Hello GP Community,

This article compiles the solutions to common problems relating to Web Client, I have broken down the errors based on type of error.

  • HTTP Errors
  • Login Errors
  • Correlation/Event Viewer Errors
  • Additional Tips

I have also included:

  • Web Client Pre-Requisites
    • Server Roles and Features
    • Server Certificate Installation (Self-signed & Wild Card)
    • Active Directory Groups
  • How to install Web Client
  • Recommended Steps for Uninstalling/Reinstalling Web Client
  • Web Client Logs and how to capture them.

HTTP Errors

401.1 Access Denied on Web Management Console

  • https://community.dynamics.com/gp/b/dynamicsgp/archive/2014/10/20/401-1-access-denied-on-web-management-console-automatic-web-client-login-not-working

401.2: Unauthorized:  Access Denied due to Invalid Credentials

  • when trying to log into Web Management Console
  • Make sure users are added to the Web Client Admin Group in Active Directory


HTTP Error 500.19

  • Double Check that all IIS Pre-Requisites are installed (See Pre-Requisites below)


HTTP Error 503. The service is unavailable.

This indicates an issue with the App Pools, the identity used by the App Pools does not have correct permissions or an issue with the URL Reservation.

Cause 1: The App Pools for Web Client are not running.

Resolution 1: Use the following steps to check.

  1. Make sure both the DynGPWebApp and DynGPWebMgmt application pools are started.
  2. Open IIS, then go to the application pools and check to make sure they are started.
    1. If they are not, right-click on the application pool, then click Start.

 ----------------

Cause 2: The identity used by the application pools does not have sufficient rights.

Resolution 2: The account that is used for the AppPool in IIS needs to have "Logon as a Batch Job" and "Log on Locally" rights or be a member of the Local Administrators Group.

---------------

Cause 3: Extra URL Reservation added to IIS Server.

Resolution 3:     Use the following steps.

  1. Open CMD as Administrator
  2. Run: netsh http show urlacl
  3. Do you have a reservation for https://+:443/ ?  If so we need to remove this.
  4. Run: netsh http delete urlacl url=https://+:443/
  5. Run: iisreset
  6. Restart application pools
  7. Restart GP Session Central Service and GP Session Service Services
  8. Test again.


End Point not found or There was no endpoint listening

  • Make sure that the GP Session Central Service and the GP Session Service Services are running.
  • If they will not start, the best option is to uninstall/reinstall completely.
  • If the issue continues after a reinstall try the following:

    Review the SessionService.config file located at C:\Program Files\Microsoft Dynamics\GP Web Components\SessionService by default for the following line:

    Then restart the Session Central and Session Service services

Login Errors

Web Client user can login, but errors are showing up in SQL error log

The Runtime Service uses the FQDN if it is a self-signed certificate or one created in CA. If using a third-party certificate, you could potentially have it setup.

The fact that your users can login to Web Client but get prompted for the GP login window means that Identity Management is not setup correctly. The 3 parts of this setup is:

  1. In GP Utilities, you create a proxy login which then gets created in SQL with the DYNGRP role assigned for all system and company databases for GP.
  2. When installing Web Client, this exact proxy login and password needs to be entered in the GP Configuration window, which shows the paths to your GP code directory, Dex.ini and Dynamics.set file.
  3. Lastly, in the User Setup window in GP, the GP logins need to be tied/associated to the Windows account they are logging into Web Client's initial login window as.

If this is all setup correctly, then yes, when the user logs onto Web Client using their Windows account, it should see they are tied to a GP login and log them into the GP application automatically as that user, only seeing a company selection window if they have access to more than one GP company.

I'd verify the above 3 settings again, as most likely they are not correct. I'd also recommend not copying/pasting user ids and passwords as well, as I've seen that not always work.

When attempting to log into Web Client: A problem occurred creating a session. Please try again later or contact your administrator.

  • Make sure Web Client Runtime is installed on the Web Client Server.

"The username and password supplied are not valid credentials for using Microsoft Dynamics GP. "

  • Make sure the login user has assigned to web client users group.
  • If you have reinstalled/installed multiple times, you will want to follow the steps above for Uninstalling and Reinstalling Web Client.

Logon failure: the user has not been granted the requested logon type at this computer

  • Log on as a batch - service account for web client.
  • Log on as a service - service account for web client.
  • Allow Log on locally - Users need to be able log into the server.  Add the Web Client User Group to this option.

You are not allowed to use Microsoft Dynamics GP. Please sign out and sign in with an authorized account

The error means that the user account the user is signing in as is not on the list of allowed Web Client users.

The list of allowed users can be found by running a repair of the Web Client, or running this script against the GPConfiguration database (usually on the same SQL Server as GP):

  Select * from [GPCONFIGURATION]..[ServiceSecurity] where GroupID like '%GPWebUserAccounts%'

This should return results like this:

This result means the Dyn-gp-kb group should have access to my Web Client. The user would need to be add to that group within AD, and would need to make sure to enter in their Domain/username and not just username when logging into the Web Client.

If a user/group needs to be added to the list, a repair of the Web Client would be required.

After logging into Web Client, immediately get in Red Bold type:

Error:
An error has occurred processing this request.

If there are no errors in the Event Viewer on the Web Client Server or on the local computer where you are getting the message.

  • This can be caused by unsupported special characters in the Users AD Password.
  • Permission Error - Add Web Client User AD Group to Local Security Policy - Allow Log on Locally
  • Make sure the service account for the Application Pools and for the GP Session Central/Session Services are added to the following Local Security Policies
    • Allow Log on Locally
    • Log on as a Batch
    • Log on as a Service
  • After making these changes
    • Open Command Prompt as Admin and run iisreset.
    • Restart GP Session Central Service
    • Restart GP Session Services Service

You are able to login but are stuck at a GP Splash page, the shows just the Microsoft Dynamics GP logo.

  • Make sure Web Client Runtime is installed on the Web Client Server.
  • Make sure you are using the FQDN that matches the Certificate for the site.

Organizational Account Login Considerations

If you are using Organizational Accounts (as opposed to Windows Authentication) in your Web Client deployment you may find that you are forced to stop at the Dynamics GP User Login window when logging into the Web Client.  Since you cannot assign an Organizational Account to your Dynamics GP users in the Desktop Client it will have to be done in the Web Client.  This means that the very first Web Client login will need to be done using a GP user (e.g. sa).  You can then navigate to the User Maintenance window and tie Org Accounts to each GP User as appropriate.  After that the Identity Management feature should work and allow you to go from the Web Client login window directly to Company Selection or even straight into the Web Client session if you have a company remembered.  For more information on using Organizational Accounts with the Dynamics GP Web Client you can refer to the following article:

Dynamics GP 2018: Organizational Accounts and Workflow

CorrelationID/Event Viewer Errors

A problem occurred creating a session. See the Session Central Service logs for more information.

  • Make sure WebClient Runtime is installed


Session Central Service was not able to successfully communicate with the session service

The user has not been granted the requested logon type at this computer

  • Grant the Web Client User Group to be a local admin on the server
  • Or Open Local Security Policy on the Server, navigate to Allow log on locally, then add the Web Client User Group.


System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

  • Reinstalled Dynamics GP Web Client


The target principal name is incorrect. Cannot generate SSPI context. Unexpected error occurred when logging in

  • Cause: Windows 15 Character limit on Machine name
  • Resolution:  Review the name of your machine with what Web Client is looking for.
    Review the service configuration to the actual name of your machine. (Start>>Right click on Computer and select properties.) With windows, there is a restriction on the character limit for your machine name. There is a Windows restriction that states that anything after the 15th character in the name of the server is a suffix and is basically dropped.  If you are over this limit, unfortunately you will need to rebuild the machine or VM with a new name.

A problem occurred creating a session.  Please try again or contact an administrator.  The following session host was not found in Session Central.

  • Cause: SQL Services were running under domain credentials rather than local service accounts.
  • Resolution:  Switch the SQL Services back to a local service account.  (Network Service Account)


Sever cannot set status after HTTP headers have been sent

  • Make sure you are using the FQDN for the site.
  • Confirm that the SSL Certificate is install in the Trusted Root Certificate store on each workstation connecting to web client.
  • Confirm that you have all pre-requisites installed on the Web Client Server.
  • Confirm that Session Service is running.


A loader exception has occurred.

Loader Errors:

Microsoft.Dynamics.Security.InvalidSecurityContextException: Microsoft.Dynamics.Security.NonExistentSecurityObjectException : The security object does not exist.  Key = 25cc1a21-2cc4-4b13-a1c8-eea186fb688a

  • Uninstall/Reinstall Web Components

An error occurred while processing your request.  An unauthorized attempt to call the ReportSessions operation on Session Central was made by DOMAIN\asmith user.

This error can indicate a user has been deleted from Active Directory but was still in the ServiceSecurity table in GPCONFIGURATION.  Delete record in GPCONFIGURATION.

Additional Tips

Images are not appearing on homepage.

  • Grant permissions to C:\Program Files\Microsoft Dynamics


If you wanted to mass delete sessions: This post may be of use to you.

https://community.dynamics.com/gp/b/gpmohammad/archive/2014/12/07/dynamics-gp-web-client-kill-all-web-client-sessions

Web Client Pre-Requisites

IIS Pre-Requisites

  1. Add Roles and Features
  2. Web Server IIS under Server Roles must include the following selections:
    1. Web Server
      1. Common HTTP Features
        1. Default Document
        2. Directory Browsing
        3. HTTP Errors
        4. Static Content
        5. HTTP Redirection
      2. Health and Diagnostics
        1. HTTP Logging
        2. ODBC Logging
      3. Performance
        1. Static Content Compression
      4. Security
        1. Request Filtering
        2. Windows Authentication
  3. Under Features - Confirm Selections for .NET Framework
    1. .NET Framework 3.5 Features
      1. .NET Framework 3.5 (includes .NET 2.0 and 3.0)
      2. HTTP Activation
    2. .NET Framework 4.6 Features
      1. .NET Framework 4.6
      2. ASP.NET 4.6
      3. WCF Services
        1. HTTP Activation
        2. TCP Port Sharing


Check Certificate Installation (Self Signed Certificate)

  • https://docs.microsoft.com/en-us/dynamics-gp/web-components/security-certificates-and-ssl
  1. Start -> Manage Computer Certificates
  2. Needs to be in Personal -> Certificates
  3. Must have a Friendly name
    1. Friendly name cannot contain spaces or special characters
  4. Confirm the Certificate shows the following if you have a private key for the certificate


Check Certificate Installation (Wild Card Certificate)

  • https://docs.microsoft.com/en-us/dynamics-gp/web-components/security-certificates-and-ssl
  1. Start -> Manage Computer Certificates
  2. Needs to be imported to the following:
    1. Personal -> Certificates
    2. Third-Party Root Certification Authorities -> Certificates
    3. Web Hosting
  3. Must have a Friendly name
    1. Friendly name cannot contain spaces or special characters
  4. Confirm the Certificate shows the following if you have a private key for the certificate


Open IIS

  1. Click on the Server
    1. Open Server Certificates
    2. Confirm your certificate is showing with the friendly name
  2. Click on the Site
    1. Click on Bindings (on far right side of the screen)
    2. Add https and attach your Certificate
      1. Leave the Host name blank.

Active Directory Groups

  • https://docs.microsoft.com/en-us/dynamics-gp/web-components/security-groups-and-user-accounts

You will need to have 2 Active Directory Groups setup

  1. A group for Web Client Users
    1. This group will be able to log into Web Client
  2. A group for Web Client Administrators
    1. This group will be able to log into Web Management Console

Install Dynamics GP with Web Client Runtime option

  • Confirm you are able to log into GP

At this point, you have all necessary Pre-requisites in place and will be able to install Web Client.

How to install Web Client

  • https://docs.microsoft.com/en-us/dynamics-gp/web-components/scale-out-installation
  • Only install the Certificate where it is required.

Recommended Steps for Uninstalling/Reinstalling Web Client.

  1. Uninstall GP Web Components
  2. Delete the GPCONFIGURATION database.
  3. Restart the IIS server
  4. Delete GP Web Components from C:\Program Files\Microsoft Dynamics
  5. Install Web Client
    1. For Session Central and Session Services, do not bind the SSL to those services as it is optional.
  6. Log into Web Client.
  7. Log into WebMangementConsole

Helpful logs when troubleshooting errors logging in or inside web client.

  • Runtime Log
  • Script Log
  • Timing Log
  • SQL Log

To capture these logs open Web Management Console and Web Client.

  1. Log into Web Client with AD User, but do not log into GP with SQL creds yet.
  2. Log into Web Management Console
    1. Under Session Choose the new session
    2. Click on Logging
    3. Choose all 4 options
    4. Click okay
  3. Now back on the Web Client tab, log in with the HR user creds to GP.
  4. Let Web Client run till it errors out or you know it is done processing.
  5. Back to the Web Management Console Tab
    1. Click on the session again
    2. Click on Logging
    3. Uncheck all options
    4. Click okay.

The log files are located at C:\ProgramData\Microsoft Dynamics\GPSessions\Logs.