Authenticating Business Central Users with NavUserPassword

NavUserPassword is an authentication method that's handled by Business Central Server, but isn't based on Windows users or Active Directory. Each user is set up with a user name and password that's configured inside Business Central only. The user is prompted for username/password credentials when they start the client.

Caution

Microsoft recommends that you don’t use NavUserPassword authentication. Microsoft Entra ID and Windows authentication are more secure alternatives. You should only use NavUserPassword authentication when Microsoft Entra ID and Windows authentication aren't viable.

Preparation

Obtain and set up security certificates on the Business Central deployment. NavUserPassword authentication requires the use of service certificates to help secure client connections over a wide area network (WAN). In a production environment, you should obtain a certificate from a certification authority or trusted provider. In a test environment, if you don't have a certificate, then you can create your own self-signed certificate. The implementation of certificates involves installation and configuration of the certificates on the Business Central Server and client computers.

Learn more in Using Certificates to Secure Connections.

Important

As you follow the instructions, don't change the credential type used by Business Central Server and Business Central Web Server for now. You'll change it later in this article.

Task 1: Set up your Business Central user account with a password

You can postpone this task for other users, but you must do this task for your user account. If you don't, you won't be able to sign in to Business Central after you switch to NavUserPassword authentication.

  1. Open the Business Central client.
  2. Go to the Users page, then open your user account.
  3. Under Business Central Password Authentication, choose the Review or update the value for password. button next to the Password field.
  4. Enter the password in the Password and Confirm Password fields, then choose OK.

You're now done with setting up your account.

Task 2: Configure Business Central Server

You can configure the Business Central Server by using the Business Central Server Administration tool or Business Central Administration Shell.

  1. Run Business Central Administration Shell as an administrator.

    To configure the server instance in the next steps, you'll use the Set-NAVServerConfiguration cmdlet.

  2. Set the ClientServicesCredentialType to NavUserPassword.

    Set-NAVServerConfiguration -ServerInstance <BC server instance name> -KeyName ClientServicesCredentialType -KeyValue NavUserPassword
    
  3. Restart the server instance.

    Restart-NAVServerInstance -ServerInstance <BC server instance name>
    

Task 3: Configure Business Central Web Server components

Configure the Business Central Web Server components to use NavUserPassword as the credential type.

  1. Open the navsettings.json for the Business Central Web Server in a text or code editor, such as Notepad or Visual Studio Code.

  2. Set the ClientServicesCredentialType key value to NavUserPassword.

    "ClientServicesCredentialType":  "NavUserPassword",
    
  3. Save the navsettings.json file.

Learn more in Configuring Business Central Web Server Instances.
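A read-only check for Task 3, added here as an example and not taken from the original article or from Microsoft's tooling: it parses navsettings.json and reports whether ClientServicesCredentialType matches the value set on the server in Task 2. The function name Test-BcWebCredentialType, the sample files, and the assumption that the settings sit under a NAVWebSettings root object are illustrative.

```powershell
# Added example: read-only check of a Business Central Web Server settings file.
# Assumption: settings sit under a root "NAVWebSettings" object; a flat file is also accepted.
function Test-BcWebCredentialType {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Expected = 'NavUserPassword'
    )
    $result = [ordered]@{ Path = $Path; Found = $null; Expected = $Expected; Status = 'Unknown' }
    if (-not (Test-Path -LiteralPath $Path)) {
        $result.Status = 'FileMissing'
        return [pscustomobject]$result
    }
    try {
        $json = Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json -ErrorAction Stop
    } catch {
        $json = $null   # a hand edit left the file unparsable (missing quote, brace or comma)
    }
    if ($null -eq $json) {
        $result.Status = 'InvalidJson'
        return [pscustomobject]$result
    }
    $settings = if ($json.PSObject.Properties['NAVWebSettings']) { $json.NAVWebSettings } else { $json }
    $prop = $settings.PSObject.Properties['ClientServicesCredentialType']
    if (-not $prop) {
        $result.Status = 'KeyMissing'
    } else {
        $result.Found = [string]$prop.Value
        # PowerShell's -eq compares strings without regard to case.
        $result.Status = if ($result.Found -eq $Expected) { 'Match' } else { 'Mismatch' }
    }
    [pscustomobject]$result
}

# Constructed sample files (not from a real deployment): correct, stale, and truncated by a bad edit.
$dir = Join-Path ([IO.Path]::GetTempPath()) ("bc-check-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
$samples = [ordered]@{
    'ok.json'     = '{ "NAVWebSettings": { "ServerInstance": "BC", "ClientServicesCredentialType": "NavUserPassword" } }'
    'stale.json'  = '{ "NAVWebSettings": { "ServerInstance": "BC", "ClientServicesCredentialType": "Windows" } }'
    'broken.json' = '{ "NAVWebSettings": { "ClientServicesCredentialType": "NavUserPassword" '
}
foreach ($name in $samples.Keys) {
    $file = Join-Path $dir $name
    Set-Content -LiteralPath $file -Value $samples[$name]
    Test-BcWebCredentialType -Path $file
}
Remove-Item -LiteralPath $dir -Recurse -Force
```

Point -Path at the web server instance's own navsettings.json to check a real deployment; a Status other than Match means the web server components and the server instance disagree on the credential type or the file needs repair.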

Next steps

  1. Set up other Business Central users with a Business Central password, like you did in Task 1.
  2. (Optional) Set web service accounts as needed. For more information, see How to use an Access Key for SOAP and OData Web Service Authentication.
