When a middle-tier service account has the correct rights in AD (Write Public Information - SELF), it can register its own SPNs.
If you enable everything you get:
DynamicsNAV/instance:7045
DynamicsNAV/instance.domain:7045
DynamicsNAV/server:7046
DynamicsNAV/server.domain:7046
DynamicsNAV/server:7047
DynamicsNAV/server.domain:7047
DynamicsNAV/server:7048
DynamicsNAV/server.domain:7048
The result is that the webservice is working on the server itself but we can't call it from other machines.
There's something wrong with the Kerberos security, the pre-authentication fails.
This I can solve by creating an extra SPN:
HTTP/server domain\ServiceAccount
HTTP/server.domain domain\ServiceAccount
But at this point we lose the webclient-functionality and the remote-powershell-functionality.
This last issue we can solve by creating a second SPN:
http/server:5985 server
http/server.domain:5985 server
https/server:5986 server
https/server.ktn.group:5986 server
Does anyone have an idea?