How to: Configure Web Services with Delegation

Note

This topic requires that you have successfully completed the procedures in the Walkthrough: Installing the Three Tiers on Three Computers topic, which describes how to install and configure Microsoft Dynamics NAV 2009 in a production environment on three computers.

This topic extends installing three tiers on three computers by adding a Web services client. This client communicates with the database through the Microsoft Dynamics NAV Business Web Services service, which is a Windows service that is automatically installed when you install Microsoft Dynamics NAV Server. After installing Microsoft Dynamics NAV Server, you can see the Microsoft Dynamics NAV Business Web Services service listed just above Microsoft Dynamics NAV Server in the Windows services tool:

Services associated with Dynamics NAV Server

These two services use the same process in Windows and must always run using the same account. Because you have already configured Microsoft Dynamics NAV Server to log on using a dedicated domain user account, you must configure the Microsoft Dynamics NAV Business Web Services service to log on with the same dedicated domain user account. For more information, see How to: Configure Windows Services.

Note

You can create multiple Microsoft Dynamics NAV Web services servers on a single computer. For details, see "Creating a Second Web Services Server on a Single Computer" in Walkthrough: Accessing Multiple Microsoft Dynamics NAV Databases from a Single Microsoft Dynamics NAV Server Computer. Also see Creating a web service manually, the importance of the name you give it, and a few small things to remember on the Microsoft Dynamics NAV Team Blog.

Configuring Web Services for Delegation

After you start the Microsoft Dynamics NAV Business Web Services service, you will create two service principal names (SPNs) for the service. To make delegation more secure, Active Directory uses Kerberos to authenticate services. An SPN is the name by which a client uniquely identifies an instance of a service, using the account under which the service runs. You must create two SPNs for the Microsoft Dynamics NAV Business Web Services service:

  • One for URLs that use the fully qualified domain name of the server.

  • One for URLs that use the NetBIOS name.

Note

This procedure uses the httpcfg tool for configuring the HTTP server. When you install Microsoft Dynamics NAV Server, Setup puts a copy of httpcfg.exe in the Microsoft Dynamics NAV Server directory. By default, this directory is C:\Program Files\Microsoft Dynamics NAV\60\Service.

To configure Microsoft Dynamics NAV Web services for delegation

  1. Open an elevated command prompt. Click Start, and in the search window, type Command Prompt.

  2. Right-click Command Prompt, and then click Run as administrator.

  3. At the command prompt, use the setspn command to create two SPNs for the Microsoft Dynamics NAV Business Web Services service. The syntax is:

    setspn -A http/NameOfServer Domain\User
    

    The http/ indicates that the SPN is for the Web services server.

    1. The first setspn command, using the fully qualified domain name of the server, has this format:

      setspn -A http/NAVSERV.yourDomain.yourCompany.com yourDomain\yourUser
      

      Replace NAVSERV with the name of the computer running Microsoft Dynamics NAV Server, and replace yourCompany, yourDomain, and yourUser with the actual company, domain, and user account names.

    2. The second setspn command excludes the company and domain from the server address:

      setspn -A http/NAVSERV yourDomain\yourUser
      

      This SPN accommodates Web services clients that connect using the NetBIOS name of the server.

  4. Use httpcfg to register the access control list (ACL) that is associated with the Web service URL for the domain user. An ACL is part of the Windows security infrastructure. For details, see Access Control Lists.

    httpcfg delete urlacl -u http://+:7047/DynamicsNAV/
    httpcfg set urlacl -u http://+:7047/DynamicsNAV/ -a D:^(A;^;GX^;^;^;<security identifier>)
    

    Replace <security identifier> with the actual security-identifier attribute (SID) for the account. A security identifier is a unique value of variable length used to identify a user or group account. For details, see Security Identifiers.

    Note

    If you have previously configured Microsoft Dynamics NAV Web services to use SSL, use "https" in the two httpcfg commands instead of "http". For more information, see Walkthrough: Configuring Web Services to Use SSL.

  5. Close the command prompt.

  6. In Control Panel, click Administrative Tools, and then click Services.

  7. In the list of services, scroll down to Microsoft Dynamics NAV Business Web Services.

  8. Double-click to open the Properties dialog box for this service, and then click Start.

    Note

    The Microsoft Dynamics NAV Business Web Services service is not configured to start automatically when you start the computer. If you want this service to start automatically, in the Properties dialog box for this service, on the General tab, select Automatic as the value for Startup type.

    Your Web service clients should now be able to connect through Web services on the computer running Microsoft Dynamics NAV Server to your SQL Server database on a separate computer.
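
The checks around steps 3 and 4 as a PowerShell script, added here as an example and not part of the original topic: it resolves the service account to its SID, builds the ACL string for httpcfg, and shows the SPN and URL ACL state so you can confirm both are bound to the dedicated account only. The account, host names and path are the page's placeholders and defaults, the `$Apply` switch is a hypothetical name, and the script assumes a setspn version that supports -Q (Windows Server 2008 or later).

```powershell
# Added example. Account, host names, port and path are the page's placeholders
# and defaults; adjust them before running from an elevated prompt.
$Account  = 'yourDomain\yourUser'
$HostFqdn = 'NAVSERV.yourDomain.yourCompany.com'
$HostName = 'NAVSERV'
$Url      = 'http://+:7047/DynamicsNAV/'
$HttpCfg  = 'C:\Program Files\Microsoft Dynamics NAV\60\Service\httpcfg.exe'
$Apply    = $false   # hypothetical switch: $true changes the URL ACL, $false only reports

# Resolve the service account to its SID instead of copying it by hand.
$nt  = New-Object System.Security.Principal.NTAccount($Account)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# SDDL for the URL ACL: one allow ACE granting GX (generic execute) to that SID only.
# The carets in the cmd.exe form of the command are escape characters, not part of the string.
$sddl = "D:(A;;GX;;;$sid)"
Write-Output "Account $Account resolves to $sid"
Write-Output "URL ACL to register: $sddl"

# Each SPN must be registered on exactly one account; a duplicate on another
# account breaks Kerberos authentication to the service.
# setspn -Q searches the domain for an existing registration of the SPN.
foreach ($spn in "http/$HostFqdn", "http/$HostName") {
    Write-Output "--- setspn -Q $spn"
    & setspn.exe -Q $spn
}

# List what is registered on the service account after running setspn -A.
Write-Output "--- setspn -L $Account"
& setspn.exe -L $Account

if ($Apply) {
    # Same two commands as step 4; PowerShell passes $sddl as a single argument.
    & $HttpCfg delete urlacl -u $Url
    & $HttpCfg set urlacl -u $Url -a $sddl
}

# Show the reservation and confirm the ACL names only the service account's SID.
& $HttpCfg query urlacl | Select-String -SimpleMatch -Context 0,3 $Url
```

If the SPN query shows either name registered on an account other than the dedicated service account, resolve that before enabling delegation.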

See Also

Other Resources

Working with Web Services