Setting up delegation and SPNs for NAV 2009 on three machines (when the NAV Server and SQL Server are on two seperate machines) is described in "Walkthrough: Installing the Three Tiers on Three Computers". But in addition to this, also be aware of the following:
Also thanks to our German colleagues for already posting this information here and here.
Syntax of SPNs has changed since KB 968189
After installing KB 968189 for NAV 2009 (Build 6.0.28795.0) the SPNs now have this format:<Instance>/<server host>:<port><Instance>/<server FQDN>:<port>
So for example if the SPNs used to be set like this:
From this build and later they have to be set like this:DynamicsNAV/NAV-SERVER.Domain.com:7046DynamicsNAV/NAV-SERVER:7046
About KB 968189 itself, it solves a very specific problem where it may not be possible to connect if the domain has multiple DNS Suffixes, which is quite unusual. Most installations are not affected by this. You can check whether you are affected by running ipconfig from a command prompt, and see if it lists more than one domain name under "Connection-specific DNS Suffix".
Setting UserAccountControl flag
In some cases you have to set UserAccountControl as described in KB 305144. You set this flag by running ADSIEDIT.msc, go to properties of the user account running your NAV Server, and then select UserAccountControl. Setting it to 17301504 means TRUSTED_FOR_DELEGATION+TRUSTED_TO_AUTH_FOR_DELEGATION
These postings are provided "AS IS" with no warranties and confer no rights. You assume all risk for your use.
Lars Lohndorf-Larsen (Lohndorf )
Microsoft Dynamics UK
Microsoft Customer Service and Support (CSS) EMEA
I have been set the user account control to 17301504. But, after some time, it has changed to 17302016. The mean of 17302016 is TRUSTED_FOR_DELEGATION+TRUSTED_TO_AUTH_FOR_DELEGATION too. Why could this happen?