How To: Set Up Delegation
When the RoleTailored client, Microsoft Dynamics NAV Server, and SQL Server are installed on separate computers, the client interacts with the database through an intermediate computer, which is running Microsoft Dynamics NAV Server. The server performs actions on the client's behalf, under the client's identity. This process is known as impersonation.
Delegation is when a front-end service forwards a client request to a back-end service so that the back-end service can also impersonate the client. Impersonation is typically used to check whether a client is authorized to perform a particular action, while delegation is a way of flowing impersonation capabilities, along with the client's identity, to a back-end service. Delegation is a Windows domain feature that relies on Kerberos authentication; it does not work when the client authenticates to Microsoft Dynamics NAV Server with NTLM, because NTLM cannot forward the client's credentials to a second computer.
As a domain administrator, you must perform the following tasks to enable delegation within the three-tier RoleTailored architecture for configurations where the RoleTailored client, Microsoft Dynamics NAV Server, and SQL Server are on separate computers:
Creating service principal names
Delegating access to the SQL Server service
When the RoleTailored client and Microsoft Dynamics NAV Server are on different computers, file operations that are initiated from the RoleTailored client, such as RENAME and COPY, fail if the destination for the file operation is not on the computer running Microsoft Dynamics NAV Server. One solution is to configure Microsoft Dynamics NAV Server to delegate on behalf of the RoleTailored client as described in this topic. In this case, you may also need to configure Microsoft Dynamics NAV Server to delegate to the cifs service on the destination computer. To avoid this complication entirely, define file operations so that the destination is always on the computer running Microsoft Dynamics NAV Server. You can then use a shared folder on the computer running Microsoft Dynamics NAV Server and share it with all users who require access to the files.
If your implementation is not working as expected after following the instructions in this topic, then you can use the Best Practices Analyzer for Microsoft Dynamics NAV 2009 (requires PartnerSource login). Install this diagnostic tool on your computer running Microsoft Dynamics NAV Server to help identify configuration issues that may be preventing your three-tier deployment of Microsoft Dynamics NAV from working correctly.
Creating Service Principal Names
The first step in setting up delegation is to create any necessary service principal names (SPN). Active Directory uses Kerberos to authenticate services, and Kerberos identifies each service instance by its SPN. An SPN is the name by which a client uniquely identifies an instance of a service; it is registered on the account under which the service runs, and the Kerberos Key Distribution Center uses that account's key to issue tickets for the service. When a service runs under a built-in account such as Network Service, its SPN belongs on the computer account, which can usually register it itself. When either the Microsoft Dynamics NAV Server service or the SQL Server service runs under a dedicated domain user account, you must explicitly create the SPN on that account, because a user account cannot register its own SPNs by default. We recommend using a dedicated domain user account for the highest security.
You must have the setspn command-line tool installed on your server. In Windows Server 2008, the setspn tool is included if you have installed the Active Directory Domain Services server role. In Windows Server 2003, you must download the Windows Server 2003 Service Pack 2 32-bit Support Tools to get the setspn tool.
To create a service principal name
Open an elevated command prompt. Click Start, and in the search window, type Command Prompt.
Right-click Command Prompt, and then click Run as administrator.
At the command prompt, create the SPN. The syntax is:
setspn -S ServiceClass/FullyQualifiedDomainNameOfServer:Port Domain\User
ServiceClass is the service type in the SPN; for SQL Server it is MSSQLSvc, and Port is the TCP port on which the service listens. The -S option first checks whether the SPN is already registered on another account in the forest and refuses to add a duplicate. If your version of setspn.exe does not recognize -S, retry the command using -A, and run setspn -Q ServiceClass/FullyQualifiedDomainNameOfServer:Port first, because -A adds the SPN without checking, and an SPN that exists on two accounts breaks Kerberos authentication for that service. See Walkthrough: Installing the Three Tiers on Three Computers for an example of how to create SPNs when deploying Microsoft Dynamics NAV.
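The following PowerShell script is an added example and is not part of the original topic or of the Microsoft Dynamics NAV installation; it applies the SPN step above to a three-computer deployment and adds the duplicate check that a practitioner wants before running setspn. All names in it are assumptions: the domain contoso.com, the hosts navserver01 and sqlserver01, the service accounts CONTOSO\svc-nav and CONTOSO\svc-sql, TCP port 7046 for Microsoft Dynamics NAV Server, TCP port 1433 for a default SQL Server instance, and the service class DynamicsNAV for the NAV Server SPN.

```powershell
# Added example, not part of the original topic: register the SPNs that Kerberos
# delegation needs in the three-computer deployment, checking for duplicates first.
# Assumed names (replace with your own): domain contoso.com, hosts navserver01 and
# sqlserver01, service accounts CONTOSO\svc-nav and CONTOSO\svc-sql, Microsoft Dynamics
# NAV Server listening on TCP 7046 and a default SQL Server instance on TCP 1433.
# The service class DynamicsNAV for the NAV Server SPN is an assumption here as well;
# the service class for SQL Server is MSSQLSvc.
$spns = @(
    @{ Spn = 'DynamicsNAV/navserver01.contoso.com:7046'; Account = 'CONTOSO\svc-nav' },
    @{ Spn = 'MSSQLSvc/sqlserver01.contoso.com:1433';   Account = 'CONTOSO\svc-sql' },
    @{ Spn = 'MSSQLSvc/sqlserver01.contoso.com';        Account = 'CONTOSO\svc-sql' }   # default instance also uses the portless form
)

foreach ($entry in $spns) {
    # setspn -Q searches the whole forest. The same SPN on two accounts leaves the KDC
    # unable to choose a key, so Kerberos fails for that service; find out before adding.
    $query = & setspn -Q $entry.Spn
    if ($query -match 'Existing SPN found') {
        Write-Host "Already registered: $($entry.Spn)"
        $query | Where-Object { $_ -match '^CN=' } | ForEach-Object { Write-Host "  on $_" }
        continue
    }

    # -S refuses to add a duplicate; -A (older setspn.exe) adds unconditionally, which
    # is why the -Q check above runs first in either case.
    & setspn -S $entry.Spn $entry.Account | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "setspn -S failed for $($entry.Spn) on $($entry.Account)"
    }
    Write-Host "Registered: $($entry.Spn) -> $($entry.Account)"
}

# List what is now on each account. The Add Services dialog box in Active Directory
# Users and Computers shows exactly these entries when you configure delegation later.
foreach ($account in ($spns | ForEach-Object { $_.Account } | Sort-Object -Unique)) {
    Write-Host "SPNs registered on ${account}:"
    & setspn -L $account
}
```

Run the script from an elevated PowerShell prompt as a domain administrator on any domain-joined server that has setspn.exe. The "Already registered" branch prints the distinguished name of the account that holds the SPN; if that is a different account from the one in the table, remove the stale registration with setspn -D before continuing, since the -S call would otherwise fail and the service would keep failing Kerberos authentication.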
Delegating Access to the SQL Server Service
Configuring delegation means explicitly configuring the Microsoft Dynamics NAV Server service account to delegate its access to the database server on behalf of the RoleTailored client. To make the access more secure, you specify delegation to a specific service on a specific server (constrained delegation). This limits what the account can do with the client's identity: if the Microsoft Dynamics NAV Server account is compromised, it can impersonate users only against that SQL Server service, not against every service in the domain.
To delegate access to the SQL Server service
On any server computer in the domain, click Start, and then click Run.
In the Open field, type dsa.msc.
This opens the Active Directory Users and Computers utility.
To configure delegation, the functional level for the domain must be Windows Server 2003 or higher. To verify the domain functional level, right-click the node for the domain where you have installed Microsoft Dynamics NAV, and then click Raise Domain Functional Level. If the level is not at least Windows Server 2003, then raise it to that level.
Right-click the node for the domain where you have installed Microsoft Dynamics NAV, and then click Find.
In the Find Users, Contacts, and Groups dialog box, type the name of the domain user account under which the Microsoft Dynamics NAV Server service runs in the Name field, and then press ENTER.
In the Search results area, right-click the domain user, and then click Properties.
On the Delegation tab, click Trust this user for delegation to specified services only, and then click Use Kerberos only. The Delegation tab appears only after at least one SPN is registered on the account; if the tab is missing, return to the setspn step. Do not click Trust this user for delegation to any service, which is unconstrained delegation and lets the server act as the client against every service in the domain, and do not click Use any authentication protocol, which this configuration does not require.
Click Add to open the Add Services dialog box.
In the Add Services dialog box, click Users or Computers, type the name of the domain user account under which the SQL Server service runs (the account on which the MSSQLSvc SPN is registered), and then click OK.
In the Available services list for that account, click the MSSQLSvc entry for the SQL Server computer and port. MSSQLSvc is the service class of the SQL Server service. If no MSSQLSvc entry appears, the SPN was not registered on that account, and you must create it before delegation can work.
Click OK to exit the Add Services dialog box.
Click OK to close all open dialog boxes.
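The following PowerShell script is an added example and is not from the original topic; it performs the same Delegation tab settings from the command line and reads back the result, which is useful when you need to repeat the configuration or audit it. It assumes the ActiveDirectory module (part of the Remote Server Administration Tools on Windows Server 2008 R2 or later), domain administrator rights, a Microsoft Dynamics NAV Server service account named svc-nav, and a default SQL Server instance on sqlserver01.contoso.com, TCP 1433; all of those names are assumptions.

```powershell
# Added example, not part of the original topic: apply the Delegation tab settings from
# the command line and verify them. Requires the ActiveDirectory module (RSAT on Windows
# Server 2008 R2 or later) and the rights of a domain administrator.
# Assumed names (replace with your own): Microsoft Dynamics NAV Server service account
# svc-nav, and a default SQL Server instance on sqlserver01.contoso.com, TCP 1433.
Import-Module ActiveDirectory

$navAccount = 'svc-nav'
$sqlSpns    = @('MSSQLSvc/sqlserver01.contoso.com:1433', 'MSSQLSvc/sqlserver01.contoso.com')

# "Trust this user for delegation to specified services only" stores the target SPNs in
# msDS-AllowedToDelegateTo. The SPNs must already exist on the SQL Server service
# account, otherwise the KDC rejects the delegated ticket request.
$current = (Get-ADUser -Identity $navAccount -Properties 'msDS-AllowedToDelegateTo').'msDS-AllowedToDelegateTo'
$missing = $sqlSpns | Where-Object { $current -notcontains $_ }
if ($missing) {
    Set-ADUser -Identity $navAccount -Add @{ 'msDS-AllowedToDelegateTo' = [string[]]$missing }
}

# "Use Kerberos only" means neither of the broader delegation flags is set:
#   TrustedForDelegation       = "Trust this user for delegation to any service"
#                                 (unconstrained; the server could reuse the client's
#                                 ticket-granting ticket against every service)
#   TrustedToAuthForDelegation = "Use any authentication protocol" (protocol transition;
#                                 the server could obtain tickets for users who never
#                                 authenticated to it)
Set-ADAccountControl -Identity $navAccount -TrustedForDelegation $false -TrustedToAuthForDelegation $false

# Read back what Active Directory now holds for the account.
$props = 'TrustedForDelegation', 'TrustedToAuthForDelegation', 'msDS-AllowedToDelegateTo', 'ServicePrincipalNames'
$user  = Get-ADUser -Identity $navAccount -Properties $props
[pscustomobject]@{
    Account             = $user.SamAccountName
    Unconstrained       = $user.TrustedForDelegation          # should be False
    ProtocolTransition  = $user.TrustedToAuthForDelegation    # should be False
    AllowedToDelegateTo = $user.'msDS-AllowedToDelegateTo' -join '; '
    OwnSpns             = $user.ServicePrincipalNames -join '; '
} | Format-List
```

After the Microsoft Dynamics NAV Server service has been restarted and a RoleTailored client has connected, confirm the whole chain on the SQL Server computer with SELECT auth_scheme FROM sys.dm_exec_connections: the sessions that originate from the Microsoft Dynamics NAV Server computer should show KERBEROS. NTLM there means the SPN or the delegation setting is wrong. Also check the client user's own account: a user for whom Account is sensitive and cannot be delegated is selected on the Account tab cannot be delegated regardless of how the server account is configured.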