We started configuration from standard WhitePaper Microsoft Dynamics AX 2009 White Paper: Configuring Kerberos Authentication with Role Centers

However even if Kerberos and SPNs are configured correctly you can run into an authentication issue, if you have the following components running on their own server with Windows Server 2008 as the operating system:

  • Microsoft SQL Server 2005 or 2008 (including Database Engine, Reporting Services and Analysis Services)
  • Microsoft Office SharePoint Server 2007 or Microsoft Windows SharePoint Services 3.0

We followed the tips given in our previous article: http://blogs.msdn.com/b/emeadaxsupport/archive/2009/07/22/kerberos-authentication-issues-in-a-multi-server-environment-affecting-the-kpi-web-part.aspx

Although we get not Enterprise Portal site working from the client machine. The problem happens just after launching Enterprise Portal site we got authentication prompt and then 401 error  (Access denied).

On SharePoint Server 2007 our Enterprise Portal was not installed on port 80 (standard port) but on 82 port. On port 80 we had different page which needed to be working correctly which was running on application pool using different identity than our bc proxy account. In our case our SPN for Sharepoint server looked following:

HTTP/{server name}:{port number} {application pool account}

HTTP/{the server fully-qualified domain name}:{port number} {application pool account}

So for contonso domain that would look following:

HTTP/EnterprisePortal1:82

HTTP/EnterprisePortal1.contoso.corp.contoso.com:82

It happens the problem is cause by Wininet.dll file which does not pass the port number of the target Web site. So the Kerberos ticket is is build with different account than resolve and this is why we get problem.

The solution is if you use Internet Explorer lower than version 7 you need to install hotfix and apply changes in “More information” section: http://support.microsoft.com/kb/908209

If you use Internet Explorer version higher than version 7 then you need to apply changes in “More information: section: http://support.microsoft.com/kb/908209.

If you apply changes from article: http://support.microsoft.com/kb/908209 you will see that it will be working fine from Internet Explorer but from Dynamics Ax you will get error again. To solve it you will need to add new Value in registry key:

  1. Click Start, click Run, type regedit, and then click OK.
  2. In the left pane, locate and then click the following registry subkey
  3. For 32-bit computers 

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209

  4. For 64 bit computers

    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209

  5. On the Edit menu, point to New, and then click DWORD Value.
  6. Type ax32.exe, and then press ENTER.
  7. On the Edit menu, click Modify.
  8. Type 1 in the Value data box, and then click OK.
  9. Exit Registry Editor.
--author: Czesława Lagowska, Jean-Benoit Simonutti
--editor: Czesława Langowska
--date: 11/Feb/2011