Have you ever tried to create a NAV 2009 Server service that runs under a domain account, only to find that when you try to start it, the service starts and then immediately stops again?
Then, if you look in the Windows Event Log for the error message you see something like this…
The service MicrosoftDynamicsNavServer$DynamicsNAV failed to start. This could be caused by a configuration error. Detailed error information:System.ServiceModel.CommunicationException: The service endpoint failed to listen on the URI 'net.tcp://vm-dev-100118.rad.intergen.org.nz:7046/DynamicsNAV/Service' because access was denied. Verify that the current user is granted access in the appropriate allowedAccounts section of SMSvcHost.exe.config. ---> System.ComponentModel.Win32Exception: Access is denied
I’ve had this a few times and my sledgehammer solution has been to make the domain account that is running the service a member of the local machine Administrators group. OK, I realise this is overkill but it works.
Today I finally took the time to figure out the correct way of granting the permissions to the domain account to allow it to listen on the specified port.
First of all we need to know the SID for the domain account. There may be other ways to find this out, but here is a suggestion that works:
- Start a command prompt running under the context of the user whose SID you want to know by typing runas /user:domain\nav2009nstuser cmd.exe in a command prompt, where domain is your domain and nav2009nstuser is the account that is running the NAV Server Tier.
- The system will prompt for the nav2009nstuser password.
- A new command prompt opens and you will notice in the title of the window it says cmd.exe (running as domain\nav2009nstuser).
- In this new command window type whoami /user
- You will see the SID of the user account. Copy this as you will need it in the next step.
These instructions are meant to work on Windows 7, so apologies if some of these things don’t work for you.
Now you need to edit the C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe.config file or the C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe.config file.
The file includes a <runtime> element and, beneath that, a commented-out section that shows what to include for the net.tcp permissions we want to add. Insert the following section below the </runtime> closing tag and before the start of the comment, so that this part of the file looks like this…
    </runtime>
    <system.serviceModel.activation>
        <net.tcp listenBacklog="10" maxPendingConnections="100" maxPendingAccepts="2" receiveTimeout="00:00:10" teredoEnabled="false">
            <allowAccounts>
                <add securityIdentifier="S-1-1-1 this is your SID"/>
            </allowAccounts>
        </net.tcp>
    </system.serviceModel.activation>
    <!-- Below are some sample config settings:
Replace S-1-1-1 this is your SID with the correct SID you found in the previous step.
Now reboot the machine (restarting the service is not enough).
Your service should now start correctly. Thanks to Dominick Baier who posted on http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/b1cc46af-a70d-4793-b5fe-b61450ef5387 which gave me the info I needed to get this working.
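A read-only way to check the result of the steps above, as an added example that is not part of the original post: this PowerShell script resolves the service account to its SID and reports whether that SID is in the allowAccounts list, and whether any broad group SID has been granted the same right. The account name, the function names and the sample XML with its SID are placeholders constructed for illustration.

```powershell
# Added example, not from the original post: read-only audit of the net.tcp
# allowAccounts list. The account name and the sample XML are placeholders.
$Account = 'domain\nav2009nstuser'
# Well-known SIDs of broad groups that should not normally be granted this right.
$Broad = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users'; 'S-1-5-32-545' = 'Users' }

function Get-AccountSid([string]$Name) {
    # Same value "whoami /user" prints, without opening a runas prompt.
    $nt = New-Object System.Security.Principal.NTAccount($Name)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Test-AllowAccounts([xml]$Config, [string]$Sid) {
    # XPath skips XML comments, so the commented-out sample block is not counted.
    $xpath = '/configuration/system.serviceModel.activation/net.tcp/allowAccounts/add'
    $listed = @($Config.SelectNodes($xpath) | ForEach-Object { $_.GetAttribute('securityIdentifier') })
    New-Object PSObject -Property @{
        Entries   = $listed.Count
        SidListed = ($listed -contains $Sid)
        BroadSids = @($listed | Where-Object { $Broad.ContainsKey($_) })
    }
}

# Constructed sample: the section from the post with a made-up SID plus "Everyone".
$sample = @'
<configuration>
  <system.serviceModel.activation>
    <net.tcp listenBacklog="10" maxPendingConnections="100" maxPendingAccepts="2" receiveTimeout="00:00:10" teredoEnabled="false">
      <allowAccounts>
        <add securityIdentifier="S-1-5-21-1111111111-2222222222-3333333333-1104"/>
        <add securityIdentifier="S-1-1-0"/>
      </allowAccounts>
    </net.tcp>
  </system.serviceModel.activation>
</configuration>
'@
Test-AllowAccounts $sample 'S-1-5-21-1111111111-2222222222-3333333333-1104'

# Live check of both copies named in the post; skipped when the account or file is absent.
try { $sid = Get-AccountSid $Account } catch { $sid = $null; Write-Warning "Cannot resolve ${Account}" }
$rel = 'v3.0\Windows Communication Foundation\SMSvcHost.exe.config'
foreach ($fx in 'Framework', 'Framework64') {
    $path = Join-Path $env:windir "Microsoft.NET\$fx\$rel"
    if ($sid -and (Test-Path -LiteralPath $path)) {
        $r = Test-AllowAccounts (Get-Content -LiteralPath $path | Out-String) $sid
        "{0}: listed={1} entries={2} broad={3}" -f $path, $r.SidListed, $r.Entries, ($r.BroadSids -join ',')
    }
}
```

The script only reads the files, so it can be run before and after the edit to confirm that the service account's SID is the only thing that changed.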
Posted 01-20-2010 1:31 p.m. by David Roys