Configure delegation for Business Central web server
When the client device, Business Central Web Server, and Business Central Server are on separate computers, the client device interacts with Business Central Server through the computer that is running Business Central Web Server. Business Central Web Server performs actions on the client device's behalf; this process is known as impersonation. Impersonation can't be used across multiple computers, so you must set up delegation from Business Central Web Server to Business Central Server. Delegation occurs when Business Central Web Server forwards a request from the device to the Business Central Server service so that the Business Central Server service can impersonate the device.
Setting up delegation involves the following tasks:
Delegating access from the web server to the server instance
Registering service principal names for the server instance
The last task is required only if the SPNs (Service Principal Names) for Business Central Server aren't registered automatically. With Business Central version 20 and earlier they are, provided the service account for Business Central Server is configured to register SPNs (see the note under Registering Service Principal Names for Business Central Server).
Delegating Access from the Web Server to Business Central Server
Configuring delegation means explicitly configuring the computer that is running the Business Central Web Server components to delegate its access to Business Central Server on behalf of the device that is trying to connect to Business Central. To limit what the web server can do with the delegated identity, you specify delegation to a specific service on a specific server only, rather than to any service. This concept is known as constrained delegation.
Note
You must run the following procedure on a domain controller computer or on a computer that is installed with Active Directory Domain Services tools.
Delegate access to Business Central Server
On the domain controller computer for your network, or on a computer installed with Active Directory Domain Services tools, select Start, and then select Run.
In the Open field, type dsa.msc.
This step opens the Active Directory Users and Computers utility.
Expand the node for the domain where you installed Business Central. For this example, the domain is Corp.
Select the Computers node. Right-click the computer that is running the Business Central Web Server, and then select Properties.
On the Delegation tab, select Trust this user for delegation to specified services only, and then select Use Kerberos only.
Note
The Use Kerberos only option does not work for some network configurations with Business Central. If you get a server error when you try to open the Business Central Web Server, disable the Use Kerberos only option and check whether that fixes the error. Learn more about this error at Troubleshooting: A server error occurred and the content cannot be displayed.
Add the following service entries for the computer that is running Business Central Server, where BCSERVER is the name of that computer. The entries depend on your Business Central version.
Version 21 and later:
Service type    User or computer    Port
http            BCSERVER
Version 20 and earlier:
Service type    User or computer    Port
DynamicsNAV     BCSERVER            7046
HOST            BCSERVER
Select Add to open the Add Services window, and then select Users or Computers.
In the Enter the object names to select box, type the name of the computer that is running Business Central Server, in this case BCSERVER, and then select the OK button.
In the list of available services, select http (version 21 and later) or HOST (version 20 and earlier), and then select the OK button.
Version 20 and earlier only: to add the DynamicsNAV service, select Expanded, and then select Add. In the Enter the object names to select box, type the name of the user account that runs Business Central Server (the account on which the DynamicsNAV SPN is registered), select the OK button, and then select the DynamicsNAV service for port 7046.
Select the OK button to close the dialog box.
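The same constrained-delegation setting can be applied and, more importantly, verified from PowerShell. The following is an added example and not part of the Business Central documentation; it assumes the web server computer is named BCWEB, the server computer BCSERVER in the corp domain, and that the ActiveDirectory module is installed. It populates msDS-AllowedToDelegateTo (the "specified services only" list) and confirms that neither unconstrained delegation nor protocol transition is enabled, which is what "Use Kerberos only" means.

```powershell
# Added example (not from the Business Central documentation): configure Kerberos-only
# constrained delegation from the Business Central Web Server computer account to the
# Business Central Server services, then verify the result.
# Assumed names: BCWEB (web server computer), BCSERVER (server computer), domain corp.
Import-Module ActiveDirectory

$WebServerComputer = 'BCWEB'
$BcVersion         = 21   # 21 or later uses http/<server>; 20 or earlier uses DynamicsNAV/<server>:<port> and HOST/<server>

if ($BcVersion -ge 21) {
    # Same entry as the "http" row on the Delegation tab, in short-name and FQDN form.
    $TargetSpns = @('http/BCSERVER', 'http/BCSERVER.corp')
} else {
    # Same entries as the DynamicsNAV (port 7046) and HOST rows.
    $TargetSpns = @('DynamicsNAV/BCSERVER.corp:7046', 'HOST/BCSERVER', 'HOST/BCSERVER.corp')
}

# "Trust this computer for delegation to specified services only" = msDS-AllowedToDelegateTo.
Set-ADComputer -Identity $WebServerComputer -Add @{ 'msDS-AllowedToDelegateTo' = $TargetSpns }

# "Use Kerberos only": unconstrained delegation (TrustedForDelegation) must be off, and so must
# protocol transition (TrustedToAuthForDelegation, the "Use any authentication protocol" option).
Set-ADAccountControl -Identity "$WebServerComputer`$" -TrustedForDelegation $false -TrustedToAuthForDelegation $false

# Verify. A web server trusted for unconstrained delegation can impersonate any user that
# connects to it against any service, which is far broader than this procedure requires.
$Result = Get-ADComputer -Identity $WebServerComputer -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation
if ($Result.TrustedForDelegation) {
    throw "$WebServerComputer is trusted for unconstrained delegation; restrict it to the services above."
}
$Result | Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation,
    @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
```

The SPN strings written to msDS-AllowedToDelegateTo must match the SPNs actually registered on the target accounts (the computer account for http and HOST, the service account for DynamicsNAV); a typo here produces the same "server error" described in the note above.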
Configuring Kernel Mode Authentication on the Business Central Web Server
By default, Windows authentication on the Business Central Web Server site in IIS (Internet Information Services) is set to use kernel mode authentication. Kernel-mode authentication improves authentication performance. However, when you're using delegation with Kerberos, you must either disable kernel mode or configure it to use the credentials of the Business Central Web Server application pool. Otherwise, authentication fails and Business Central Web Server can't connect to Business Central Server. The reason is that kernel mode authentication decrypts Kerberos tickets with the machine account of the computer that is running IIS and Business Central Web Server, whereas Business Central Web Server itself runs under the identity of its application pool, so the ticket presented for the web server can't be decrypted by the account that needs it.
As a best practice, configure kernel mode authentication to use the application pool credentials, as described in option 1 below.
Option 1: Configure Kernel Mode Authentication to use the Application Pool Credentials (recommended)
On the computer where you installed Business Central Web Server, open the applicationHost.config file for Internet Information Services in a text editor, such as Notepad. By default, the file is located in c:\Windows\System32\inetsrv\config.
Locate the following element:
<location path="Microsoft Dynamics 365 Business Central Web Client">
Inside it, change the element
<windowsAuthentication enabled="true">
to the following:
<windowsAuthentication enabled="true" useAppPoolCredentials="true" />
If the windowsAuthentication element in your file has child elements (for example, a providers list), add the useAppPoolCredentials="true" attribute to the opening tag and keep the children and closing tag, rather than replacing the element with the self-closing form.
Save the file.
Restart IIS. To restart IIS in a command prompt, do the following steps:
On the Start menu, select Run.
In the Open box, type cmd, and then select the OK button.
At the command prompt, type iisreset, and then press Enter.
Tip
You can also restart IIS using Internet Information Services Manager, if you have it installed.
Option 2: Disable Kernel Mode Authentication
Open Internet Information Services Manager.
On the Start menu, in the Search Programs and Files box, type inetmgr, and then press Enter.
In the Connections pane, expand Sites, and then select Dynamics 365 Business Central Web client.
In the IIS section, double-click Authentication.
In the Authentication pane, select Windows Authentication, and then select Advanced Settings.
Clear the Enable Kernel-mode authentication box, and then select the OK button.
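Both options edit the same windowsAuthentication section of applicationHost.config and can be scripted and checked from PowerShell. The following is an added example, not part of the Business Central documentation; it assumes the default site name Microsoft Dynamics 365 Business Central Web Client and the IIS WebAdministration module. Option 1 is applied; option 2 is shown commented out because the two are alternatives.

```powershell
# Added example (not from the Business Central documentation): apply option 1
# (useAppPoolCredentials) to the Business Central Web Server site in IIS, show where
# option 2 (disable kernel mode) would go, and verify the effective settings.
# Assumes the default site name below and the WebAdministration module.
Import-Module WebAdministration

$SiteName = 'Microsoft Dynamics 365 Business Central Web Client'
$Filter   = 'system.webServer/security/authentication/windowsAuthentication'
$PsPath   = 'MACHINE/WEBROOT/APPHOST'   # -Location targets the <location path="..."> section of applicationHost.config

# Option 1 (recommended): keep kernel-mode authentication, but decrypt tickets with the
# application pool identity instead of the machine account.
Set-WebConfigurationProperty -PSPath $PsPath -Location $SiteName -Filter $Filter -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $PsPath -Location $SiteName -Filter $Filter -Name useAppPoolCredentials -Value $true

# Option 2 (alternative to option 1, not in addition to it): turn kernel-mode authentication off.
# Set-WebConfigurationProperty -PSPath $PsPath -Location $SiteName -Filter $Filter -Name useKernelMode -Value $false

# Verify before restarting: either useAppPoolCredentials must be true, or useKernelMode must be false.
$Settings = Get-WebConfiguration -PSPath $PsPath -Location $SiteName -Filter $Filter
$Report = [pscustomobject]@{
    Site                  = $SiteName
    WindowsAuthEnabled    = $Settings.enabled
    UseKernelMode         = $Settings.useKernelMode
    UseAppPoolCredentials = $Settings.useAppPoolCredentials
}
$Report
if ($Report.UseKernelMode -and -not $Report.UseAppPoolCredentials) {
    throw 'Kernel-mode authentication is on without useAppPoolCredentials; Kerberos delegation will fail.'
}

# Either option only takes effect after IIS restarts.
iisreset
```

If the application pool runs under a domain user account rather than a built-in identity, that account must also hold the http SPN for the web server's host name so that it can decrypt the tickets; the SPN procedure on this page covers only Business Central Server, not the web server.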
Registering Service Principal Names for Business Central Server
When Business Central Server uses a dedicated domain user account as its logon account, you must register service principal names (SPNs) for Business Central Server on that domain user account to make delegation work. An SPN is the name by which a client uniquely identifies an instance of a service, tied to the account under which the service runs; the KDC uses it to pick the account key that encrypts the service ticket. To register SPNs, you use the setspn command-line tool that is available in Windows Server 2008 and Windows 7 and later.
Note
For Business Central 2022 Wave 1 (version 20) and earlier, you do not have to perform this task if the domain user account has permission to register SPNs. In that case, SPNs for Business Central Server are registered automatically when the Business Central Server instance starts and unregistered when the instance stops. Learn more about how to configure the service account to register SPNs in Provisioning the Service Account.
Create a service principal name
Using any computer in the network, open a command prompt as an administrator. To do this step, select Start, and then in the search window, type Command Prompt. Right-click Command Prompt, and then select Run as administrator.
To view the registered SPNs for Business Central Server on the domain account, type the following command.
setspn -l domain\username
To view the registered SPNs for a specific computer, type the following command.
setspn -l domain\computername$
At the command prompt, create an SPN for the Business Central Server service using the following syntax.
For Business Central 2022 Wave 1 (version 20) and earlier:
setspn -A DynamicsNAV/FullyQualifiedDomainNameOfServer:Port Domain\ServiceAccountUserName
For Business Central 2022 Wave 2 (version 21) and later:
setspn -A http/FullyQualifiedDomainNameOfServer Domain\ServiceAccountUserName
Replace FullyQualifiedDomainNameOfServer, Port, and Domain\ServiceAccountUserName with the appropriate values. For example, if BCSERVER is the name of the computer that is running Business Central Server in the corp domain, the version 20 command has the following format.
setspn -A DynamicsNAV/BCSERVER.corp:7046 corp\bcdomainuser
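The setspn -A form above registers the SPN without checking whether another account already holds it, and a duplicate SPN breaks Kerberos for that service (clients fall back to NTLM, which can't be delegated). The following added example, not part of the Business Central documentation, wraps the registration for either version in a check-then-add sequence; it assumes the server BCSERVER.corp, port 7046, and the service account corp\bcdomainuser from the page's example.

```powershell
# Added example (not from the Business Central documentation): register the Business
# Central Server SPN on the service account only if no other account already holds it,
# then run a forest-wide duplicate check and list what the account ended up with.
# Assumed values: BCSERVER.corp, port 7046, service account corp\bcdomainuser.
$Server         = 'BCSERVER.corp'
$Port           = 7046
$ServiceAccount = 'corp\bcdomainuser'
$BcVersion      = 21

# Version 20 and earlier registers DynamicsNAV/<fqdn>:<port>; version 21 and later registers http/<fqdn>.
# ${Server} is braced so PowerShell doesn't read "$Server:" as a scope or drive qualifier.
$Spns = if ($BcVersion -ge 21) { @("http/$Server") } else { @("DynamicsNAV/${Server}:$Port") }

foreach ($Spn in $Spns) {
    # setspn -Q prints "Existing SPN found!" and the holder's DN when the SPN is already registered.
    $Query = setspn -Q $Spn
    if ($Query -match 'Existing SPN found') {
        Write-Warning "SPN $Spn is already registered; fix the duplicate before continuing:`n$($Query -join "`n")"
        continue
    }
    # -S behaves like -A but aborts instead of creating a duplicate anywhere in the forest.
    setspn -S $Spn $ServiceAccount
}

# Forest-wide duplicate search: any SPN listed here is held by two or more accounts.
setspn -X

# What the KDC will actually use: the SPNs registered on the service account.
setspn -L $ServiceAccount
```

Run this from an elevated prompt with an account that may write servicePrincipalName on the service account. If the warning fires, remove the stale registration with setspn -D on the other account before re-running; do not register the same SPN twice.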
Related information
Business Central Web Server overview
Installing Business Central in a two computer environment
Installing Business Central in a three computer environment