Provisioning the Microsoft Dynamics NAV Server Account
The Microsoft Dynamics NAV Server account is used by Dynamics NAV clients to log on to the Microsoft Dynamics NAV Server instance. The Microsoft Dynamics NAV Server then uses the service account to log on to the Dynamics NAV database. When you install Microsoft Dynamics NAV Server, you identify an Active Directory account to provide credentials for the server. By default, Setup runs Microsoft Dynamics NAV Server under the Network Service account, a predefined local account used by the service control manager. This account has minimum privileges on the local computer and acts as the computer on the network.
We recommend that you create a domain user account for running Microsoft Dynamics NAV Server. The Network Service account is considered less secure because it is a shared account that can be used by other unrelated network services. Any users who have rights to this account have rights to all services that are running on this account. If you create a domain user account to run Microsoft Dynamics NAV Server, you can use the same account to run SQL Server, whether or not SQL Server is on the same computer.
Note
Because Dynamics NAV Setup and the New-NavDatabase cmdlet configure the required permissions for the Microsoft Dynamics NAV Server account, you will typically use the procedures in this topic when you change the Microsoft Dynamics NAV Server account for an existing installation.
To provision a Microsoft Dynamics NAV Server account, complete the following procedures as described in this topic:
Prerequisite
Delete the Microsoft Dynamics NAV folder in the ProgramData folder of your system drive, for example, C:\ProgramData\Microsoft\Microsoft Dynamics NAV.
The ProgramData folder is typically hidden, so you might have to change the folder options for your system drive to show hidden files, folders, and drives.
Provisioning a Domain User Account
If you are running the Microsoft Dynamics NAV Server under a domain user account, you must:
Enable the account to log in as a service
Enable the account to register an SPN on itself
Add the account to the SMSvcHost.exe.config file
Give the account necessary database privileges in SQL Server
Enabling the account to log in as a service
Depending on various factors, the account may or may not already have this ability. For example, if you have already installed SQL Server and configured it to run under the same account, SQL Server will have modified the account to log in as a service.
Instructions for enabling an account to log in as a service are available on TechNet. See Add the Log on as a service Right to an Account. The instructions are for Windows Server 2008. For Windows 7, use this version of the procedure: Add the Log on as a service right to an account.
When this right is missing, Microsoft Dynamics NAV Server instances may fail to start.
Enabling the account to register an SPN on itself
To enable secure mutual authentication between clients and Microsoft Dynamics NAV Server, you must configure the Microsoft Dynamics NAV Server account to self-register Service Principal Names (SPNs). Mutual authentication is recommended in a production environment but may not be necessary in a testing or staging environment. The following procedure assumes a computer running Windows Server 2008 or Windows Server 2008 R2. On Windows 7 or Windows Vista you would need to install the Remote Server Administration Tools first.
To enable the Microsoft Dynamics NAV Server account to register an SPN on itself
Start the Active Directory Users and Computers snap-in in Microsoft Management Console (MMC):
Choose Run on the Start menu, type mmc on the command line, and then choose OK.
When the console opens, select Add/Remove Snap-In from the File menu, select Active Directory Users and Computers, and choose Add.
If you do not see Active Directory Users and Computers in the list of available snap-ins, you may need to use Server Manager to install the Active Directory Domain Services role on your server computer.
In MMC, select Active Directory Users and Computers in the tree view and choose Advanced Features from the View menu.
Expand the domain node in the tree view and choose Users.
Right-click the service account, select Properties, and then choose to display the Security tab.
Choose SELF in the Group or user names list.
Under Permissions for SELF, in the lower part of the panel, scroll down to Write public information and select the Allow column.
Choose OK to exit the Properties panel, and close Active Directory Users and Computers.
Add the account to the SMSvcHost.exe.config file
Dynamics NAV uses the Net.TCP Port Sharing Service, which is managed by SMSvcHost.exe. The SMSvcHost.exe.config file contains information about the identities (or accounts) that can use the service. These accounts are specified as security identifiers (SIDs) in the <allowAccounts> section of the SMSvcHost.exe.config file. By default, permission is implicitly granted to system accounts, such as NetworkService. For other accounts, you must explicitly add the SID for the account to the SMSvcHost.exe.config file as follows:
Get the SID of the user account.
The SID is an alphanumeric character string, such as S-1-5-20 or S-1-5-32-544. There are different ways to get the SID, such as using the Windows Management Instrumentation Command-line (WMIC) tool or the computer's registry.
To use WMIC, open a command prompt, and run the following command:
wmic useraccount get name,sid
This will display a list of user accounts and their SIDs.
To use the registry, run regedit, and then go to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList key. This key lists the SIDs for each user account that has a profile on the computer. To find the SID that corresponds to the user account that you want, look at the ProfileImagePath value data.
Using a text editor, open the SMSvcHost.exe.config file.
You will find the SMSvcHost.exe.config file in the installation folder for the latest .NET Framework version on the Microsoft Dynamics NAV Server computer; for example, C:\Windows\Microsoft.NET\Framework\v4.0.30319.
Add the SID to the <allowAccounts> element as follows, and then save the file:
<system.serviceModel.activation>
  <net.tcp listenBacklog="10" maxPendingConnections="100" maxPendingAccepts="2" receiveTimeout="00:00:10" teredoEnabled="false">
    <allowAccounts>
      <!-- Your NAV Server account -->
      <add securityIdentifier="N-N-N-N"/>
    </allowAccounts>
  </net.tcp>
</system.serviceModel.activation>
For more information about SMSvcHost.exe and the SMSvcHost.exe.config file, see Configuring the Net.TCP Port Sharing Service.
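The three steps above, as an added PowerShell example that is not part of the original topic: it resolves the SID from the account name, backs up SMSvcHost.exe.config, and adds the SID to <allowAccounts> only if it is not already there. It goes one step beyond the text by taking the config location from the binary path of the registered Net.TCP Port Sharing Service (service name NetTcpPortSharing) instead of assuming a Framework folder; the account name is a placeholder, and the script must run elevated because the file lives under the Windows folder.

```powershell
# Added example, not from the original topic. CONTOSO\navservice is a placeholder.
param(
    [string]$Account = 'CONTOSO\navservice',
    [string]$ConfigPath                      # defaults to the config of the running service
)

# Resolve the SID from the account name (the same value WMIC or the registry would show).
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Locate the config next to the SMSvcHost.exe that the Net.TCP Port Sharing Service really
# runs, so the Framework vs. Framework64 folder is not guessed.
if (-not $ConfigPath) {
    $svc = Get-CimInstance Win32_Service -Filter "Name='NetTcpPortSharing'"
    if ($null -eq $svc) { throw 'Net.TCP Port Sharing Service is not installed.' }
    $ConfigPath = $svc.PathName.Trim('"') + '.config'
}

# Return an existing child element, or create it when the shipped file has the whole
# <system.serviceModel.activation> section commented out.
function Get-OrAddChild([System.Xml.XmlElement]$Parent, [string]$Name) {
    $child = $Parent.SelectSingleNode($Name)
    if ($null -eq $child) {
        $child = $Parent.AppendChild($Parent.OwnerDocument.CreateElement($Name))
    }
    return $child
}

[xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw
$activation = Get-OrAddChild $cfg.DocumentElement 'system.serviceModel.activation'
$netTcp     = Get-OrAddChild $activation 'net.tcp'
$allow      = Get-OrAddChild $netTcp 'allowAccounts'

if ($null -ne $allow.SelectSingleNode("add[@securityIdentifier='$sid']")) {
    Write-Host "$Account ($sid) is already allowed in $ConfigPath"
} else {
    Copy-Item -LiteralPath $ConfigPath -Destination "$ConfigPath.bak" -Force
    $null = $allow.AppendChild($cfg.CreateComment(" Microsoft Dynamics NAV Server account: $Account "))
    $add = $cfg.CreateElement('add')
    $add.SetAttribute('securityIdentifier', $sid)
    $null = $allow.AppendChild($add)
    $cfg.Save($ConfigPath)
    Write-Host "Added $sid to <allowAccounts> in $ConfigPath; restart NetTcpPortSharing to apply."
}
```

The change takes effect only after the Net.TCP Port Sharing Service is restarted, and the .bak copy lets you roll back if the service then fails to start.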
Giving the account necessary database privileges in SQL Server
The Microsoft Dynamics NAV Server account needs two privileges on the SQL Server instance used for Dynamics NAV:
To create databases on the instance, it must have the dbcreator server-level role. This privilege is only needed during database creation.
To serve client requests and read from and write to the Dynamics NAV database, it must be a member of the db_owner database role on the Dynamics NAV database.
When you install the Dynamics NAV database by using Dynamics NAV Setup or the New-NAVDatabase PowerShell cmdlet, you can specify the Microsoft Dynamics NAV Server account. In these cases, the server account that you specify should already have the necessary privileges in SQL Server. If you change the Microsoft Dynamics NAV Server account for an existing installation, then you should verify the account has the required privileges in SQL Server.
To verify server-level and database-level privileges on SQL Server after you create your Dynamics NAV database, use SQL Server Management Studio and, if necessary, modify the privileges. If you installed SQL Server by following the guidelines in Installation Considerations for Microsoft SQL Server, then SQL Server Management Studio is already installed on your computer. Otherwise, update your SQL Server installation to include the Management Tools - Complete option (for SQL Server 2012/2014). For SQL Server 2016, SQL Server Management Studio can be downloaded and installed as a standalone application.
To assign necessary SQL Server privileges for the Microsoft Dynamics NAV Server account
Start SQL Server Management Studio and connect to the instance where the Dynamics NAV database is installed.
Create a login for the Microsoft Dynamics NAV Server account.
Navigate the tree view: Security, Logins.
Right-click Logins and choose New Login.
Choose Search, and use the Select User or Group dialog box to identify the Microsoft Dynamics NAV Server account.
Choose OK to exit the New Login dialog box.
(optional) Grant the login Alter any event session and View server state permissions.
This step is only required if you want to log SQL Server deadlocks in the Windows Event log for the Microsoft Dynamics NAV Server instance. For more information, see Monitoring SQL Database Deadlocks.
- Navigate the tree view: Security, Logins.
- Right-click the login that you created, and then choose Properties.
- Under Select a page, choose Securables.
- On the Explicit tab, select the Alter any event session and View server state check boxes in the Grant column.
- Choose OK.
Grant the login the server-level role dbcreator
- Navigate the tree view: Security, Logins.
- Right-click the Microsoft Dynamics NAV Server account, and then choose Properties.
- Click on Server Roles.
- Check the dbcreator box.
- Choose OK.
Add the login as a user on the master database.
Navigate the tree view: Databases, System Databases, master, Security, Users.
Right-click Users and choose New User.
Choose the ellipsis button at the far right of the second line in the Database User – New dialog box.
In the Select Login dialog box, enter or browse for the login you created for the Microsoft Dynamics NAV Server account.
Enter a name in the User name field (the first line in the Database User - New dialog box).
Choose OK to exit the Database User - New dialog box.
Grant the Microsoft Dynamics NAV Server login permissions on the master database. In the tree view, right-click master and choose Properties. Then do the following in the Database Properties – master dialog box.
Under Select a Page, choose Permissions.
Under Name, choose the login you created for the Microsoft Dynamics NAV Server account name.
Under Permissions for <username>, on the Explicit tab, scroll down to the Select line, and select the check box in the Grant column.
Choose OK to exit the Database Properties – master dialog box.
Navigate the tree view: Databases, System Databases, master, Tables, System Tables.
Right-click the dbo.$ndo$srvproperty table and choose Properties.
Under Select a Page, choose Permissions.
Choose Search, and use the Select User or Group dialog box to identify the login for the Microsoft Dynamics NAV Server account.
Under Permissions for <username>, on the Explicit tab, scroll down to the Select line, and select the check box in the Grant column.
Choose OK to exit the Table Properties – dbo.$ndo$srvproperty dialog box.
Grant the login the necessary database roles on the Dynamics NAV database.
Navigate the tree view: Databases, <your Microsoft Dynamics NAV database>, Security, Users.
Right-click Users and choose New User.
In the Database User – New dialog box, choose the ellipsis button at the far right of the second line.
Select the login you created for the Microsoft Dynamics NAV Server account name and choose OK.
Under Database role membership, select the db_owner check box.
Choose OK to exit the Database User – New dialog box.
Right-click your Dynamics NAV database and choose Properties.
Under Select a Page, choose Permissions.
Choose Search, and use the Select User or Group dialog box to identify the login you created for the Microsoft Dynamics NAV Server account.
Under Permissions for <username>, on the Explicit tab, scroll down to the View database state line, and select the check box in the Grant column.
Choose OK to exit the Database Properties dialog box for your Dynamics NAV database.
Alternatively, you can script these steps in SQL Server Management Studio, as shown in the following example:
USE [master]
GO
-- Login for the Microsoft Dynamics NAV Server account, and the user that maps it in master
CREATE LOGIN [domain\accountname] FROM WINDOWS
CREATE USER [domain\accountname] FOR LOGIN [domain\accountname]
GRANT SELECT ON [master].[dbo].[$ndo$srvproperty] TO [domain\accountname]
-- Server-level role, needed only while the Dynamics NAV database is created
ALTER SERVER ROLE [dbcreator] ADD MEMBER [domain\accountname]
-- Optional: server-level permissions for logging SQL Server deadlocks in the Windows Event log.
-- Server-scope permissions can only be granted while master is the current database.
GRANT VIEW SERVER STATE TO [domain\accountname]
GRANT ALTER ANY EVENT SESSION TO [domain\accountname]
GO
USE [Microsoft Dynamics NAV Database]
GO
-- User and database-level privileges on the Dynamics NAV database
CREATE USER [domain\accountname] FOR LOGIN [domain\accountname]
ALTER ROLE [db_owner] ADD MEMBER [domain\accountname]
GRANT VIEW DATABASE STATE TO [domain\accountname]
GO
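Verifying the privileges from this procedure for an existing installation, as an added PowerShell example that is not part of the original topic: one row per privilege with granted = 0 where it is missing. It assumes Invoke-Sqlcmd from the SqlServer module (Install-Module SqlServer) and placeholder instance, database and account names; database users are matched to the login by SID, because the user name chosen in the Database User - New dialog box need not equal the login name, and only explicit grants are reported, not permissions inherited from db_owner or sysadmin.

```powershell
function Test-NavServerSqlPrivileges {
    param(
        [string]$ServerInstance = 'NAVSQL01',            # placeholder instance name
        [string]$NavDatabase    = 'Demo Database NAV',   # placeholder database name
        [string]$Login          = 'CONTOSO\navservice'   # placeholder NAV Server account
    )
    # Explicit grants only; db-level principals are matched to the login by SID.
    $sql = @'
DECLARE @login sysname = N'{0}';
SELECT privilege = 'dbcreator server role',
       granted   = ISNULL(IS_SRVROLEMEMBER('dbcreator', @login), 0)
UNION ALL
SELECT 'VIEW SERVER STATE (optional, deadlock logging)', COUNT(*)
  FROM sys.server_permissions p
  JOIN sys.server_principals sp ON sp.principal_id = p.grantee_principal_id
 WHERE sp.name = @login AND p.state IN ('G','W') AND p.permission_name = 'VIEW SERVER STATE'
UNION ALL
SELECT 'ALTER ANY EVENT SESSION (optional, deadlock logging)', COUNT(*)
  FROM sys.server_permissions p
  JOIN sys.server_principals sp ON sp.principal_id = p.grantee_principal_id
 WHERE sp.name = @login AND p.state IN ('G','W') AND p.permission_name = 'ALTER ANY EVENT SESSION'
UNION ALL
SELECT 'SELECT on master.dbo.$ndo$srvproperty', COUNT(*)
  FROM master.sys.database_permissions p
  JOIN master.sys.database_principals u ON u.principal_id = p.grantee_principal_id
  JOIN sys.server_principals sp ON sp.sid = u.sid
 WHERE sp.name = @login AND p.state IN ('G','W') AND p.permission_name = 'SELECT'
   AND (p.class = 0 OR (p.class = 1 AND p.major_id = OBJECT_ID('master.dbo.[$ndo$srvproperty]')))
UNION ALL
SELECT 'db_owner on the NAV database', COUNT(*)
  FROM sys.database_role_members rm
  JOIN sys.database_principals r  ON r.principal_id = rm.role_principal_id
  JOIN sys.database_principals u  ON u.principal_id = rm.member_principal_id
  JOIN sys.server_principals   sp ON sp.sid = u.sid
 WHERE r.name = 'db_owner' AND sp.name = @login
UNION ALL
SELECT 'VIEW DATABASE STATE on the NAV database', COUNT(*)
  FROM sys.database_permissions p
  JOIN sys.database_principals u  ON u.principal_id = p.grantee_principal_id
  JOIN sys.server_principals   sp ON sp.sid = u.sid
 WHERE sp.name = @login AND p.state IN ('G','W') AND p.permission_name = 'VIEW DATABASE STATE';
'@ -f $Login.Replace("'", "''")

    # Run in the NAV database so the unqualified sys.database_* views refer to it.
    Invoke-Sqlcmd -ServerInstance $ServerInstance -Database $NavDatabase -Query $sql
}
```

Filter the result on granted -eq 0 to list what still has to be granted, for example after switching the service account on an existing installation.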
Provisioning the Network Service Account
The only circumstance where it is necessary to take any action with regard to the Network Service account is when you change the Microsoft Dynamics NAV Server account on an existing installation from a domain account to the Network Service account. In this situation you must verify that the account has the necessary database privileges in SQL Server, as described in Giving the account necessary database privileges in SQL Server, above.