Authentication and Credential Types for Dynamics 365 Business Central

In Business Central online, users are added through the Office 365 Admin Center. Once users are created in Office 365, they can be imported into the Users window in Business Central. For more information, see Managing Users and Permissions in the business functionality content.

Configuring Authentication for On-Premises Deployments

An on-premises deployment of Business Central supports several credential authorization mechanisms for users. When you create a user, you provide different information depending on the credential type that you are using in the current Business Central Server instance.

Important

All users of a Business Central Server instance must be using the same credential type. In on-premises deployments, you can specify which credential type is used for a particular Business Central Server instance in the Business Central Server Administration tool.

Credential Types

Business Central on-premises supports the following credential types.

Credential types Description
Windows With this credential type, users are authenticated using their Windows credentials. You can only specify Windows as the credential type if the corresponding user exists in Windows (Active Directory, local workgroup, or the local computer’s users). Because they are authenticated through Windows, Windows users are not prompted for credentials when they access Business Central.
UserName With this setting, the user is prompted for username/password credentials when they access Business Central. These credentials are then validated against Windows authentication by Business Central Server. There must already be a corresponding user in Windows. Security certificates are required to protect the passing of credentials across a wide-area network. Typically, this setting should be used when the Business Central Server computer is part of an authenticating Active Directory domain, but the computer where the Dynamics NAV Client connected to Business Central is installed is not part of the domain.
NavUserPassword With this setting, authentication is managed by Business Central Server but is not based on Windows users or Active Directory. The user is prompted for username/password credentials when they start the client. The credentials are then validated by an external mechanism. Security certificates are required to protect the passing of credentials. This mode is intended for hosted environments, for example, where Business Central is implemented in Azure.
AccessControlService With this setting, Business Central relies on Azure Active Directory (Azure AD\ for user authentication services.

Azure AD is a cloud service that provides identity and access capabilities, such as for applications on Azure, in Microsoft Office 365, and for applications that install on-premises. If the Business Central Server instance is configured to use AccessControlService authentication, you can specify an Azure AD account for each user in the Office 365 Authentication field so that they can access both the Business Central and their Office 365 site. Also, if you use Business Central in an app for SharePoint, users have single sign-on between the SharePoint site and Business Central. For more information, see Authenticating Users with Azure Active Directory or Authenticating Users with Active Directory Federation Services.

Security certificates are required to protect the passing of credentials across a wide-area network.
None For internal use on system sessions and typically should not be used. If you choose None, then the Business Central Server instance cannot start.
ExchangeIdentity and TaskScheduler For internal use only. Do not use.

Important

If Business Central Server is configured to use NavUserPassword or AccessControlService authentication, then the username, password, and access key can be exposed if the SOAP or OData data traffic is intercepted and the connection string is decoded. To avoid this condition, configure SOAP and OData web services to use Secure Socket Layer (SSL). For more information, see Walkthrough: Configuring Web Services to Use SSL (SOAP and OData) in the ITPro content for Microsoft Dynamics NAV 2018.

Configuring the Credential Type for Client and Server

For on-premises deployment, you must make sure that clients and Business Central Server are configured to use the same credential type.

When you change the credential type for a Business Central Server instance and the relevant client configurations, the changes take effect when you restart the Business Central Server instance and users connect to the instance again.

Server Configuration

To edit the configuration for the Business Central Server instance, you can use either the Business Central Server Administration tool or the Business Central Administration Shell. In the Business Central Server Administration tool, you configure the credential type in the Credential Type field on the General tab. Alternatively, you can edit the CustomSettings.config file. For more information, see Configuring Business Central Server.

Important

When Business Central Server services are deployed on Azure but not as part of Business Central online, you must configure them on Azure. For more information, see How to: Open Microsoft Dynamics NAV Clients that Connect to Microsoft Dynamics NAV on Microsoft Azure in the ITPro content for Microsoft Dynamics NAV 2018.

Client Configuration

In the relevant configuration file, find the ClientServicesCredentialType parameter and change the value to one of the options listed earlier.

For the Business Central Web client users, you must modify the navsettings.json for the Business Central Web Server. The navsettings.json file is a Java Script Object Notification file type that is similar to files that use the XML file format. The file is stored in the physical path of the web server instance, which is by default is c:\inetpub\wwwroot\BC140. For more information, see Settings in the navsettings.json.

For each Dynamics NAV Client connected to Business Central user, you must modify the ClientUserSettings.config file. The default location for this file is C:\Users\<username>\AppData\Roaming\Microsoft\Microsoft Dynamics NAV\130, where <username> is the name of the user. For more information, see Configuring the Microsoft Dynamics NAV Windows Client in the ITPro content for Microsoft Dynamics NAV 2018.

Security Certificates

With UserName, NavUserPassword, and AccessControlService credential types require that you install and configure security certificates on components. For more information, see Using Security Certificates with Business Central On-Premises

See Also

Understanding Users, Profiles, and Role Centers
Configuring Business Central Server

[]