Service Principle Names for Microsoft Dynamics NAV 2009

With its introduction in Microsoft Dynamics NAV 2009, the Role Tailored Client (RTC) has brought much joy to everyone at Tecman, with its friendly user interface, customisation options and added functionality.

One down side, however, is that NAV 2009’s 3 tier setup, with the new service tier between the client and the server, makes setup slightly more involved.

Microsoft provide a pretty comprehensive walkthrough online and in the NAV help, but I’ll cover some of the basics and points that aren’t covered in the official documentation.

Security between the RTC and the service tier uses Kerberos. We don’t need to know anything about how this works, other than that it relies on knowing the domain user account at either end of the connection. The RTC obviously knows the domain user running at the client end, but has no way of knowing which account is running the service tier (Microsoft Dynamics NAV Server service). This is where service principle names (SPNs) come in.

The service principle name links a specific service, running on a specific machine and port to a domain account. We can use an SPN to tell the RTC the domain account that is running the service tier service. The RTC can then authenticate using Kerberos.

SPNs can be created using the setspn command, with the following syntax:

setspn –a [Service Tier Instance Name]/[Server Name]:[Service Tier Port] [Domain]\[User]

for example,

setspn –a DynamicsNAV/MiddleTierServer:7046 TECMAN\Administrator

Note that if you are setting up an SPN for NAV 2009 pre service pack 1 then you need to use the fully qualified domain name of the server instead e.g.

You can delete an SPN by replacing the –a with –d in the above command or list the SPNs set against a domain account with:

setspn –l [Domain]\[User]


All of the above is for setting up the RTC to connect to the service tier, but the same principle applies for the web services. You can test the web services by visiting the following URL with Internet Explorer (replace the server, port and instance name as appropriate).


Internet Explorer should authenticate using Kerberos and provide a list of the available services (other browsers won’t do this), but if you get a prompt for username and password you’ll need to set an SPN for the web services.

The syntax for this is:

setspn –a HTTP/[Fully Qualified Domain Name of Server] [Domain]\[User]

for example,

setspn –a HTTP/ TECMAN\Administrator

Leave a Reply