Walkthrough: Implementing Security Certificates in a Test Environment

In this walkthrough, you set up an environment to test the integration of certificates into a configuration that connects computers running the RoleTailored client to Microsoft Dynamics NAV Server instances over a wide area network (WAN), using the chain trust configuration.

To complete this walkthrough, you will need:

  • The Certificates snap-in for Microsoft Management Console (MMC). If you do not already have this snap-in installed, then follow these steps:

    1. Click Start, click Run, and then type Mmc.exe.

    2. In the console, on the File menu, click Add/Remove Snap-in.

    3. In the Add Standalone Snap-in dialog box, select Certificates, click Computer Account, click Local Computer, and then click Add.

  • The makecert.exe utility. For more information, see Certificate Creation Tool (Makecert.exe) in the MSDN Library.

You create and install a root certification authority (CA) and a server certificate on the computer running Microsoft Dynamics NAV Server.

To create a root CA and a private key file with the makecert.exe utility

  1. Create a temporary folder to use when you work with certificates.

  2. Click Start, point to All Programs, and then click Accessories. Right-click Command Prompt, and then click Run as administrator.

  3. At the command prompt, change to the temporary folder that you created in step 1.

  4. Type the following command.

    makecert -n "CN=RootNavServiceCA" -r -sv RootNavServiceCA.pvk RootNavServiceCA.cer
    
  5. When you are prompted, enter a password.

    You need this password to create the service certificate.

  6. The RootNavServiceCA.cer certificate file and the RootNavServiceCA.pvk private key are saved in your temporary folder.

To use the Certificates snap-in to install the root CA on the computer running Microsoft Dynamics NAV Server

  1. Start the MMC on the computer running Microsoft Dynamics NAV Server, and then add the Certificates snap-in.

  2. In the Certificates snap-in dialog box, click Computer account, and then click Next.

  3. In the Select Computer pane, click Local computer: (the computer this console is running on), and then click Finish.

  4. Click OK to close the Add or Remove Snap-ins dialog box.

  5. In the left pane of the MMC, expand the Certificates (Local Computer) node.

  6. Expand the Trusted Root Certification Authorities node, right-click the Certificates subfolder, select All Tasks, and then click Import.

  7. In the Certificate Import Wizard, on the Welcome page, click Next.

  8. On the File to Import page, click Browse.

  9. Browse to the location of the RootNavServiceCA.cer certificate file, select the file, and then click Open.

  10. On the File to Import page, click Next.

  11. On the Certificate Store page, accept the default selection, and then click Next.

  12. On the Completing the Certificate Import Wizard page, click Finish.

The RootNavServiceCA certificate is now visible in the list of trusted root CAs.

You now create a certificate revocation list for the root certification authority and then install the certificate revocation list on the computer running Microsoft Dynamics NAV Server. A certificate revocation list is required because Windows Communication Foundation (WCF) applications, such as Microsoft Dynamics NAV Server, check the revocation list when validating certificates.

To create a certificate revocation list for the root certification authority

  1. At the command prompt, type the following command:

    makecert -crl -n "CN=RootNavServiceCA" -r -sv RootNavServiceCA.pvk RootNavServiceCA.crl
    
  2. When you are prompted, enter the password that you used to create the root CA.

To install the certificate revocation list on the computer running Microsoft Dynamics NAV Server

  1. In the Certificates snap-in, in the left pane of the MMC, expand the Certificates (Local Computer) node.

  2. Expand the Trusted Root Certification Authorities node, right-click the Certificates subfolder, select All Tasks, and then click Import.

  3. In the Certificate Import Wizard, on the Welcome page, click Next.

  4. On the File to Import page, click Browse.

  5. In the File Type field, select Certificate Revocation List (*.crl).

  6. Browse to the location of the RootNavServiceCA.crl file, select the file, and then click Open.

  7. On the File to Import page, click Next.

  8. On the Certificate Store page, accept the default selection, and then click Next.

  9. On the Completing the Certificate Import Wizard page, click Finish.

  10. Select the Trusted Root Certification Authorities node, and then refresh the MMC snap-in.

    A Certificate Revocation List folder that contains the RootNavServiceCA.crl file has been created.

To create and install a test certificate for the Microsoft Dynamics NAV Server service

  1. At the command prompt, type the following command:

    makecert -sk NavServiceCert -iv RootNavServiceCA.pvk -n "CN=NavServiceCert" -ic RootNavServiceCA.cer -sr localmachine -ss my -sky exchange -pe NavServiceCert.cer
    
    Note
    This command specifies the subject’s certificate name as NavServiceCert. You need this certificate name when you configure the RoleTailored client.

  2. When you are prompted, enter the password that you used to create the root CA.

  3. Select the Trusted Root Certification Authorities node, and then refresh the MMC snap-in.

You now have the NavServiceCert.cer certificate file in your temporary folder. The certificate is installed under the Personal node in the Certificates Snap-in.

To grant access to the certificate’s private key to the service account for Microsoft Dynamics NAV Server

  1. In the left pane of the MMC, expand the Certificates (Local Computer) node, expand the Personal node, and then select the Certificates subfolder.

  2. In the right pane, right-click the NavServiceCert certificate, click All Tasks, and then click Manage Private Keys.

  3. In the Permissions for NavServiceCert private keys dialog box, click Add.

  4. In the Select Users, Computers, Service Accounts, or Groups dialog box, enter NETWORK SERVICE, which is the name of the service account, and then click OK.

    Security Note
    In a production environment, you run Microsoft Dynamics NAV Server under a dedicated domain user account instead of the less secure NETWORK SERVICE account. Because this is a test implementation, the NETWORK SERVICE account is acceptable.

  5. Select Allow Full Control, and then click OK.

  6. In the right pane, double-click the NavServiceCert certificate.

  7. In the Certificate dialog box, click the Details tab, and then select the Thumbprint field.

  8. Copy or note the value of the Thumbprint field.

To modify the Microsoft Dynamics NAV Server configuration file to support login over a WAN

  1. Stop the Microsoft Dynamics NAV Business Web Services and Microsoft Dynamics NAV Server services.

    For more information, see How to: Configure Windows Services in the MSDN Library.

  2. Open the CustomSettings.config file, which is the Microsoft Dynamics NAV Server configuration file. By default, this file is located in C:\Program Files\Microsoft Dynamics NAV\60\Service.

  3. Modify the following key settings in the CustomSettings.config file.

    Key: ClientCredentialType
    New value: UserName
    Description: The default value is Windows. When you change it to UserName, RoleTailored client users who connect to the server are prompted for user name and password credentials.

    Note
    Consider using a dedicated Microsoft Dynamics NAV Server instance for remote connections so that this change does not affect local users.

    Key: CertificateThumbprint
    New value: Value of the Thumbprint field in the previous procedure
    Description: The default value is <key>. Remove any leading or trailing spaces in the thumbprint.

  4. Save and close the CustomSettings.config file.

  5. Restart the Microsoft Dynamics NAV Business Web Services and Microsoft Dynamics NAV Server services.

If a service fails to start or you get an error, see the Windows Event Viewer for details.

With the chain trust configuration, only the root CA and the certificate revocation list must be installed for the RoleTailored client. To do this, complete these procedures on the computer running the RoleTailored client.

To install the root CA on the computer running the RoleTailored client

  1. Start the MMC on the computer running the RoleTailored client, and then add the Certificates snap-in.

    Note
    This procedure is identical to the one that you followed for installing the root CA on the computer running Microsoft Dynamics NAV Server.

  2. In the Certificates snap-in dialog box, click Computer account, and then click Next.

  3. In the Select Computer pane, click Local computer: (the computer this console is running on), and then click Finish.

  4. Click OK to close the Add or Remove Snap-ins dialog box.

  5. In the left pane of the MMC, expand the Certificates (Local Computer) node.

  6. Expand the Trusted Root Certification Authorities node, right-click the Certificates subfolder, select All Tasks, and then click Import.

  7. In the Certificate Import Wizard, on the Welcome page, click Next.

  8. On the File to Import page, click Browse.

  9. Browse to the location of the RootNavServiceCA.cer certificate file, select the file, and then click Open.

  10. On the File to Import page, click Next.

  11. On the Certificate Store page, accept the default selection, and then click Next.

  12. On the Completing the Certificate Import Wizard page, click Finish.

To install the certificate revocation list on the computer running the RoleTailored client

  1. Start the MMC on the computer running the RoleTailored client, and then add the Certificates snap-in.

  2. In the Certificates snap-in dialog box, click Computer account, and then click Next.

  3. In the Select Computer pane, click Local computer: (the computer this console is running on), and then click Finish.

  4. Click OK to close the Add or Remove Snap-ins dialog box.

  5. In the left pane of the MMC, expand the Certificates (Local Computer) node.

  6. Expand the Trusted Root Certification Authorities node, right-click the Certificates subfolder, select All Tasks, and then click Import.

  7. In the Certificate Import Wizard, on the Welcome page, click Next.

  8. On the File to Import page, click Browse.

  9. In the File Type field, select Certificate Revocation List (*.crl).

  10. Browse to the location of the RootNavServiceCA.crl file, select the file, and then click Open.

  11. On the File to Import page, click Next.

  12. On the Certificate Store page, accept the default selection, and then click Next.

  13. On the Completing the Certificate Import Wizard page, click Finish.

To edit the RoleTailored client configuration file to add certificate information

  1. Open the ClientUserSettings.config configuration file.

    In Windows 7, Windows Vista, or Windows Server 2008, the location of this file is Users\<username>\AppData\Local\Microsoft\Microsoft Dynamics NAV. In Windows Server 2003 or Windows XP, the location is Documents and Settings\<username>\Local Settings\Application Data\Microsoft\Microsoft Dynamics NAV.

    This file is hidden by default, so you may need to change your folder options in Windows Explorer to view hidden files.

  2. Modify the following settings.

    Key: ClientCredentialType
    New value: UserName
    Description: The default value is Windows. When you change it to UserName, RoleTailored client users who connect to the server are prompted for user name and password credentials.

    Key: DnsIdentity
    New value: The subject name of the service certificate
    Description: The default value is <identity>. For this walkthrough, set the key to NavServiceCert.

  3. Save and close the ClientUserSettings.config file.

When you start the RoleTailored client, you are prompted for a valid user name in the format domain\username and password for the server domain.
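As a check for both the server-side CertificateThumbprint setting and the client-side DnsIdentity setting, here is an added PowerShell script that is not part of the original walkthrough. It assumes the subject names used above (NavServiceCert, RootNavServiceCA) and the LocalMachine stores the procedures import into, and it repeats the chain and revocation validation that WCF performs when the client connects.

```powershell
# Added verification script; it is not part of the Microsoft walkthrough.
# Assumes the certificates were created as described above: subject
# CN=NavServiceCert in LocalMachine\My, issued by CN=RootNavServiceCA,
# which sits in LocalMachine\Root together with its CRL. Run elevated.
param(
    [string]$SubjectCN = 'NavServiceCert',
    [string]$RootCN    = 'RootNavServiceCA',
    [string]$PastedThumbprint = ''   # optional: value copied from the MMC Details tab
)

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$SubjectCN" } | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject CN=$SubjectCN in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "CN=$SubjectCN has no private key in this store" }

# WCF walks the chain and consults the CRL, so validate the same way.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object {
        Write-Warning ("{0}: {1}" -f $_.Status, $_.StatusInformation.Trim())
    }
    throw "Chain validation failed; check that the root CA and its CRL are imported"
}

# The chain must end at the test root, not at some other trusted CA.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($root.Subject -ne "CN=$RootCN") { throw "Chain ends at '$($root.Subject)', expected CN=$RootCN" }

# The store reports the thumbprint as bare hex. A value copied from the MMC
# Details tab carries spaces and often a hidden left-to-right mark (U+200E),
# which CustomSettings.config will not accept, so normalise and compare.
$thumb = $cert.Thumbprint.ToUpperInvariant()
if ($PastedThumbprint) {
    $pasted = ($PastedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($pasted -ne $thumb) { throw "Pasted thumbprint $pasted does not match the store value $thumb" }
}

# DnsIdentity in ClientUserSettings.config must equal the subject CN.
$dnsIdentity = (($cert.Subject -split ',') | Where-Object { $_.Trim() -like 'CN=*' } |
    Select-Object -First 1).Trim().Substring(3)

[PSCustomObject]@{
    CertificateThumbprint = $thumb        # for CustomSettings.config
    DnsIdentity           = $dnsIdentity  # for ClientUserSettings.config
    NotAfter              = $cert.NotAfter
}
```

Run it on the computer running Microsoft Dynamics NAV Server after the server-side procedures; a RevocationStatusUnknown warning means the CRL import did not take effect.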
