How to: Configure User Authentication for the Microsoft Dynamics NAV Web Client

You can configure the Microsoft Dynamics NAV Web client to authenticate users on one of the following credential types.

Credential type Description Prompted to sign in

Windows

Users are authenticated using a Windows account (Active Directory). Users are automatically authenticated using the Windows account that is currently logged on to the device that they are using to access the Microsoft Dynamics NAV Web client.

No

UserName

Users are authenticated using their Windows account.

Yes

NavUserPassword

Users are authenticated using their Microsoft Dynamics NAV user name and password, instead of their Windows credentials.

Yes

AccessControlService

Users are authenticated using either Microsoft Azure Access Control Service (ACS) or Microsoft Azure Active Directory (AAD).

Yes

For more information about the credential types and their use, see Users and Credential Types.

To set up user authentication, complete the following tasks:

  • Implementing Security Certificates

    Implement security certificates on the computer that is running Microsoft Dynamics NAV Server and the computer that is running Microsoft Dynamics NAV Web Server components.

    Note

    This step is not required when you use the Windows credential type.

  • Configuring the Credential Type for Microsoft Dynamics NAV Server

  • Configuring the Credential Type on the Microsoft Dynamics NAV Web Client

Implementing Security Certificates

When using the UserName, NavUserPassword, or AccessControlService credential type, you must implement security certificates on the computer that is running Microsoft Dynamics NAV Server and the web server computer that is running Microsoft Dynamics NAV Web Server components. Security certificates protect the passing of credentials between the Microsoft Dynamics NAV Web client and Microsoft Dynamics NAV Server. A certificate is a file that the web server uses to prove its identity and establish a trusted connection with Microsoft Dynamics NAV Server.

Note

You do not have to perform this task for Windows authentication.

To implement security certificates

  • To create your own certificates and implement them in a test environment for the Microsoft Dynamics NAV Web client, see Walkthrough: Implementing Security Certificates in a Test Environment.

    In this scenario, you create your own self-signed certificates, and then install them on the computers that are running Microsoft Dynamics NAV Server and the Microsoft Dynamics NAV Web Server components.

  • To implement certificates in a production environment for Microsoft Dynamics NAV Web client, see How to: Implement Security Certificates in a Production Environment.

    In this scenario, you obtain certificates from a certification authority. Some large organizations may have their own certification authorities, and other organizations can request a certificate from a third-party organization. After you obtain the certificates, you install them on the computers that are running Microsoft Dynamics NAV Server and the Microsoft Dynamics NAV Web Server components.

Configuring the Credential Type for Microsoft Dynamics NAV Server

The credential type of the Microsoft Dynamics NAV Web client must match the credential type in the Microsoft Dynamics NAV Server instance that is used by the Microsoft Dynamics NAV Web client.

To configure the credential type for the Microsoft Dynamics NAV Server instance

  1. Start either the Microsoft Dynamics NAV Server Administration tool or the Microsoft Dynamics NAV 2015 Administration Shell.

    For more information, see Microsoft Dynamics NAV Server Administration Tool or Microsoft Dynamics NAV Windows PowerShell Cmdlets.

  2. Find the ClientServicesCredentialType parameter in the configuration for the Microsoft Dynamics NAV Server instance.

    In the Microsoft Dynamics NAV Server Administration tool, the parameter is named Credential Type and is on the General tab.

    For more information, see Configuring Microsoft Dynamics NAV Server.

  3. Change the value to either Windows, UserName, NavUserPassword, or AccessControlService.

    Important

    On the Client Services tab, you must set the Certificate Thumbprint parameter to the thumbprint of the security certificate that is used by Microsoft Dynamics NAV Server.

  4. Restart the Microsoft Dynamics NAV Server instance.

Configuring the Credential Type on the Microsoft Dynamics NAV Web Client

To configure the credential type for the Microsoft Dynamics NAV Web client, perform the following procedures, as described in this section:

  1. Configure the credential type in the web.config files for the web server instance of the Microsoft Dynamics NAV Web client.

  2. Enable the authentication methods on the Internet Information Services (IIS) website for Microsoft Dynamics NAV Web client.

To configure the credential type in the web.config files of the Microsoft Dynamics NAV Web client

  1. On the computer that is running the Microsoft Dynamics NAV Web Server components, open the web.config file that is located in the physical path of the virtual directory for the Microsoft Dynamics NAV Web client application. This web.config file contains the Microsoft Dynamics NAV settings.

  2. The folder path is %systemroot%\inetpub\wwwroot\[VirtualDirectoryName]. For example, the folder for the default Microsoft Dynamics NAV Web client application is %systemroot%\inetpub\wwwroot\DynamicsNAV80 folder.

  3. In the <DynamicsNavSettings> element, which is located toward the end of the file, find the <add key="ClientServicesCredentialType" value=""/> element, and then change it to one of the following.

    <add key="ClientServicesCredentialType" value="Windows"/>
    
    <add key="ClientServicesCredentialType" value="UserName"/>
    
    <add key="ClientServicesCredentialType" value="NavUserPassword"/>
    
    <add key="ClientServicesCredentialType" value="AccessControlService/>
    
  4. If you are configuring the Windows credential type, then you are finished. Save the web.config file. For other credential types, continue to the next step.

  5. Find the <add key="DnsIdentity" value=""/> element, and change it as follows.

    <add key="DnsIdentity" value="SubjectName"/>
    

    Replace subjectName with the subject name or common name (CN) of the certificate that is used on the computer that is running Microsoft Dynamics NAV Server.

    Note

    You can find the subject name by opening the certificate in the Certificates snap-in for Microsoft Management Console (MMC) on the computer that is running Microsoft Dynamics NAV Web client and Microsoft Dynamics NAV Server. For more information, see Walkthrough: Implementing Security Certificates in a Test Environment or How to: Implement Security Certificates in a Production Environment.

  6. If you are configuring AccessControlService authentication, then find the <add key="ACSUri" value=""/> element, and set the value to the URI of the ACS or AAD authentication page.

    <add key="ACSUri" value=""/>
    

    For more information, see Authenticating Users with ACS and Authenticating Users with Windows Azure Active Directory.

  7. Save the web.config file.

To enable an authentication method on the website for the Microsoft Dynamics NAV Web client

  1. On the computer that is running Microsoft Dynamics NAV Web Server components, open Internet Information Services (IIS) Manager.

    On the Start menu, in the Search programs and files box, type inetmgr, and then press Enter.

  2. In the Connections pane, under Sites, choose Microsoft Dynamics NAV 2015 Web Client.

  3. Under IIS, double-click Authentication.

  4. In the Authentication pane, enable the appropriate authentication based on the credential type.

    • For the Windows credential type, enable Windows authentication.

    • For the UserName and NavUserPassword credential types, enable both Forms authentication and Anonymous authentication.

    To enable an authentication method, choose the authentication method from the list, and then choose Enable in the Actions pane.

  5. For Windows authentication, you must set up an authentication provider. By default, Windows authentication is configured to use the Negotiate and NTML providers, which is sufficient for most installations and no action is required. If the computer that is running Microsoft Dynamics NAV Web Server components and Microsoft Dynamics NAV Server are on different computers, and delegation with Kerberos is configured between the two computers, then the Negotiate provider must be first in the list of providers.

    To set up the providers, do the following:

    1. Choose Window Authentication, and then under Actions, choose Providers.

    2. To add a provider, select the provider from the Available Providers list, and then choose Add.

    3. To move a provider in the Enables Providers list, select the provider, and then choose the Move Up or Move Up button.

    4. Choose the OK button.

  6. Restart the web server.

    In the Connections pane of IIS Manager, choose the root node for your computer, and then in the Actions pane, choose Restart.

See Also

Tasks

How to: Install the Web Server Components
How to: Specify When UI Elements Are Removed

Concepts

Deploying the Microsoft Dynamics NAV Web Server Components
Configuring Microsoft Dynamics NAV Web Client by Modifying the Web.config File