How to: Implement Security Certificates in a Production Environment

You use certificates to help secure connections over a wide area network (WAN), such as connections from the Web server, Windows client, and web services to the Microsoft Dynamics NAV Server. Implementing security certificates on your deployment environment requires modifications to various components.

This topic describes how to implement security certificates on the Microsoft Dynamics NAV Server, the Microsoft Dynamics NAV Web Server components, and clients after you have obtained a service certificate, and the certificate of the root certification authority (CA) that issued it, from a trusted provider.

For general information about the requirements for certificates from a trusted provider and how to obtain them, see About Certificates for Production Environment.

Note

An instance of Microsoft Dynamics NAV Server that has been configured for secure WAN communication always prompts Microsoft Dynamics NAV Windows client or Microsoft Dynamics NAV Web client users for authentication when they start the client, even when the client computer is in the same domain as Microsoft Dynamics NAV Server.

Running the Certificates Snap-in for Microsoft Management Console

Some of the following procedures use the Certificates snap-in for Microsoft Management Console (MMC). If you do not already have this snap-in installed, you can add it to the MMC.

To add Certificates snap-in for Microsoft Management Console (MMC)

Installing and Configuring the Certificates

You install the security certificates on the computer running Microsoft Dynamics NAV Server, on computers running the Microsoft Dynamics NAV Windows client, and on the computer running the Microsoft Dynamics NAV Web Server components according to the following guidelines. Only the root CA certificate and the service certificate are used in the configuration; no client certificates are issued or installed, because users authenticate with credentials instead.

  1. Follow the installation instructions that are available from your certificate provider to install the root CA and service certificates on the following computers:

    • Install the root CA certificate on the computer that is running Microsoft Dynamics NAV Server and on all computers that are running the Microsoft Dynamics NAV Windows client or the Microsoft Dynamics NAV Web Server components.

    • Install the service certificate, together with its private key, on the computer that is running Microsoft Dynamics NAV Server only.

  2. Make sure that the Server Authentication and Client Authentication certificate purposes are enabled for the service certificate.

    A certificate can be enabled for several different purposes. The Server Authentication and Client Authentication purposes must be enabled. You can enable or disable other purposes to suit your requirements.

    You enable certificate purposes by using the Certificates Snap-in for MMC. For more information, see Modify the Properties of a Certificate.

Configuring Microsoft Dynamics NAV Server

After you have installed the root CA and the service certificate on the computer running Microsoft Dynamics NAV Server, you must grant access to the service account that is associated with the server so that the service account can access the service certificate’s private key. You must also change the configuration settings for Microsoft Dynamics NAV Server to enable remote logins.

To configure the computer running Microsoft Dynamics NAV Server

  1. In the left pane of MMC, expand the Certificates (Local Computer) node, expand the Personal node, and then select the Certificates subfolder.

  2. In the right pane, right-click the service certificate, select All Tasks, and then choose Manage Private Keys.

  3. In the Permissions dialog box for the certificate, choose Add.

  4. In the Select Users, Computers, Service Accounts, or Groups dialog box, enter the name of the dedicated domain user account that is associated with Microsoft Dynamics NAV Server, and then choose the OK button.

  5. In the Full Control field, select Allow, and then choose the OK button.

    Read permission is sufficient for the service account to use the private key; Full Control additionally lets that account change the key's permissions. If you want to limit the service account to what it needs, select Allow for Read only.

  6. In the right pane, select the certificate.

  7. In the Certificate dialog box, choose the Details tab, and then select the Thumbprint field.

  8. Copy or note the value of the Thumbprint field.

    For example, copy the hexadecimal characters to text editor, such as Notepad. Delete all spaces from the thumbprint string. If the thumbprint is c0 d0 f2 70 95 b0 3d 43 17 e2 19 84 10 24 32 8c ef 24 87 79, then change it to c0d0f27095b03d4317e219841024328cef248779.

    Tip

    It is important that the thumbprint does not contain any invisible extra characters; otherwise you will experience problems when using it later. To avoid this, see Certificate thumbprint displayed in MMC certificate snap-in has extra invisible unicode character.

  9. Start the Microsoft Dynamics NAV Server Administration tool. For more information, see Microsoft Dynamics NAV Server Administration Tool.

  10. Stop the Microsoft Dynamics NAV Server instance. For more information, see Managing Microsoft Dynamics NAV Server Instances.

  11. Modify the following settings for the Microsoft Dynamics NAV Server instance. For more information, see Configuring Microsoft Dynamics NAV Server.

    Key: Credential Type
    New value: NavUserPassword, Username, or AccessControlService
    Description: This parameter is on the General tab in the Microsoft Dynamics NAV Server Administration tool. The default value is Windows. When you change it to NavUserPassword, Username, or AccessControlService, client users who connect to the server are prompted for user name and password credentials. For more information on authentication mechanisms for Microsoft Dynamics NAV 2018, see Users and Credential Types. For information on how to provision users with initial username and password values, see How to: Create Microsoft Dynamics NAV Users.

    Key: Certificate Thumbprint
    New value: The value of the Thumbprint field from the previous procedure.
    Description: This parameter is on the Client Services tab in the Microsoft Dynamics NAV Server Administration tool. The default value is <key>. Remove any leading or trailing spaces in the thumbprint.

  12. If you want to use secure web services, then under SOAP Services and OData Services, select the Enable SSL check box.

  13. Save the new values for the server instance.

  14. Restart the Microsoft Dynamics NAV Server instance.

    If the instance fails to start, check the Application log in Windows Event Viewer for errors logged by the server instance; a thumbprint that does not match an installed certificate, or a service account without access to the private key, are reported there.
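The server-side procedure above, automated as an added PowerShell example (this is not code from the Microsoft Dynamics NAV documentation or product). It selects the service certificate in the local machine store, verifies that the certificate carries the Server Authentication and Client Authentication purposes, produces a thumbprint with no spaces or stray characters, grants the service account access to the private key, and writes the instance settings through the NAV administration cmdlets. Assumed values, all hypothetical: the service account CONTOSO\svc-nav, the instance name DynamicsNAV110, the certificate subject nav.contoso.com, and the path of NavAdminTool.ps1. The key names ClientServicesCredentialType, ServicesCertificateThumbprint, SOAPServicesSSLEnabled and ODataServicesSSLEnabled are the configuration keys behind the Administration tool fields named in the steps. The script grants Read on the private key, which is all the service needs; set $KeyPermission to FullControl to follow the procedure exactly.

```powershell
<#
  Added example, not from the Microsoft Dynamics NAV documentation or product.
  Run in an elevated PowerShell session on the Microsoft Dynamics NAV Server computer
  after the root CA certificate and the service certificate have been installed.
  Assumed (hypothetical) values: instance name, service account, certificate subject,
  and the NavAdminTool.ps1 path.
#>
param(
    [string]$ServerInstance     = 'DynamicsNAV110',      # assumed instance name
    [string]$ServiceAccount     = 'CONTOSO\svc-nav',     # assumed NAV Server service account
    [string]$CertificateSubject = 'nav.contoso.com',     # assumed CN of the service certificate
    [ValidateSet('NavUserPassword', 'Username', 'AccessControlService')]
    [string]$CredentialType     = 'NavUserPassword',
    [string]$KeyPermission      = 'Read',                # procedure says Full Control; Read is enough to use the key
    [string]$NavAdminTool       = "$env:ProgramFiles\Microsoft Dynamics NAV\110\Service\NavAdminTool.ps1"
)
$ErrorActionPreference = 'Stop'

# 1. Pick the newest certificate with a private key whose subject CN is the server name.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -match "CN=$([regex]::Escape($CertificateSubject))(,|$)" } |
    Sort-Object -Property NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for CN=$CertificateSubject in LocalMachine\My" }

# 2. The certificate itself must carry the Server Authentication and Client Authentication EKUs;
#    the MMC purposes dialog can only disable purposes that the certificate already has.
$required = @{ '1.3.6.1.5.5.7.3.1' = 'Server Authentication'; '1.3.6.1.5.5.7.3.2' = 'Client Authentication' }
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if (-not $ekuExt) {
    Write-Warning 'Certificate has no EKU extension, so it is valid for all purposes.'
} else {
    $present = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
    foreach ($oid in $required.Keys) {
        if ($present -notcontains $oid) { throw "Certificate is missing the $($required[$oid]) purpose ($oid)" }
    }
}

# 3. Thumbprint in the form the server expects: 40 hex characters, no spaces, no invisible characters.
$thumbprint = ($cert.Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($thumbprint.Length -ne 40) { throw "Unexpected thumbprint '$thumbprint'" }

# 4. Grant the service account access to the private key file (what Manage Private Keys does in MMC).
#    Software keys are stored in one of two locations depending on the provider (CNG or legacy CSP).
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $rsa.CspKeyContainerInfo.UniqueKeyContainerName
} else {
    throw 'Private key is not a software RSA key (hardware or non-RSA provider); set permissions in MMC instead.'
}
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, $KeyPermission, 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# 5. Stop the instance, write the settings behind the Administration tool fields, start it, and confirm.
. $NavAdminTool
Set-NAVServerInstance -ServerInstance $ServerInstance -Stop
$settings = [ordered]@{
    ClientServicesCredentialType  = $CredentialType   # General tab: Credential Type
    ServicesCertificateThumbprint = $thumbprint       # Client Services tab: Certificate Thumbprint
    SOAPServicesSSLEnabled        = 'true'            # SOAP Services: Enable SSL
    ODataServicesSSLEnabled       = 'true'            # OData Services: Enable SSL
}
foreach ($key in $settings.Keys) {
    Set-NAVServerConfiguration -ServerInstance $ServerInstance -KeyName $key -KeyValue $settings[$key]
}
Set-NAVServerInstance -ServerInstance $ServerInstance -Start
$state = (Get-NAVServerInstance -ServerInstance $ServerInstance).State
if ($state -ne 'Running') {
    throw "Instance $ServerInstance is $state; check the Application log in Event Viewer for the startup error."
}
"Configured $ServerInstance: thumbprint $thumbprint, credential type $CredentialType, $KeyPermission on key for $ServiceAccount"
```

Step 2 reads the Enhanced Key Usage extension of the certificate rather than the purposes shown in the MMC Properties dialog, because those check boxes are a local store property that can only restrict what the certificate already allows; a certificate issued without the Client Authentication purpose cannot be fixed in MMC and must be reissued. If the private key is held in a hardware provider, step 4 stops and the permission has to be set through the provider's own tooling or MMC.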

Configuring the Microsoft Dynamics NAV Windows client or Microsoft Dynamics NAV Web Server components

With chain trust, every user of the Microsoft Dynamics NAV Windows client on a computer can log on to any instance of Microsoft Dynamics NAV Server whose certificate chains to the installed root CA, provided their login credentials are associated with user accounts in Dynamics NAV. The client validates that the server's certificate chains to that trusted root CA and that the certificate's subject matches the DnsIdentity configured on the client.

After you have installed the root CA on the computer running the Microsoft Dynamics NAV Windows client or Microsoft Dynamics NAV Web Server components, you must modify the client configuration file.

To modify the Microsoft Dynamics NAV Windows client configuration file

  1. Open the ClientUserSettings.config configuration file.

    The location of this file is Users\<username>\AppData\Roaming\Microsoft\Microsoft Dynamics NAV\<version>.

    By default, this file is hidden. Therefore, you may have to change your folder options in Windows Explorer to view hidden files.

    Note

    If you want to change the default Microsoft Dynamics NAV Windows client settings for all future users, edit the default ClientUserSettings.config file, that is, the one in C:\Program Files\Microsoft Dynamics NAV\110. Be sure that you run your text editor with Administrator privileges when you do so.

  2. Modify the following settings.

    Key: ClientServicesCredentialType
    New value: NavUserPassword, Username, or AccessControlService
    Description: The default value is Windows. When you change it to NavUserPassword, Username, or AccessControlService, client users are prompted for user name and password credentials. For more information on authentication mechanisms for Microsoft Dynamics NAV 2018, see Users and Credential Types. For information on how to provision users with initial username and password values, see How to: Create Microsoft Dynamics NAV Users.

    Key: DnsIdentity
    New value: The subject name of the service certificate.
    Description: The default value is <identity>. Replace this with the subject name or common name (CN) of the certificate that is used on the computer that is running Microsoft Dynamics NAV Server.

  3. Save and close the ClientUserSettings.config file.

    When users start the Microsoft Dynamics NAV Windows client, they are prompted for a valid user name and password.
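The Windows client procedure above, as an added PowerShell example (not code from the Microsoft Dynamics NAV documentation or product). It backs up and edits ClientUserSettings.config, sets ClientServicesCredentialType, and derives DnsIdentity from the public part of the service certificate instead of typing it by hand, so the value is exactly the DNS name the certificate carries. Assumptions, all hypothetical: the administrator exported the service certificate without its private key to C:\Temp\nav-service.cer and copied it to the client, the file is the per-user one in the location given above, and the function names Get-DnsIdentityFromCertificate and Set-NavClientSetting are this example's own.

```powershell
<#
  Added example, not from the Microsoft Dynamics NAV documentation or product.
  Run as the user whose ClientUserSettings.config you want to change, or point
  -ConfigPath at the default file under Program Files from an elevated session.
  Assumed: the service certificate's public part was exported from the server as
  C:\Temp\nav-service.cer (hypothetical path) and copied to this client.
#>
param(
    [string]$ConfigPath = "$env:APPDATA\Microsoft\Microsoft Dynamics NAV\110\ClientUserSettings.config",
    [string]$ServiceCertificateFile = 'C:\Temp\nav-service.cer',
    [ValidateSet('NavUserPassword', 'Username', 'AccessControlService')]
    [string]$CredentialType = 'NavUserPassword'
)
$ErrorActionPreference = 'Stop'

function Get-DnsIdentityFromCertificate {
    # Returns the DNS name the certificate was issued for: the first DNS entry of the
    # Subject Alternative Name, or the subject CN when there is no SAN. This is the
    # string the client compares against the identity of the server it connects to.
    param([string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    $name = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ([string]::IsNullOrWhiteSpace($name)) { throw "Certificate $Path carries no DNS name" }
    return $name
}

function Set-NavClientSetting {
    # Sets <add key="..." value="..."/> under <appSettings>, creating the element if it is absent.
    param([xml]$Config, [string]$Key, [string]$Value)
    $node = $Config.SelectSingleNode("/configuration/appSettings/add[@key='$Key']")
    if (-not $node) {
        $node = $Config.CreateElement('add')
        $node.SetAttribute('key', $Key)
        [void]$Config.SelectSingleNode('/configuration/appSettings').AppendChild($node)
    }
    $node.SetAttribute('value', $Value)
}

if (-not (Test-Path -Path $ConfigPath)) { throw "Configuration file not found: $ConfigPath" }
Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force   # keep a copy to roll back

[xml]$config = Get-Content -Path $ConfigPath -Raw
$dnsIdentity = Get-DnsIdentityFromCertificate -Path $ServiceCertificateFile

Set-NavClientSetting -Config $config -Key 'ClientServicesCredentialType' -Value $CredentialType
Set-NavClientSetting -Config $config -Key 'DnsIdentity' -Value $dnsIdentity
$config.Save($ConfigPath)

# Show the resulting values. A DnsIdentity that differs from the DNS name in the
# certificate is the usual reason the client rejects the server's identity.
foreach ($key in 'Server', 'ClientServicesCredentialType', 'DnsIdentity') {
    $node = $config.SelectSingleNode("/configuration/appSettings/add[@key='$key']")
    '{0,-30} {1}' -f $key, $(if ($node) { $node.GetAttribute('value') } else { '(not set)' })
}
```

The Server key, which the script only displays, is the host the client connects to; it does not have to equal DnsIdentity, but the certificate that host presents must be the one the DnsIdentity was taken from. Re-run the script against each user's file, or against the default file under Program Files, when the service certificate is renewed with a different subject.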

To modify the Microsoft Dynamics NAV Web client configuration file

  1. On the computer on which the Microsoft Dynamics NAV Web Server components are installed, open the Microsoft Dynamics NAV Web client configuration file in a text editor, such as Notepad.

  2. Change the following settings:

    Key: ClientServicesCredentialType
    New value: NavUserPassword, Username, or AccessControlService
    Description: The default value is Windows. When you change it to NavUserPassword, Username, or AccessControlService, client users who connect to the server are prompted for user name and password credentials. For more information on authentication mechanisms for Microsoft Dynamics NAV 2018, see Users and Credential Types. For information on how to provision users with initial username and password values, see How to: Create Microsoft Dynamics NAV Users.

    Key: DnsIdentity
    New value: The subject name of the service certificate.
    Description: The default value is <identity>. Replace this with the subject name or common name (CN) of the certificate that is used on the computer that is running Microsoft Dynamics NAV Server.

  3. Save the configuration file.

    For more information about configuring the credential type for the Microsoft Dynamics NAV Web client, see How to: Configure Authentication of Microsoft Dynamics NAV Web Client Users.