So I felt like a superhero figuring out all the stuff explained in Part 1, but after posting it and testing some more I started getting weird errors, and stuff would stop working. While working on something else (implementing claims-based authentication in Citrix XenApp) I had enabled Kerberos logging, and I noticed this error:
And I got this sweaty feeling all over, like when you did something bad. So I quickly went to test it. First I tried opening the client, making sure AllowNtlm was set to false and ServicePrincipalNameRequired to true, and tried connecting to one of the Navision instances I had problems with.
I added an SPN for the service account, with the instance name pointing to the server's FQDN (not the CNAME as explained in the article), restarted the service and tried again.
Bam, success … so I went to Google and searched for the documentation. Try opening http://msdn.microsoft.com/en-us/library/dd301254.aspx and search for SPN. Notice how it says:
setspn -A InstanceName/FullyQualifiedDomainNameOfServer:Port Domain\User
How the freaking hell did I miss that? I've seen that page a billion times. Oh well, nothing wrong with learning something new once in a while.
Using a CNAME is still a good idea though. If you want to use Kerberos when talking to the web service you still need an HTTP/host SPN registered, and what I wrote in Part 1 still applies.
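As an added example (not code from the original post or from Microsoft), the check below builds the SPN in the form the MSDN page quotes, InstanceName/FullyQualifiedDomainNameOfServer:Port, parses the output of setspn -L for the service account, and reports whether that exact SPN is registered. The account, server, port and instance names (CONTOSO\svc-nav, navsrv01.contoso.com, 7046, DynamicsNAV) are placeholders, as is the constructed setspn output, which reproduces the mistake described above: an SPN registered against the CNAME instead of the host FQDN.

```powershell
# Added example, not part of the original post. Names below are placeholders.

function Get-ExpectedNavSpn {
    param(
        [Parameter(Mandatory)] [string] $InstanceName,
        [Parameter(Mandatory)] [string] $ServerFqdn,
        [Parameter(Mandatory)] [int]    $Port
    )
    # Documented format: InstanceName/FullyQualifiedDomainNameOfServer:Port.
    # The FQDN of the host, not a CNAME, is what the client asks for.
    return ('{0}/{1}:{2}' -f $InstanceName, $ServerFqdn, $Port)
}

function ConvertFrom-SetspnOutput {
    # Turns the lines printed by "setspn -L DOMAIN\account" into a list of SPNs.
    # The first line is the "Registered ServicePrincipalNames for CN=..." header;
    # every following non-empty line is one indented SPN.
    param([Parameter(Mandatory)] [string[]] $Lines)
    $Lines |
        Select-Object -Skip 1 |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -match '^[^/\s]+/\S+$' }
}

function Test-NavSpn {
    # One result object per expected SPN: registered or not, plus the command
    # that would register it. -S (unlike -A) refuses to add an SPN already held
    # by another account, which avoids creating a duplicate-SPN Kerberos failure.
    param(
        [Parameter(Mandatory)] [string[]] $ExpectedSpns,
        [Parameter(Mandatory)] [string[]] $RegisteredSpns,
        [Parameter(Mandatory)] [string]   $Account
    )
    foreach ($spn in $ExpectedSpns) {
        # -contains on a string array compares case-insensitively, like SPNs.
        $registered = $RegisteredSpns -contains $spn
        $fix = if ($registered) { $null } else { "setspn -S $spn $Account" }
        [pscustomobject]@{
            ExpectedSpn = $spn
            Registered  = $registered
            FixCommand  = $fix
        }
    }
}

# Constructed sample of "setspn -L CONTOSO\svc-nav" output (placeholder values):
# the service SPN points at the CNAME nav.contoso.com, not the host FQDN.
$sample = @(
    'Registered ServicePrincipalNames for CN=svc-nav,OU=Service Accounts,DC=contoso,DC=com:',
    '        DynamicsNAV/nav.contoso.com:7046',
    '        HTTP/nav.contoso.com'
)

$expected = @(
    (Get-ExpectedNavSpn -InstanceName 'DynamicsNAV' -ServerFqdn 'navsrv01.contoso.com' -Port 7046),
    'HTTP/nav.contoso.com'   # the web-service SPN from Part 1 still has to exist
)

Test-NavSpn -ExpectedSpns $expected `
            -RegisteredSpns (ConvertFrom-SetspnOutput $sample) `
            -Account 'CONTOSO\svc-nav' | Format-Table -AutoSize

# Against the live account, replace $sample with the real tool output:
#   ConvertFrom-SetspnOutput (setspn -L 'CONTOSO\svc-nav')
```

With the sample input the service SPN row comes back Registered = False with the setspn -S line to run, while the HTTP SPN row is True; after adding the FQDN-based SPN and restarting the service, both rows should be True.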