Duplicate SPNs in a 3-tier setup and how to locate them


One of the difficulties when troubleshooting why a 3-tier setup of NAV 2009 doesn't work is that the same error, typically this one on the SQL Server:

"Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'"

can be caused by any number of problems between NAV Server, SQL Server and Active Directory settings.

One quite common cause of this problem is duplicate SPNs. This post describes the problem with duplicate SPNs, and how to locate and solve it.


What is the problem:

When the NAV Server and SQL Server are on two different machines, a connection between the Role Tailored Client (RTC) and the NAV Server requires Kerberos. Kerberos uses the SPN to find the Windows account that the NAV Server is running under, so that it can issue a service ticket for that account. For this reason, each SPN must point to exactly one Windows account.

Once you start setting up and troubleshooting a 3-tier setup, it is easy to end up trying new SPNs on new accounts and forgetting to remove the original ones, so that the same SPN is assigned to two different Windows accounts. More about SPNs in this post:

What do SPNs actually do - NAV 2009


How to check if you have duplicate SPNs:

This is easy if you have Windows 2008 somewhere on the domain. If you do, then from a command prompt, just run this command:

setspn -X

This command is new in Windows 2008, and was introduced specifically to help locate this problem: it searches the directory for SPNs that are registered on more than one account.


If you do not have Windows 2008 anywhere on the domain, then use the command-line tool ldifde from a Windows Server 2000 or 2003 machine. More details and examples for ldifde are in this KB article:

LDIFDE - Export / Import data from Active Directory - LDIFDE commands


For the purpose of finding duplicate SPNs, use ldifde from a command prompt like this:

ldifde -f "c:\x\AD.txt" -l ServicePrincipalName

This exports the values of the servicePrincipalName attribute for all accounts in Active Directory to a text file. Here is an example of the output of this command:

dn: CN=navservice,CN=Users,DC=contoso,DC=com
changetype: add
servicePrincipalName: HTTP/NAV-SERVER
servicePrincipalName: HTTP/NAV-SERVER.contoso.com
servicePrincipalName: DynamicsNAV/NAV-SERVER:7046
servicePrincipalName: DynamicsNAV/NAV-SERVER.contoso.com:7046

dn: CN=SQLDUI SD.,CN=Users,DC=contoso,DC=com
changetype: add
servicePrincipalName: DynamicsNAV/NAV-SERVER:7046
servicePrincipalName: DynamicsNAV/NAV-SERVER.contoso.com:7046

Then you must search the file manually for your SPNs and see whether any of them appear under more than one account. In this example, the SPN "DynamicsNAV/NAV-SERVER:7046" (and likewise "DynamicsNAV/NAV-SERVER.contoso.com:7046") is set up for both accounts navservice and SQLDUI, so in this case you would have to remove this SPN from one of the accounts, leaving it on the account that the NAV Server service actually runs under.
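Searching the export by hand gets tedious on a large domain. As an added example (not from the original post), this Python script parses the ldifde output shown above, embedded here as constructed sample input, and reports every SPN that is registered on more than one account; it compares SPNs case-insensitively, which is an assumption of the script rather than something the post states.

```python
# Constructed sample: the two records from the ldifde output shown above.
SAMPLE_LDIF = """\
dn: CN=navservice,CN=Users,DC=contoso,DC=com
changetype: add
servicePrincipalName: HTTP/NAV-SERVER
servicePrincipalName: HTTP/NAV-SERVER.contoso.com
servicePrincipalName: DynamicsNAV/NAV-SERVER:7046
servicePrincipalName: DynamicsNAV/NAV-SERVER.contoso.com:7046

dn: CN=SQLDUI SD.,CN=Users,DC=contoso,DC=com
changetype: add
servicePrincipalName: DynamicsNAV/NAV-SERVER:7046
servicePrincipalName: DynamicsNAV/NAV-SERVER.contoso.com:7046
"""

def parse_ldif(text):
    """Return [(dn, [spn, ...]), ...]; LDIF folds long values onto lines starting with a space."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded continuation: append to previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, dn, spns = [], None, []
    for line in lines + [""]:               # trailing "" flushes the last record
        if line == "":                      # a blank line ends a record
            if dn is not None:
                records.append((dn, spns))
            dn, spns = None, []
            continue
        key, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: <base64>" values are skipped (rare here)
            continue
        value = value.strip()
        if key.lower() == "dn":
            dn = value
        elif key.lower() == "serviceprincipalname":
            spns.append(value)
    return records

def find_duplicate_spns(text):
    """Map each SPN held by more than one account to the sorted list of those accounts."""
    owners = {}                             # lowercased SPN -> (first spelling seen, {dn, ...})
    for dn, spns in parse_ldif(text):
        for spn in spns:
            owners.setdefault(spn.lower(), (spn, set()))[1].add(dn)
    return {name: sorted(dns) for name, dns in owners.values() if len(dns) > 1}
if __name__ == "__main__":
    for spn, dns in find_duplicate_spns(SAMPLE_LDIF).items():
        print(spn, "->", ", ".join(dns))
```

To run it against a real export, read the file produced by ldifde and pass its contents to find_duplicate_spns instead of SAMPLE_LDIF.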


Lars Lohndorf-Larsen

Microsoft Customer Service and Support (CSS) EMEA
