AXForum  
Вернуться   AXForum > Microsoft Dynamics CRM > Dynamics CRM: Blogs
All
Забыли пароль?
Зарегистрироваться Правила Справка Пользователи Сообщения за день Поиск

 
 
Опции темы Поиск в этой теме Опции просмотра
Старый 05.11.2009, 11:12   #1  
Blog bot is offline
Blog bot
Участник
 
25,640 / 848 (80) +++++++
Регистрация: 28.10.2006
One of the problems when troubleshooting why a 3-tier setup of NAV 2009 doesn't work is, that the same error - typically this one on the SQL Server:

"Login failed for user 'NT AUTHORITYANONYMOUS LOGON'"

can be caused by any number of problems between NAV Server, SQL Server and Active Directory settings.

One quite common cause of this problem is duplicate SPNs. This post describes the problem with duplicate SPNs, and how to locate and solve it.



What is the problem:

When the NAV Server and SQL Server are on two different machines, a connection between Role Tailored Client (RTC) and the NAV Server requires Kerberos. Kerberos uses SPNs to locate which Windows account the NAV Server is running under. For this reason, each SPN must point to exactly one Windows account.

Once you start setting up and troubleshooting a 3-tier setup it is easy to end up trying new SPNs on new accounts, and forgetting to remove the original SPNs. And you may end up with the same SPN assigned to two different Windows accounts. More about SPNs in this post:

What do SPNs actually do - NAV 2009



How to check if you have duplicate SPNs:

This is easy if you have Windows 2008 somewhere on the domain. If you do, then from a command prompt, just run this command:

setspn -X

This command is new in Windows 2008, and was introduced exactly and specifically to help locating this problem.



If you do not have Windows 2008 anywhere on the domain, then use the command line tool called "ldifde" from a Windows Server 2000 or 2003. More details and examples about ldifde in this KB article:

LDIFDE - Export / Import data from Active Directory - LDIFDE commands



For the purpose of finding duplicate SPNs, use ldifde from a command prompt like this:

ldifde -f "c:xAD.txt" -l ServicePrincipalName

This will export values of the ServicePrincipalName-property for all accounts in Active Directory to a text file. Here is an example of the output of this command:
dn: CN=navservice,CN=Users,DC=contoso,DC=com
changetype: add
servicePrincipalName: HTTP/NAV-SERVER
servicePrincipalName: HTTP/NAV-SERVER.contoso.com
servicePrincipalName: DynamicsNAV/NAV-SERVER:7046
servicePrincipalName: DynamicsNAV/NAV-SERVER.contoso.com:7046

dn: CN=SQLDUI SD.,CN=Users,DC=contoso,DC=com
changetype: add
servicePrincipalName: DynamicsNAV/NAV-SERVER:7046
servicePrincipalName: DynamicsNAV/NAV-SERVER.contoso.com:7046

Then you must search manually for your SPNs, and see if they appear more than once. In this example, the SPN "DynamicsNAV/NAV-SERVER:7046" is set up for both accounts navservice and SQLDUI, so in this case you would have to remove this SPN from one of the accounts.





Lars Lohndorf-Larsen

Microsoft Customer Service and Support (CSS) EMEA



Источник: http://feedproxy.google.com/~r/Micro...cate-them.aspx
__________________
Расскажите о новых и интересных блогах по Microsoft Dynamics, напишите личное сообщение администратору.
 


Ваши права в разделе
Вы не можете создавать новые темы
Вы не можете отвечать в темах
Вы не можете прикреплять вложения
Вы не можете редактировать свои сообщения

BB коды Вкл.
Смайлы Вкл.
[IMG] код Вкл.
HTML код Выкл.
Быстрый переход

Рейтинг@Mail.ru
Часовой пояс GMT +3, время: 07:31.