication performance. However, when you are using delegation with Kerberos, you must either disable kernel mode or configure it to use the credentials of the application pool of Microsoft Dynamics NAV Web client; otherwise, authentication will fail and Microsoft Dynamics NAV Web client will not be able to connect to Microsoft Dynamics NAV Server. This is because kernel mode authentication runs under the machine account of the computer that is running IIS and the Microsoft Dynamics NAV Web Server components, while the Microsoft Dynamics NAV Web client runs under the user account of the user trying to access Microsoft Dynamics NAV.

As a best practice, you should configure kernel mode authentication to use the application pool credentials, as described in the following procedure.

To configure Kernel Mode Authentication to use the Application Pool Credentials

  1. On the computer that you installed Microsoft Dynamics NAV Web Server components, open the applicationHost.config file for Internet Information Services in a text editor, such as Notepad. By default, the file is located in c:\Windows\System32\inetsrv\config.

  2. Locate the <location path="Microsoft Dynamics NAV 2013 Web Client"> element.

  3. Change the <windowsAuthentication enabled="true"> element to the following.

    <windowsAuthentication enabled="true" useAppPoolCredentials="true" />
    
  4. Save the file.

  5. Restart IIS. To restart IIS in a command prompt, do the following:

    1. On the Start menu, choose Run.

    2. In the Open box, type cmd, and then choose the OK button.

    3. At the command prompt, type iisreset, and then press Enter.

    JJ551742.Tip(en-us,NAV.70).gifTip
    You can also restart IIS using Internet Information Services Manager, if you have it installed.

To disable configure Kernel Mode Authentication

  1. Open Internet Information Services Manager.

    On the Start menu, in the Search Programs and Files box, type inetmgr, and then press Enter.

  2. In the Connections pane, expand Sites, and then select Microsoft Dynamics NAV 2013 Web client.

  3. In the IIS section, double-click Authentication.

  4. In the Authentication pane, choose Windows Authentication, and then choose Advanced Settings.

  5. Clear the Enable Kernel-mode authentication box, and then choose the OK button.

See Also

Show: