
How to: Implement Security Certificates in a Production Environment

Microsoft Dynamics Nav 2009

After you have installed and configured Microsoft Dynamics NAV Server and obtained a service certificate and a root certification authority (CA) certificate from a trusted provider, you must install both certificates on the computer running Microsoft Dynamics NAV Server. Complete installation instructions are available from your certificate provider.

The root CA certificate and the service certificate are used in this configuration; client certificates are not. The root CA certificate must be installed on the computer running Microsoft Dynamics NAV Server and on every computer running the RoleTailored client. The service certificate is installed only on the computer running Microsoft Dynamics NAV Server.

Most enterprises and hosting providers have their own infrastructure for issuing and managing certificates, and you can use such an infrastructure instead of an external provider. The only requirement is that the service certificate must be set up for key exchange, which means that it must contain both the private key and the public key.

Note
An instance of Microsoft Dynamics NAV Server that has been configured for secure WAN communication always prompts RoleTailored client users for authentication when they start the client, even when the client computer is in the same domain as Microsoft Dynamics NAV Server.

The following procedures use the Certificates snap-in for the Microsoft Management Console (MMC). If you do not already have this snap-in installed, then follow these steps:

  1. Click Start, click Run, and then type Mmc.exe.

  2. In the console, on the File menu, click Add/Remove Snap-in.

  3. In the Add Standalone Snap-in dialog box, select Certificates, and then click Add.

Configuring Microsoft Dynamics NAV Server

After you have installed the root CA certificate and the service certificate on the computer running Microsoft Dynamics NAV Server, you must grant the service account that runs the server access to the service certificate’s private key. You must also change the configuration settings for Microsoft Dynamics NAV Server to enable remote logins.

To configure the computer running Microsoft Dynamics NAV Server

  1. In the left pane of the MMC, expand the Certificates (Local Computer) node, expand the Personal node, and then select the Certificates subfolder.

  2. In the right pane, right-click the service certificate, select All Tasks, and then click Manage Private Keys.

  3. In the Permissions dialog box for the certificate, click Add.

  4. In the Select Users, Computers, Service Accounts, or Groups dialog box, enter the name of the dedicated domain user account that is associated with Microsoft Dynamics NAV Server, and then click OK.

  5. In the Full Control field, select Allow, and then click OK.

  6. In the right pane, double-click the certificate.

  7. In the Certificate dialog box, click the Details tab, and then select the Thumbprint field.

  8. Copy or note the value of the Thumbprint field.

  9. Stop the Microsoft Dynamics NAV Business Web Services and Microsoft Dynamics NAV Server services.

  10. Open the CustomSettings.config configuration file. By default, this file is located in C:\Program Files\Microsoft Dynamics NAV\60\Service.

  11. Modify the following settings.

    Key: ClientCredentialType
    New value: UserName
    Description: The default value is Windows. When you change it to UserName, RoleTailored client users who connect to the server are prompted for user name and password credentials.

    Key: CertificateThumbprint
    New value: The value of the Thumbprint field that you noted in step 8
    Description: The default value is <key>. Remove any leading or trailing spaces from the thumbprint.

  12. Save and close the CustomSettings.config file.

  13. Restart the Microsoft Dynamics NAV Business Web Services and Microsoft Dynamics NAV Server services.

If the services fail to start or report an error, check Windows Event Viewer for the details.
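The following PowerShell script, added here and not part of the Microsoft documentation, performs the server-side procedure above from an elevated prompt on the computer running Microsoft Dynamics NAV Server. It assumes (none of this is on the page) that the service certificate is located by its subject CN, that the private key is a CryptoAPI (CSP) key stored under %ProgramData% as on Windows Server 2008 or later, that the service account name is CORP\svc-navserver, and that CustomSettings.config consists of <add key="..." value="..."/> elements.

```powershell
# Added example, not part of the Microsoft documentation: scripts the server-side
# procedure for the service certificate. Assumptions (not from the page): the certificate
# is found by its subject CN, the key is a CSP key under %ProgramData% (Windows Server 2008+),
# and CustomSettings.config holds <add key="..." value="..."/> elements.
param(
    [string]$SubjectCN      = 'nav.corp.example.com',   # assumed subject name of the service certificate
    [string]$ServiceAccount = 'CORP\svc-navserver',     # assumed dedicated domain account of the server
    [string]$ConfigPath     = 'C:\Program Files\Microsoft Dynamics NAV\60\Service\CustomSettings.config'
)

# Steps 1-2: Certificates (Local Computer) > Personal is the Cert:\LocalMachine\My drive.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$SubjectCN*" -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for CN=$SubjectCN" }

# Steps 3-5: grant the service account access to the private key. For a CSP key the key
# container is a file under MachineKeys; Read is sufficient for the service to use the key,
# which is less than the Full Control that the procedure grants.
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Steps 6-8: the thumbprint, with any whitespace removed (the page warns about spaces).
$thumbprint = ($cert.Thumbprint -replace '\s', '').ToUpperInvariant()

# Step 9: stop both services, addressed by the display names used in the procedure.
$names    = 'Microsoft Dynamics NAV Server', 'Microsoft Dynamics NAV Business Web Services'
$services = Get-Service -DisplayName $names
$services | Stop-Service -Force

# Steps 10-12: set the two keys in CustomSettings.config and save the file.
[xml]$config = Get-Content -Path $ConfigPath
$newValues = @{ ClientCredentialType = 'UserName'; CertificateThumbprint = $thumbprint }
foreach ($key in $newValues.Keys) {
    $node = $config.SelectSingleNode("//add[@key='$key']")
    if (-not $node) { throw "Key $key not found in $ConfigPath" }
    $node.SetAttribute('value', $newValues[$key])
}
$config.Save($ConfigPath)

# Step 13: start the services again; if they fail, check Event Viewer as the page says.
$services | Start-Service
```

If the certificate was imported with a CNG key, $cert.PrivateKey is empty and the ACL step must be done through the Manage Private Keys dialog instead.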

Configuring the RoleTailored Client

The chain trust configuration allows all users of the RoleTailored client on a computer to log on to one or more instances of Microsoft Dynamics NAV Server, as long as their login credentials have been associated with user accounts in Microsoft Dynamics NAV. The client validates that the server certificate is signed by the root CA.

After you have installed the root CA certificate on the computer running the RoleTailored client, you must edit the RoleTailored client configuration file.

To edit the RoleTailored client configuration file

  1. Open the ClientUserSettings.config configuration file.

    In Windows 7, Windows Vista, or Windows Server 2008, the location of this file is Users\<username>\AppData\Local\Microsoft\Microsoft Dynamics NAV. In Windows Server 2003 or Windows XP, the location is Documents and Settings\<username>\Local Settings\Application Data\Microsoft\Microsoft Dynamics NAV.

    This file is hidden by default, so you may need to change your folder options in Windows Explorer to view hidden files.

  2. Modify the following settings.

    Key: ClientCredentialType
    New value: UserName
    Description: The default value is Windows. When you change it to UserName, RoleTailored client users who connect to the server are prompted for user name and password credentials.

    Key: DnsIdentity
    New value: The subject name of the service certificate
    Description: The default value is <identity>.

  3. Save and close the ClientUserSettings.config file.

When you start the RoleTailored client, you are prompted for a user name, in the format domain\username, and a password that are valid in the server’s domain.
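The following PowerShell script, added here and not part of the Microsoft documentation, checks a RoleTailored client computer before the first logon: that the service certificate chains to a root CA present in the local machine's Trusted Root store, and that DnsIdentity in ClientUserSettings.config equals the certificate's subject name. It assumes (none of this is on the page) that the public part of the service certificate has been exported to a .cer file readable on the client, and that the configuration file consists of <add key="..." value="..."/> elements.

```powershell
# Added example, not part of the Microsoft documentation: verifies chain trust and the
# DnsIdentity setting on a RoleTailored client computer. Assumptions (not from the page):
# the service certificate's public part is available as a .cer file, and
# ClientUserSettings.config holds <add key="..." value="..."/> elements.
param(
    [string]$ServerCertPath = 'C:\Temp\nav-service.cer',   # assumed export (public key only)
    [string]$ConfigPath     = "$env:LOCALAPPDATA\Microsoft\Microsoft Dynamics NAV\ClientUserSettings.config"
)

function Get-Setting([xml]$Doc, [string]$Key) {
    $node = $Doc.SelectSingleNode("//add[@key='$Key']")
    if ($node) { $node.GetAttribute('value') } else { $null }
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ServerCertPath

# Chain trust: build the chain as the client will, against the root CA installed in
# Certificates (Local Computer) > Trusted Root Certification Authorities, with no overrides.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # CRL reachability is a separate concern
$trusted = $chain.Build($cert)
if (-not $trusted) {
    $chain.ChainStatus | ForEach-Object { Write-Warning "$($_.Status): $($_.StatusInformation.Trim())" }
}
$rootSubject = if ($chain.ChainElements.Count -gt 0) {
    $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
}
$rootInStore = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $rootSubject }

# DnsIdentity must equal the subject name (CN) of the service certificate; otherwise the
# client rejects the endpoint identity even though the chain is trusted.
$subjectCN = $cert.GetNameInfo('SimpleName', $false)
[xml]$config = Get-Content -Path $ConfigPath
$identity = Get-Setting $config 'DnsIdentity'
$credType = Get-Setting $config 'ClientCredentialType'

$checks = @(
    @{ Name = 'Chain builds to a trusted root';              Ok = $trusted }
    @{ Name = 'Root CA is present in LocalMachine\Root';     Ok = [bool]$rootInStore }
    @{ Name = "DnsIdentity equals subject CN '$subjectCN'";  Ok = ($identity -eq $subjectCN) }
    @{ Name = 'ClientCredentialType is UserName';            Ok = ($credType -eq 'UserName') }
)
foreach ($c in $checks) { '{0} {1}' -f $(if ($c.Ok) { 'PASS' } else { 'FAIL' }), $c.Name }
```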

© 2014 Microsoft