Authentication and credential types for Dynamics 365 Business Central

Note

Azure Active Directory is now Microsoft Entra ID.

In Business Central online, users are added through the Microsoft 365 admin center. Once users are created in Microsoft 365, they can be imported into the Users window in Business Central. Learn more in Managing Users and Permissions in the business functionality content.

Configuring authentication for on-premises deployments

An on-premises deployment of Business Central supports several credential authorization mechanisms for users. When you create a user, you provide different information depending on the credential type that you're using in the current Business Central Server instance.

Important

All users of a Business Central Server instance must be using the same credential type. In on-premises deployments, you can specify which credential type is used for a particular Business Central Server instance in the Business Central Server Administration tool.

Credential Types

Business Central on-premises supports the following credential types.

Credential type: Description

Windows: With this credential type, users are authenticated using their Windows credentials. You can only specify Windows as the credential type if the corresponding user exists in Windows (Active Directory, local workgroup, or the local computer's users). Because they're authenticated through Windows, Windows users aren't prompted for credentials when they access Business Central.

UserName: With this setting, the user is prompted for username/password credentials when they access Business Central. These credentials are then validated against Windows authentication by Business Central Server. There must already be a corresponding user in Windows. Security certificates are required to protect the passing of credentials across a wide-area network. Typically, you use this setting when the Business Central Server computer is part of an authenticating Active Directory domain, but the computer where the Dynamics NAV Client connected to Business Central is installed isn't part of the domain.

  Important: For OData, UserName credential type is only supported in Business Central version 20 and earlier. In later versions, change to NavUserPassword instead. This implies deprecation of native Digest Authentication from version 21 onwards.

NavUserPassword: With this setting, authentication is managed by Business Central Server but isn't based on Windows users or Active Directory. Each user is set up with a user name and password that's configured inside Business Central only. The user is prompted for username/password credentials when they start the client. Security certificates are required to protect the passing of credentials. Learn more in Authenticating users with NavUserPassword.

  Caution: Microsoft recommends that you don't use NavUserPassword authentication. Microsoft Entra ID and Windows authentication are more secure alternatives. You should only use NavUserPassword authentication when Microsoft Entra ID and Windows authentication aren't viable.

AccessControlService: With this setting, Business Central relies on Microsoft Entra ID for user authentication services.

  Microsoft Entra ID is a cloud service that provides identity and access capabilities, such as for applications on Azure, in Microsoft 365, and for applications that install on-premises. If the Business Central Server instance is configured to use AccessControlService authentication, you can specify a Microsoft Entra account for each user in the Office 365 Authentication field so that they can access both Business Central and their Microsoft 365 site. Also, if you use Business Central in an app for SharePoint, users have single sign-on between the SharePoint site and Business Central. Learn more in Authenticating users with Microsoft Entra ID or Authenticating users with Active Directory Federation Services.

  Security certificates are required to protect the passing of credentials across a wide-area network.

None: For internal use on system sessions. Typically not used. If you choose None, then the Business Central Server instance can't start.

ExchangeIdentity, TaskScheduler, and Impersonate: For internal use only. Don't use.

Important

If Business Central Server is configured to use NavUserPassword or AccessControlService authentication, then the username, password, and access key can be exposed if the SOAP or OData data traffic is intercepted and the connection string is decoded. To avoid this condition, configure SOAP and OData web services to use Secure Sockets Layer (SSL). Learn more in How to: Implement security certificates in a production environment in the ITPro content for Microsoft Dynamics NAV 2018.

Configuring the credential type for client and server

For on-premises deployment, you must make sure that clients and Business Central Server are configured to use the same credential type.

When you change the credential type for a Business Central Server instance and the relevant client configurations, the changes take effect when you restart the Business Central Server instance and users connect to the instance again.

Server configuration

To edit the configuration for the Business Central Server instance, you can use either the Business Central Server Administration tool or the Business Central Administration Shell. In the Business Central Server Administration tool, you configure the credential type in the Credential Type field on the General tab. Also, you can edit the CustomSettings.config file. Learn more in Configuring Business Central Server.

Client configuration

In the relevant configuration file, find the ClientServicesCredentialType parameter and change the value to one of the options listed earlier.

For Business Central Web client users, you must modify the navsettings.json file for the Business Central Web Server. The navsettings.json file is a JavaScript Object Notation (JSON) file, which is similar to files that use the XML file format. The file is stored in the physical path of the web server instance, which by default is c:\inetpub\wwwroot\BC210. Learn more in Settings in the navsettings.json.

For each user of the Dynamics NAV Client connected to Business Central, you must modify the ClientUserSettings.config file. The default location for this file is C:\Users\<username>\AppData\Roaming\Microsoft\Microsoft Dynamics NAV\130, where <username> is the name of the user. Learn more in Configuring the Microsoft Dynamics NAV Windows Client in the ITPro content for Microsoft Dynamics NAV 2018.
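
The requirement that server and clients use the same credential type can be checked mechanically. The following Python audit is an added example, not code from this page or from Microsoft: it compares ClientServicesCredentialType across CustomSettings.config, navsettings.json, and ClientUserSettings.config, and checks the web service SSL flags when the credential type passes credentials. The sample file contents, the NAVWebSettings wrapper, and the SOAPServicesSSLEnabled and ODataServicesSSLEnabled key names don't appear on this page and are assumptions.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample files (not from a real deployment); layouts are assumed.
SERVER_CONFIG = """<appSettings>
  <add key="ClientServicesCredentialType" value="NavUserPassword" />
  <add key="SOAPServicesSSLEnabled" value="false" />
  <add key="ODataServicesSSLEnabled" value="true" />
</appSettings>"""
WEB_CONFIG = '{"NAVWebSettings": {"ClientServicesCredentialType": "Windows"}}'
CLIENT_CONFIG = """<configuration><appSettings>
  <add key="ClientServicesCredentialType" value="NavUserPassword" />
</appSettings></configuration>"""

KEY = "ClientServicesCredentialType"
# Types the page marks as internal use, and types it says need certificates.
INTERNAL = {"None", "ExchangeIdentity", "TaskScheduler", "Impersonate"}
NEEDS_CERT = {"UserName", "NavUserPassword", "AccessControlService"}

def xml_settings(text):
    """Return {key: value} from <add key=... value=...> elements at any depth."""
    return {e.get("key"): e.get("value") for e in ET.fromstring(text).iter("add")}

def audit(server_xml, web_json, client_xml):
    """Return a list of findings; an empty list means the files are consistent."""
    findings = []
    server = xml_settings(server_xml)
    cred = server.get(KEY)
    clients = {
        "navsettings.json": json.loads(web_json).get("NAVWebSettings", {}).get(KEY),
        "ClientUserSettings.config": xml_settings(client_xml).get(KEY),
    }
    if cred in INTERNAL:
        findings.append(f"server: {cred} is for internal use only")
    if cred == "NavUserPassword":
        findings.append("server: NavUserPassword in use; prefer Microsoft Entra ID or Windows")
    for name, value in clients.items():
        if value != cred:
            findings.append(f"{name}: {value} does not match server {cred}")
    if cred in NEEDS_CERT:  # credentials cross the wire, so SOAP/OData need SSL
        for flag in ("SOAPServicesSSLEnabled", "ODataServicesSSLEnabled"):
            if (server.get(flag) or "false").lower() != "true":
                findings.append(f"server: {flag} is not true while {cred} passes credentials")
    return findings

if __name__ == "__main__":
    for finding in audit(SERVER_CONFIG, WEB_CONFIG, CLIENT_CONFIG):
        print(finding)
```

Run it against copies of the real files after any credential type change and before restarting the Business Central Server instance.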

Security certificates

UserName, NavUserPassword, and AccessControlService credential types require that you install and configure security certificates on components. Learn more in Using Security Certificates with Business Central on-premises.

See also

Understanding Users, Profiles, and Role Centers
Configuring Business Central Server