How to: Implement Security Certificates in a Production Environment

After you have installed and configured Microsoft Dynamics NAV Server and obtained a service certificate and a root certification authority (CA) from a trusted provider, you must install the certificates on the computer running Microsoft Dynamics NAV Server. Complete instructions are available from your certificate provider.

The root CA certificate and the service certificate are used in the configuration, but client certificates are not. The root CA must be installed on the computer running Microsoft Dynamics NAV Server and all computers running the Microsoft Dynamics NAV Windows client or Microsoft Dynamics NAV Web Server components. The service certificate must only be installed on the computer running Microsoft Dynamics NAV Server.

Most enterprises and hosting providers have their own infrastructure for issuing and managing certificates. You can also use these certificate infrastructures. The only requirement is that the service certificates must be set up for key exchange and therefore must contain both private and public keys.

Note

An instance of Microsoft Dynamics NAV Server that has been configured for secure WAN communication always prompts Microsoft Dynamics NAV Windows client or Microsoft Dynamics NAV Web client users for authentication when they start the client, even when the client computer is in the same domain as Microsoft Dynamics NAV Server.

The following procedures use the Certificates snap-in for Microsoft Management Console (MMC). If you do not already have this snap-in installed, then follow these steps:

  1. From the Windows Start menu, choose Run, and then type Mmc.exe.

  2. In the console, on the File menu, choose Add/Remove Snap-in.

  3. In the Add Standalone Snap-in dialog box, select Certificates, and then choose Add.

Configuring Microsoft Dynamics NAV Server

After you have installed the root CA and the service certificate on the computer running Microsoft Dynamics NAV Server, you must grant access to the service account that is associated with the server so that the service account can access the service certificate’s private key. You must also change the configuration settings for Microsoft Dynamics NAV Server to enable remote logins.

To configure the computer running Microsoft Dynamics NAV Server

  1. In the left pane of MMC, expand the Certificates (Local Computer) node, expand the Personal node, and then select the Certificates subfolder.

  2. In the right pane, right-click the certificate, select All Tasks, and then choose Manage Private Keys.

  3. In the Permissions dialog box for the certificate, choose Add.

  4. In the Select Users, Computers, Service Accounts, or Groups dialog box, enter the name of the dedicated domain user account that is associated with Microsoft Dynamics NAV Server, and then choose the OK button.

  5. In the Full Control field, select Allow, and then choose the OK button.

  6. In the right pane, select the certificate.

  7. In the Certificate dialog box, choose the Details tab, and then select the Thumbprint field.

  8. Copy or note the value of the Thumbprint field.

  9. Start the Microsoft Dynamics NAV Server Administration tool. For more information, see Microsoft Dynamics NAV Server Administration Tool.

  10. Stop the Microsoft Dynamics NAV Server instance. For more information, see Managing Microsoft Dynamics NAV Server Instances.

  11. Modify the following settings for the Microsoft Dynamics NAV Server instance. For more information, see Configuring Microsoft Dynamics NAV Server.

    Key: Credential Type
    New value: NavUserPassword or Username
    Description: This parameter is on the General tab in the Microsoft Dynamics NAV Server Administration tool. The default value is Windows. When you change it to NavUserPassword or Username, client users who connect to the server are prompted for user name and password credentials. For more information on authentication mechanisms for Microsoft Dynamics NAV 2013 R2, see Users and Credential Types. For information on how to provision users with initial username and password values, see How to: Create Microsoft Dynamics NAV Users.

    Key: Certificate Thumbprint
    New value: Value of the Thumbprint field in the previous procedure.
    Description: This parameter is on the Client Services tab in the Microsoft Dynamics NAV Server Administration tool. The default value is <key>. Remove any leading or trailing spaces in the thumbprint.

  12. Save the new values for the server instance.

  13. Restart the Microsoft Dynamics NAV Server instance.

    If there is a problem, see Windows Event Viewer.
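The same procedure can be scripted so that the checks are explicit rather than performed by eye in MMC. The following PowerShell script is an added example and is not part of the Microsoft Dynamics NAV documentation or product: it locates the service certificate in the Local Computer Personal store, verifies that it carries a private key and chains to a trusted root CA, grants the service account access to the private key file (which is what the Manage Private Keys step does), normalises the thumbprint, and writes the two settings from the table above into the server instance. The certificate subject, service account and instance name are placeholders; the NavAdminTool.ps1 path, the Set-NAVServerInstance and Set-NAVServerConfiguration cmdlets with their ClientServicesCredentialType and ServicesCertificateThumbprint keys, and the event provider name pattern are assumed from the NAV 2013 R2 administration module.

```powershell
# Added example, not Microsoft's code. Run in an elevated PowerShell on the NAV Server computer.
# Placeholders (assumptions): adjust all three to the environment.
$CertSubject    = 'CN=nav.example.com'      # subject of the service certificate
$ServiceAccount = 'CONTOSO\svc-navserver'   # dedicated domain account that runs NAV Server
$ServerInstance = 'DynamicsNAV71'           # NAV Server instance name

# 1. Find the service certificate in Certificates (Local Computer) > Personal.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $CertSubject } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$CertSubject' in Cert:\LocalMachine\My" }

# 2. Checks the page relies on: the certificate must be set up for key exchange (private key
#    present) and must chain to a root CA that this computer trusts.
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; it cannot serve as the service certificate' }
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    throw "Certificate chain does not validate: $status"
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires on $($cert.NotAfter)" }

# 3. Grant the service account access to the private key file. This assumes a CSP (CAPI) RSA key,
#    which lives under MachineKeys; for a CNG key $cert.PrivateKey is null and MMC must be used.
#    The documented procedure grants Full Control; Read is enough for the service to use the key.
if (-not $cert.PrivateKey) { throw 'Private key is not a CSP key; grant access with Manage Private Keys in MMC' }
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'FullControl', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# 4. Normalise the thumbprint: keeping only hex digits removes the leading/trailing spaces the page
#    warns about, and any hidden formatting characters picked up when copying from the MMC dialog.
$thumbprint = ($cert.Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($thumbprint.Length -ne 40) { throw "Unexpected SHA-1 thumbprint length: '$thumbprint'" }

# 5. Stop the instance, write the two settings from the table, restart, then look for errors
#    in the Application log (the page's "see Windows Event Viewer" step).
Import-Module "$env:ProgramFiles\Microsoft Dynamics NAV\71\Service\NavAdminTool.ps1"   # assumed path
Set-NAVServerInstance -ServerInstance $ServerInstance -Stop
Set-NAVServerConfiguration -ServerInstance $ServerInstance -KeyName ClientServicesCredentialType -KeyValue NavUserPassword
Set-NAVServerConfiguration -ServerInstance $ServerInstance -KeyName ServicesCertificateThumbprint -KeyValue $thumbprint
Set-NAVServerInstance -ServerInstance $ServerInstance -Start
Get-WinEvent -LogName Application -MaxEvents 50 |
    Where-Object { $_.ProviderName -like 'MicrosoftDynamicsNavServer*' -and $_.LevelDisplayName -in 'Error','Warning' } |
    Format-List TimeCreated, Message
```

The chain check in step 2 reproduces on the server what every client will later do against the root CA, so a certificate issued by an untrusted or not-yet-installed CA fails here instead of at the first client logon.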

Configuring the Microsoft Dynamics NAV Windows client or Microsoft Dynamics NAV Web Server components

The chain trust configuration allows all users of the Microsoft Dynamics NAV Windows client on a computer to log on to one or more instances of Microsoft Dynamics NAV Server as long as their login credentials have been associated with user accounts in Microsoft Dynamics NAV. The client validates that the server certificate is signed with the root CA.

After you have installed the root CA on the computer running the Microsoft Dynamics NAV Windows client or Microsoft Dynamics NAV Web Server components, you must modify the client configuration file.

To modify the Microsoft Dynamics NAV Windows client configuration file

  1. Open the ClientUserSettings.config configuration file.

    In Windows 7 or Windows Server 2008, the location of this file is Users\<username>\AppData\Local\Microsoft\Microsoft Dynamics NAV.

    By default, this file is hidden. Therefore, you may have to change your folder options in Windows Explorer to view hidden files.

    Note

    If you want to change default Microsoft Dynamics NAV Windows client settings for all future users, edit the default ClientUserSettings.config file—that is, the one in C:\Program Files\Microsoft Dynamics NAV\71. Be sure that you run your text editor with Administrator privileges when you do so.

  2. Modify the following settings.

    Key: ClientServicesCredentialType
    New value: NavUserPassword or Username
    Description: The default value is Windows. When you change it to NavUserPassword or Username, client users are prompted for user name and password credentials. For more information on authentication mechanisms for Microsoft Dynamics NAV 2013 R2, see Users and Credential Types. For information on how to provision users with initial username and password values, see How to: Create Microsoft Dynamics NAV Users.

    Key: DnsIdentity
    New value: The subject name of the service certificate.
    Description: The default value is <identity>. Replace this with the subject name or common name (CN) of the certificate that is used on the computer that is running Microsoft Dynamics NAV Server.

  3. Save and close the ClientUserSettings.config file.

When users start the Microsoft Dynamics NAV Windows client, they are prompted for a valid user name and password.

To modify the Microsoft Dynamics NAV Web client configuration file

  1. On the computer where the Microsoft Dynamics NAV Web Server components are installed, open the installation folder for the Microsoft Dynamics NAV Web client. By default, the folder is C:\Program Files\Microsoft Dynamics NAV\71\Web Client.

  2. Open the web.config file in a text editor, such as Notepad.

  3. Find the <DynamicsNavSettings> element, and then change the following settings:

    Key: ClientServicesCredentialType
    New value: NavUserPassword
    Description: The default value is Windows. When you change it to NavUserPassword or Username, client users who connect to the server are prompted for user name and password credentials. For more information on authentication mechanisms for Microsoft Dynamics NAV 2013 R2, see Users and Credential Types. For information on how to provision users with initial username and password values, see How to: Create Microsoft Dynamics NAV Users.

    Key: DnsIdentity
    New value: The subject name of the service certificate
    Description: The default value is <identity>. Replace this with the subject name or common name (CN) of the certificate that is used on the computer that is running Microsoft Dynamics NAV Server.

  4. Save the web.config file.

    For more information about configuring the credential type for the Microsoft Dynamics NAV Web client, see How to: Configure User Authentication for the Microsoft Dynamics NAV Web Client.
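Both client-side procedures (the Windows client's ClientUserSettings.config and the Web client's web.config) change the same two keys, so one script can serve both. The following PowerShell script is an added example and is not part of the Microsoft Dynamics NAV documentation or product: it first confirms that the root CA is present in the Local Computer Trusted Root store (the page's prerequisite for chain trust), then sets ClientServicesCredentialType and DnsIdentity in whichever of the configuration files exist on the computer, keeping a backup of each. The root CA thumbprint and DnsIdentity value are placeholders, and the script assumes that ClientUserSettings.config stores its settings as <add key="..." value="..."/> elements under <appSettings>, while web.config stores them under the <DynamicsNavSettings> element named above.

```powershell
# Added example, not Microsoft's code. Run in an elevated PowerShell on the client or web-server computer.
# Placeholders (assumptions): adjust to the environment.
$RootCaThumbprint = '0000000000000000000000000000000000000000'   # thumbprint of the root CA
$DnsIdentity      = 'nav.example.com'                            # CN of the service certificate on NAV Server
$CredentialType   = 'NavUserPassword'

# The root CA must be trusted by the Local Computer for the client to validate the server certificate chain.
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $RootCaThumbprint }
if (-not $root) { throw "Root CA $RootCaThumbprint is not installed in Cert:\LocalMachine\Root" }

function Set-NavConfigValue {
    param(
        [Parameter(Mandatory)] [string]    $Path,     # configuration file to edit
        [Parameter(Mandatory)] [string]    $Section,  # 'appSettings' or 'DynamicsNavSettings' (assumed layout)
        [Parameter(Mandatory)] [hashtable] $Values    # key -> new value
    )
    [xml] $xml = Get-Content -Path $Path -Raw
    $sectionNode = $xml.SelectSingleNode("//$Section")
    if (-not $sectionNode) { throw "No <$Section> element found in $Path" }
    foreach ($key in $Values.Keys) {
        $node = $sectionNode.SelectSingleNode("add[@key='$key']")
        if (-not $node) {
            # Key absent: add it explicitly rather than silently leaving the default (Windows / <identity>) in force.
            $node = $xml.CreateElement('add')
            $node.SetAttribute('key', $key)
            [void] $sectionNode.AppendChild($node)
        }
        Write-Host ("{0}: {1} '{2}' -> '{3}'" -f (Split-Path $Path -Leaf), $key, $node.GetAttribute('value'), $Values[$key])
        $node.SetAttribute('value', $Values[$key])
    }
    Copy-Item -Path $Path -Destination "$Path.bak" -Force   # keep the original for rollback
    $xml.Save($Path)
}

$settings = @{ ClientServicesCredentialType = $CredentialType; DnsIdentity = $DnsIdentity }

# Windows client: the per-user file (hidden under AppData\Local, as the page notes) and the
# default file that new users inherit (the page's C:\Program Files\Microsoft Dynamics NAV\71 copy).
$clientFiles = @(
    "$env:LOCALAPPDATA\Microsoft\Microsoft Dynamics NAV\ClientUserSettings.config",
    "$env:ProgramFiles\Microsoft Dynamics NAV\71\ClientUserSettings.config"
)
foreach ($file in ($clientFiles | Where-Object { Test-Path $_ })) {
    Set-NavConfigValue -Path $file -Section 'appSettings' -Values $settings
}

# Web client: web.config in the Web Client installation folder.
$webConfig = "$env:ProgramFiles\Microsoft Dynamics NAV\71\Web Client\web.config"
if (Test-Path $webConfig) {
    Set-NavConfigValue -Path $webConfig -Section 'DynamicsNavSettings' -Values $settings
}
```

Because DnsIdentity must equal the CN of the server's certificate, a mismatch surfaces as a failed logon on the client; running the script with the thumbprint-derived CN from the server (rather than a hand-typed host name) avoids the most common cause of that failure.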