Whenever there is a problem with a NAV 3-tier setup, we typically begin by checking the same usual things (SPNs, Delegation, NAV Service account, etc.).
Below is a link to a PowerShell script that collects some of this information for you. So rather than logging on to a customer's NAV Server, then the Domain Controller, then looking around in Services, ADSIEdit, Users and Computers, etc., just run the script and it collects most of the usual information in txt files.
There is also the situation where you can't access the remote system that you need to troubleshoot. Explaining to a local admin what information you want them to look up can then easily become a very long email and/or phone call. Instead, just ask them to run the script and send the results back.
The script collects AD information specific to setting up NAV Server in 3-tier, which means SPNs, NAV Service information, Delegation permissions and more. In the best case (and with a bit of luck!) it collects enough information to pinpoint where a problem might be. In the worst case, it at least gives you an overview of what accounts and permissions are involved, so when you proceed to troubleshoot further, you have some idea of the basic setup.
You must run the script from the machine where NAV Server is running.
1. Copy the script from the link below into a new folder, for example C:\NAVCheck\.
2. Open a PowerShell Command prompt and move into this folder (CD C:\NAVCheck).
3. Give your PowerShell Command prompt access to execute scripts: Set-ExecutionPolicy Unrestricted
4. Run the script.
The user running the script must of course be allowed to log on to the NAV Server, but they do not need to be a Domain Admin.
The script creates a subfolder called "Results". This folder contains the following:
Check "SetSPNX.txt" first. A common issue is that the domain has duplicate SPNs created for different accounts. This is also an easy check you can do by just running "SetSPN -x" from a command prompt from any machine on the domain. Any duplicate SPNs must be resolved.
What SPNs are created for the user running the NAV Server (if any!).
UserAccountControl is a hash value that shows the user account properties, including "TRUSTED_FOR_DELEGATION", "DONT_EXPIRE_PASSWORD", "PASSWORD_EXPIRED", and more, any of which could prevent a NAV 3-tier setup from working. NB: "TRUSTED_FOR_DELEGATION" is set only if the user is set up for unconstrained delegation (allowed to delegate to any service). If the user is set up for constrained delegation, then check msDS-AllowedToDelegateTo. You can use this link to decode the UserAccountControl value.
msDS-AllowedToDelegateTo shows what services the user is allowed to delegate to. Check that at least SQL Server is allowed, and in case of any file shares, also the cifs service (see here for more details on managing network files in RTC).
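The two checks above can also be done offline once you have the collected values. The following is an added example, not part of the linked script: it decodes a UserAccountControl number into named flags and checks the msDS-AllowedToDelegateTo entries for the SQL Server and cifs services. The function names, the flag subset and the sample values (account numbers and example.local SPNs) are constructed for illustration.

```powershell
# Subset of userAccountControl bit masks that matter for a NAV service account.
$UacFlags = [ordered]@{
    ACCOUNTDISABLE                 = 0x00000002
    NORMAL_ACCOUNT                 = 0x00000200
    DONT_EXPIRE_PASSWORD           = 0x00010000
    TRUSTED_FOR_DELEGATION         = 0x00080000   # unconstrained delegation
    PASSWORD_EXPIRED               = 0x00800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000   # protocol transition
}

# Hypothetical helper: return the names of all flags set in $Value.
function Get-UacFlagNames([int]$Value) {
    $UacFlags.GetEnumerator() |
        Where-Object { $Value -band $_.Value } |
        ForEach-Object { $_.Key }
}

# Hypothetical helper: list findings for one service account.
function Test-NavDelegation {
    param([int]$UserAccountControl, [string[]]$AllowedToDelegateTo, [bool]$UsesFileShares)
    $flags    = @(Get-UacFlagNames $UserAccountControl)
    $findings = @()
    foreach ($blocker in 'ACCOUNTDISABLE', 'PASSWORD_EXPIRED') {
        if ($flags -contains $blocker) { $findings += "Account flag $blocker is set" }
    }
    if ($flags -contains 'TRUSTED_FOR_DELEGATION') {
        $findings += 'Unconstrained delegation: account may delegate to any service'
    } else {
        # Constrained delegation: compare the service class (text before "/") of each SPN.
        $classes = @(foreach ($spn in $AllowedToDelegateTo) { if ($spn) { ($spn -split '/')[0] } })
        if ($classes -notcontains 'MSSQLSvc') { $findings += 'No SQL Server (MSSQLSvc) service in msDS-AllowedToDelegateTo' }
        if ($UsesFileShares -and $classes -notcontains 'cifs') { $findings += 'File shares in use but no cifs service in msDS-AllowedToDelegateTo' }
    }
    [pscustomobject]@{ Flags = $flags -join ', '; Findings = $findings }
}

# Constructed sample 1: constrained delegation to SQL Server only, file shares in use.
Test-NavDelegation -UserAccountControl 66048 `
    -AllowedToDelegateTo 'MSSQLSvc/sql01.example.local:1433' -UsesFileShares $true | Format-List

# Constructed sample 2: unconstrained delegation on an account whose password has expired.
Test-NavDelegation -UserAccountControl 8978944 -AllowedToDelegateTo @() -UsesFileShares $false | Format-List
```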
The script can be copied / downloaded from here:
Script for NAV 3-tier troubleshooting (PowerShell).
This link also has further instructions and links at the bottom to further resources.
As usual this script is of course supplied "as is" with no support or warranties. If you think that the script could be improved and/or collect different / further information, then please do add comments below.
Lars Lohndorf-Larsen Dynamics NAV Support EMEA