2019-12-30

NAV Dynamics login error AAD

Error accessing Website Microsoft Dynamics NAV 2017 Web Client

Raw Url: /XYZ/WebClient/SignIn.aspx?ReturnUrl=%2fXYZ%2fWebClient%2f
Url: http://10.0.0.4:8080/XYZ/WebClient/SignIn.aspx?ReturnUrl=%2fXYZ%2fWebClient%2f
Type: Microsoft.Dynamics.Nav.Types.NavSecurityNegotiationException
Message: The Service Principal Name (Delegation) configuration has been set incorrectly. Server connect URL: "net.tcp://localhost:7346/XYZ/Service". SPN Identity: "DynamicsNAV/localhost:7346"
  • The X.509 certificate CN=*.domain.com, O=Company Ltd, L=City, C=CZ is not in the trusted people store.
  • The X.509 certificate CN=*.domain.com, O=Company Ltd, L=City, C=CZ chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. The revocation function was unable to check revocation because the revocation server was offline.
  • Restarting the service (I did it by restarting the whole machine)
Solution

Go to IIS, open Application Pools, select the Microsoft Dynamics NAV2017 Web Client Application Pool, open Advanced Settings. Find Process Model / Load User Profile and make sure it is False (default is True). (source)
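As an added example (not part of the original post), the PowerShell below does the app-pool check and fix described above and then reproduces the two X.509 checks from the error bullets, so you can see which one is actually failing on the box. The application pool name, the certificate subject and the use of the LocalMachine stores are assumptions, not taken from the post.

```powershell
# Added example, not from the original post. Assumed values are marked as such.
Import-Module WebAdministration

$appPoolName = 'Microsoft Dynamics NAV 2017 Web Client Application Pool'   # assumed pool name
$certSubject = 'CN=*.domain.com'                                            # subject from the error text

# --- 1. Process Model / Load User Profile (the fix from the post: must be False) ---
$poolPath = "IIS:\AppPools\$appPoolName"
$pool = Get-Item -Path $poolPath
$loadUserProfile = [bool]$pool.processModel.loadUserProfile
Write-Host "Load User Profile on '$appPoolName': $loadUserProfile"
if ($loadUserProfile) {
    Set-ItemProperty -Path $poolPath -Name processModel.loadUserProfile -Value $false
    Restart-WebAppPool -Name $appPoolName
    Write-Host 'Set Load User Profile to False and recycled the pool'
}

# --- 2. The two X.509 checks behind the error bullets ---
# "is not in the trusted people store" is the WCF PeerTrust message: the peer
# certificate must be present in the TrustedPeople store seen by the identity
# that runs the check. LocalMachine is assumed here; with Load User Profile =
# True the pool identity gets its own CurrentUser stores as well, which is one
# reason the setting matters.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "$certSubject*" } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with subject $certSubject in LocalMachine\My" }

$inTrustedPeople = Get-ChildItem -Path Cert:\LocalMachine\TrustedPeople |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
Write-Host ("In LocalMachine\TrustedPeople: {0}" -f [bool]$inTrustedPeople)

# "chain building failed ... revocation server was offline": build the chain
# with an online revocation check and print every status flag, so the real
# cause (missing CA certificate, unreachable CRL/OCSP endpoint) is visible.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chainOk = $chain.Build($cert)
Write-Host "Chain builds with online revocation check: $chainOk"
foreach ($status in $chain.ChainStatus) {
    Write-Host (" - {0}: {1}" -f $status.Status, $status.StatusInformation.Trim())
}
# RevocationStatusUnknown / OfflineRevocation: the CRL or OCSP endpoint could not
# be reached. UntrustedRoot / PartialChain: the issuing CA is missing from
# LocalMachine\Root or LocalMachine\CA. Fix the store contents rather than
# lowering certificateValidationMode.
```

Run it elevated on the web server. If the pool already has Load User Profile set to False and the chain still fails, the status flags printed in step 2 tell you whether to import the issuing CA or to make the revocation endpoint reachable from the server.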

Other related errors and warnings:

The hint to change the certificate validation mode did not help with "The X.509 certificate is not in the trusted people store" (which config file?).

Background: an Azure Active Directory account is set as the service account for running NAV, with MFA deactivated ($Sta = @() and Set-MsolUser -UserPrincipalName $serviceAccountFullName -StrongAuthenticationRequirements $Sta -State "MFA disabled for this user"). An SPN is somehow not required for this scenario, but it is still mentioned in many places...

setspn -l domain\computerName
    some SPNs are registered
setspn -l domain\userAccount
    nothing registered
setspn -A was unsuccessful due to the error "Failed to assign SPN on account, error 0x2098/8344 -> Insufficient access rights to perform the operation", even though I had all rights (Global administrator)

SPN Identity: DynamicsNAV was created inside Azure as a Registered App
