Configuring Delegation for Business Central Web Server
When the client device, Business Central Web Server, and Business Central Server are on separate computers, the client device interacts with Business Central Server through the computer that is running Business Central Web Server. Business Central Web Server is performing actions on the client device's behalf. This process is known as impersonation. Impersonation cannot be used across multiple computers, so you must set up delegation from Business Central Web Server to Business Central Server. Delegation occurs when Business Central Web Server forwards a request from a device request to the Business Central Server service so that the Business Central Server service can impersonate the device.
This task is only required if the service account for Business Central Server is not configured to register SPNs automatically.
Delegating Access from the Web Server to Business Central Server
Configuring delegation means explicitly configuring the computer that is running Business Central Web Server components to delegate its access to the Business Central Server on behalf of the device that is trying to connect to Business Central. To make the access more secure, you specify delegation to a specific service on a specific server. This is known as constrained delegation.
You must run the following procedure on a domain controller computer or on a computer that is installed with Active Directory Domain Services tools.
To delegate access to Business Central Server
On the domain controller computer for your network, or on a computer that is installed with Active Directory Domain Services tools, choose Start, and then choose Run.
In the Open field, type dsa.msc.
This opens the Active Directory Users and Computers utility.
Expand the node for the domain where you have installed the Dynamics NAV Development Environment. For this example, the domain is Corp.
Select the Computers node. Right-click the computer that is running the Business Central Web Server, and then choose Properties.
On the Delegation tab, choose Trust this user for delegation to specified services only, and then choose Use Kerberos only.
The Use Kerberos Only option does not work for some network configurations with Business Central. If you get a server error when you try open the Business Central Web Server, then disable the Use Kerberos Only option and see whether this fixes the error. For more information about this error, see Troubleshooting: A server error occurred and the content cannot be displayed.
You must add the following service entries for the computer that is running Business Central Server, where BCSERVER indicates the name of the computer that is running Business Central Server.
Service type User or computer Port DynamicsNAV BCSERVER 7046 DynamicsNAV BCSERVER.corp 7046 HOST BCSERVER HOST BCERVER.corp
To add the HOST service, select Expanded, and then choose Add.
In the Add Services window, choose Users or Computers.
In the Enter the object names to select box, type the name of the computer that is running Business Central Server, in this case BCSERVER, and then choose the OK button.
In the list of available services, select HOST, and then choose the OK button.
To add the DynamicsNAV service, select Expanded, and then choose Add.
In the Enter the object names to select box, type the name of the user that is running the Business Central Server, and then choose the OK button.
Choose the OK button to close the dialog box.
Registering Service Principal Names for Business Central Server
When Business Central Server is using a dedicated domain user account as its logon account, then you must register service principal names (SPN) for the Business Central Server on the domain user account to make delegation work. An SPN is the name by which a client uniquely identifies an instance of a service, using the account under which the service runs. To register SPNs, you used the setspn command-line tool that is available in Windows Server 2008 and Windows 7.
You do not have to perform this task if the domain user account has permissions to register SPNs. In this case, SPNs for Business Central Server will be automatically registered when Business Central Server instance starts and then unregistered when the Business Central Server instance stops. For information about how to configure the service account to register SPNs, see Provisioning the Service Account.
To create a service principal name
Using any computer in the network, open a command prompt as an administrator. To do this, choose Start, and then in the search window, type Command Prompt. Right-click Command Prompt, and then choose Run as administrator.
To view the registered SPNs for Business Central Server on the domain account, type the following command.
setspn -l domain\username
To view the registered SPNs for a specific computer, type the following command.
setspn -l domain\computername$
At the command prompt, create an SPN for the Business Central Server service using the following syntax.
setspn -A InstanceName/FullyQualifiedDomainNameOfServer:Port Domain\User
Replace InstanceName, FullyQualifiedDomainNameOfServer, Port, and Domain\ServiceAccountUserName with the appropriate values.
For example, if BCSERVER is the name of the computer that is running Business Central Server and BC140 is the instance name, the actual command has the following format.
setspn -A BC130/BCSERVER.corp:7046 corp\bcdomainuser
Configuring Kernel Mode Authentication on the Business Central Web Server
By default, Windows authentication on the Business Central Web Server site on IIS is set to use kernel mode authentication. Kernel-mode authentication improves authentication performance. However, when you are using delegation with Kerberos, you must either disable kernel mode or configure it to use the credentials of the application pool of Business Central Web Server; otherwise, authentication will fail and Business Central Web Server will not be able to connect to Business Central Server. This is because kernel mode authentication runs under the machine account of the computer that is running IIS and the Business Central Web Server, while the Business Central Web Server runs under the user account of the user trying to access Business Central.
As a best practice, you should configure kernel mode authentication to use the application pool credentials, as described in the following procedure.
To configure Kernel Mode Authentication to use the Application Pool Credentials
On the computer that you installed Business Central Web Server, open the applicationHost.config file for Internet Information Services in a text editor, such as Notepad. By default, the file is located in c:\Windows\System32\inetsrv\config.
<location path="Microsoft Dynamics 365 Business Central Web Client">element.
<windowsAuthentication enabled="true">element to the following.
<windowsAuthentication enabled="true" useAppPoolCredentials="true" />
Save the file.
Restart IIS. To restart IIS in a command prompt, do the following:
On the Start menu, choose Run.
In the Open box, type cmd, and then choose the OK button.
At the command prompt, type iisreset, and then press Enter.
You can also restart IIS using Internet Information Services Manager, if you have it installed.
To disable configure Kernel Mode Authentication
Open Internet Information Services Manager.
On the Start menu, in the Search Programs and Files box, type inetmgr, and then press Enter.
In the Connections pane, expand Sites, and then select Dynamics 365 Business Central Web client.
In the IIS section, double-click Authentication.
In the Authentication pane, choose Windows Authentication, and then choose Advanced Settings.
Clear the Enable Kernel-mode authentication box, and then choose the OK button.