Outlook Integration & Webservice - Error 401

davoness Member Posts: 22
edited 2015-01-29 in NAV Three Tier
Hi All

I am configuring Outlook Integration using Web Services and have hit an error. A summary of my configuration is:

Two machines, both running Windows Server 2008 on same domain. One is the DB/NAV Server (SERVER) and one is the Remote Desktop server (CLIENT)
SQL Server and NAV Server/NAV Web Service all on same machine (SERVER)
NAV Classic, NAV RTC also on SERVER
NAV Classic, NAV RTC and Outlook on machine 2 (CLIENT)
On SERVER, all of the SQL Server, NAV Server Service & NAV Web Service are running on a Domain Admin account.
All services start fine with nothing in the Application Log
I have completed the steps in "Enabling Object Change" for this Admin account
RTC works fine connecting to the DB from both SERVER and CLIENT
In the relevant company I have ticked 'Publish' on the Outlook Integration Web Service
When I go to check services by going to http://localhost:7047/DynamicsNAV/WS/services on SERVER I see the list as expected, including the Outlook one
When I replace this with http://SERVER:7047/DynamicsNAV/WS/Services, I get a Windows authentication window pop up, where no credentials (all the various admin accounts) will work
When I try to go to http://SERVER:7047/DynamicsNAV/WS/Services from CLIENT, I get the same (i.e. Windows authentication message)
When I try to get the Company List in the Outlook Synch Settings I get the attached error message (401 Authentication error)

Everywhere I have seen help on this error (the 401 error in Outlook Sync) it points to issues of delegation as the NAV Server & SQL Server are on different machines. Not applicable in this case! Does anyone have any hints?

Comments

  • davoness Member Posts: 22
    PS

    I am using NAV 2009 SP1 GB version, SQL 2008, and Outlook 2007.
    Something else I have found and checked is that the SQL Server in question is ticked "Allow Remote Connections to this Server" in its properties.
    Also key="WebServiceSSLEnabled" value="false"
    and the Admin service account has Full Control over the Services folder
    The account in use on CLIENT is a Windows Login with SUPER in the NAV DB
    The Admin account on the SERVER is a Windows Login with SUPER in the NAV DB

    The output for http://localhost:7047/DynamicsNAV/WS/services from SERVER is
    - <discovery xmlns="http://schemas.xmlsoap.org/disco/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <contractRef ref="http://localhost:7047/DynamicsNAV/WS/SystemService" xmlns="http://schemas.xmlsoap.org/disco/scl/" />
    <contractRef ref="http://localhost:7047/DynamicsNAV/WS/Codeunit/DynamicsNAVsynchOutlook" xmlns="http://schemas.xmlsoap.org/disco/scl/" />
    </discovery>

    The Authentication popup for http://aplgwsql4:7047/DynamicsNAV/WS/services from SERVER is attached
  • davoness Member Posts: 22
    Some further info...

    When I attempt to connect to the 'localhost' Services URL there is nothing placed in the Event Logs
    When I attempt to connect to the 'SERVER' Services URL, from the SERVER machine and enter credentials, I get an "Audit Success" followed by an "Audit Failure" log in the Security Log. These are below
    In the System Log I get an error (not every time, only got it once when I tried to go to the URL 6 times) which is right at the end

    Security Log Audit Success:
    A logon was attempted using explicit credentials.

    Subject:
    Security ID: APWORLD\tstone
    Account Name: tstone
    Account Domain: APWORLD
    Logon ID: 0x44f5110
    Logon GUID: {8a5aa0e5-6992-3253-0822-8e3ff8f40ce3}

    Account Whose Credentials Were Used:
    Account Name: tstone
    Account Domain: APWORLD.AIRPARTNER.COM
    Logon GUID: {42901567-a38e-7891-9334-99887a6df52b}

    Target Server:
    Target Server Name: APLGWSQL4.apworld.airpartner.com
    Additional Information: HTTP/APLGWSQL4.apworld.airpartner.com

    Process Information:
    Process ID: 0x157c
    Process Name: C:\Program Files (x86)\Internet Explorer\iexplore.exe

    Network Information:
    Network Address: -
    Port: -

    This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.

    Security Log Audit Failure:
    An account failed to log on.

    Subject:
    Security ID: NULL SID
    Account Name: -
    Account Domain: -
    Logon ID: 0x0

    Logon Type: 3

    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name:
    Account Domain:

    Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xc000006d
    Sub Status: 0xc000006a

    Process Information:
    Caller Process ID: 0x0
    Caller Process Name: -

    Network Information:
    Workstation Name: -
    Source Network Address: -
    Source Port: -

    Detailed Authentication Information:
    Logon Process: Kerberos
    Authentication Package: Kerberos
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

    This event is generated when a logon request fails. It is generated on the computer where access was attempted.

    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

    The Process Information fields indicate which account and process on the system requested the logon.

    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

    System Log Error
    The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server Administrator. The target name used was HTTP/APLGWSQL4.apworld.airpartner.com. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (APWORLD.AIRPARTNER.COM) is different from the client domain (APWORLD.AIRPARTNER.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
  • davoness Member Posts: 22
    Hi All

    Thanks to the boys at Microsoft this is sorted. We did two things to fix it...

    1) Added SPNs for
    HTTP/FullyQualifiedDomainNameOfNavWebServiceServer
    HTTP/NameOfNavWebServiceServer
    in AD to the account the services were running as

    2) Added the Server to the "Local Intranet Sites" list in Internet Explorer on the client & server machines

    All fixed!
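
Added example, not part of the original thread or of Microsoft's guidance: a small offline check of the condition the fix above addresses, namely that the SPN named in the KRB_AP_ERR_MODIFIED event, in both its fully qualified and short forms, is registered on exactly one account and that this is the account running the NAV services. The event text is shortened from the post above; the account name `svc-nav` and both SPN inventories are constructed for illustration.

```python
import re

# Constructed sample: the System-log error quoted in the thread, shortened.
KRB_EVENT = (
    "The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server "
    "Administrator. The target name used was HTTP/APLGWSQL4.apworld.airpartner.com. "
    "This indicates that the target server failed to decrypt the ticket."
)

def target_spn(event_text):
    """Pull the SPN the client requested a ticket for out of the event text."""
    m = re.search(r"target name used was (\S+)", event_text)
    return m.group(1).rstrip(".") if m else None

def required_spns(spn):
    """FQDN and short-name forms, the two SPNs added in the fix above."""
    service, host = spn.split("/", 1)
    return [f"{service}/{host}", f"{service}/{host.split('.')[0]}"]

def audit(inventory, service_account, spns):
    """inventory is {account: [SPN, ...]}; SPN matching is case-insensitive."""
    result = {}
    for spn in spns:
        owners = sorted(acct for acct, regs in inventory.items()
                        if spn.lower() in (r.lower() for r in regs))
        if not owners:
            # No explicit HTTP SPN: the KDC falls back to the HOST/ SPN of the
            # computer account, whose key a domain-account service does not hold.
            result[spn] = "missing"
        elif len(owners) > 1:
            result[spn] = "duplicate: " + ", ".join(owners)
        elif owners[0].lower() != service_account.lower():
            result[spn] = "wrong-account: " + owners[0]
        else:
            result[spn] = "ok"
    return result

# Constructed inventories; "svc-nav" is a hypothetical service account name.
BEFORE = {"APLGWSQL4$": ["HOST/APLGWSQL4", "HOST/APLGWSQL4.apworld.airpartner.com"],
          "svc-nav": []}
AFTER = {**BEFORE, "svc-nav": required_spns(target_spn(KRB_EVENT))}

if __name__ == "__main__":
    spns = required_spns(target_spn(KRB_EVENT))
    for label, inv in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(inv, "svc-nav", spns))
```

Any status other than `ok` corresponds to one of the causes the event text itself lists: the SPN is absent from, or not exclusively registered on, the account the service runs as.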
  • Barzog Member Posts: 5
    Hey, I'm having a similar issue (I'm getting the Kerberos error in the system log), so I just wanted to clear up if the http/Servername and the other SPN is specified with the port as well, i.e. "http/FQDN:7047" or just on "http"?

    Kaz
  • tinoruijs Member Posts: 1,226
    davoness wrote:
    In the relevant company I have ticked 'Publish' on the Outlook Integration Web Service
    When I go to check services by going to http://localhost:7047/DynamicsNAV/WS/services on SERVER I see the list as expected, including the Outlook one

    I've searched for Outlook Synchronization setup in NAV 2015, but haven't found documentation.
    How do I 'Publish' the Outlook integration web service?
    I've got webservices running, but I don't see DynamicsNAVsynchOutlook.
    How do I install/get this?

    Thanks in advance.

    Tino Ruijs
    Microsoft Dynamics NAV specialist
  • tinoruijs Member Posts: 1,226
    Found it.
    "The service name is visible to consumers of your web service and is the basis for identifying and distinguishing web services, so you should make the name meaningful. If you are setting up integration with Microsoft Outlook using codeunit 5313, then you must use DynamicsNAVsynchOutlook as the service name."

    The "Outlook integration" web service is a web service on codeunit 5313. This codeunit is called "Outlook Synch. Dispatcher", which is easiest to name DynamicsNAVsynchOutlook because this is the default in the settings in Outlook.
    It would be much more logical to name the setting in Outlook OutlookSynchDispatcher.

    Tino Ruijs
    Microsoft Dynamics NAV specialist