Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. Delegation errors when working with file shares in the Microsoft Dynamics NAV RoleTailored client

Delegation errors when working with file shares in the Microsoft Dynamics NAV RoleTailored client

View products that this article applies to.

Symptoms

When you try to access files on a file share, the Microsoft Dynamics NAV Server throws an authentication error, and the SQL Server Error log shows the following error message: Login failed for user "NT AUTHORITY\ANONYMOUS LOGON"The symptoms described in this article occur in the following scenario:
  1. Microsoft Dynamics NAV is running in a 3-tier installation, i.e. the NAV Server and SQL Server are on different machines. 
  2. C/AL code is trying to access files, which are on a file share on a machine other than the one the NAV Server is running on.
  3. The account that is running the NAV Server is set up for constrained delegation. 
    Note: If the account is set up to be allowed to delegate to any services, then any symptoms you see will not be explained by this article.
Note:
The most likely reasons for receiving authentication errors are missing SPNs or delegation setup. You must also give the account running the NAV Server permissions to delegate to the HOST and CIFS Services on the machine where the file share is. This article assumes that all this has already been set up correctly; yet the authentication problem still exists.

↑ Back to the top

Cause

When available, Microsoft Windows Server 2008 uses a protocol for file sharing called SMB2. Previous versions of Windows used SMB1. Windows Server 2008 still fully supports SMB1 for communicating with older versions of Windows, but in cases where both the requesting machine and the machine that hosts a file share support SMB2, the SMB2 protocol will be used.

A limitation for SMB2 is that it is not able to handle constrained delegation. Therefore, when the NAV Server is set up for constrained delegation and tries to perform a file operation using SMB2, the action will fail with a permission error.

↑ Back to the top

Resolution

To resolve this problem, either do not use constrained delegation, or disable SMB2 on the machine that hosts the file share. Disabling SMB2 can be done by creating a REG_DWORD-key in registry called Smb2 under this key:

HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters
  • Set the key value to 0
Note: If you perform the SMB2 Server functionality registry change above, SMB2 based computers that had an active SMB2 session with the file server will no longer be able to re-establish the session over SMB1 until a restart of the computer or restart of the workstation service.


More details about this can be found at this link:
http://blogs.technet.com/b/askperf/archive/2008/05/30/two-minute-drill-overview-of-smb-2-0.aspx

↑ Back to the top

More Information

The best tool for identifying if the SMB2 protocol is being used, is Microsoft Network Monitor. If you collect a Network Monitor trace, the trace will show whether SMB1 or SMB2 was used. In the column "Protocol Name", Network Monitor will show "SMB" if SMB1 is used, or "SMB2" if SMB2 is being used.

↑ Back to the top

Keywords: kbmbspartner, kbmbsmigrate, kbsurveynew, kb

↑ Back to the top

Article Info
Article ID : 2621984
Revision : 1
Created on : 1/7/2017
Published on : 9/30/2011
Exists online : False
Views : 553