Using security certificates with Business Central on-premises
You use certificates to help secure connections over a wide area network (WAN), such as connections from the Business Central Web Server, Dynamics NAV Client connected to Business Central, and web services to the Business Central Server. Implementing security certificates on your deployment environment requires modifications to various components, like the Business Central Server, Business Central Web Server, and clients.
About security certificates
A certificate is a file that Business Central Server uses to prove its identity and establish a trusted connection with the client that is trying to connect. Business Central can support the following configurations:
- Chain trust, which specifies that each certificate must belong to a hierarchy of certificates that ends in a root authority at the top of the chain.
- Peer trust, which specifies that both self-issued certificates and certificates in a trusted chain are accepted.
The implementation in this section describes the chain trust configuration, which is the more secure option.
Note
An instance of Business Central Server that has been configured for secure WAN communication always prompts users for authentication when they start the client, even when the client computer is in the same domain as Business Central Server.
Certificates for production
In a production environment, you should obtain a certificate from a certification authority or trusted provider. Some large organizations might have their own certification authorities, and other organizations can request a certificate from a third-party organization.
Obtaining certificates
You implement chain trust by obtaining X.509 service certificates from a trusted provider. These certificates and their root certification authority (CA) certificates must be installed in the certificates store on the computer that is running Business Central Server. The CA certificate must also be installed in the certificate store on computers that are running the Business Central Web Server so that clients can validate the server.
Most enterprises and hosting providers have their own infrastructure for issuing and managing certificates. You can also use these certificate infrastructures. The only requirement is that the service certificates must be set up for key exchange and therefore must contain both private and public keys. Additionally, the service certificates that are installed on Business Central Server instances must have the Server Authentication and Client Authentication certificate purposes enabled.
Important
Microsoft recommends against using wildcard SSL certificates in Business Central installations. Wildcard certificates pose security risks because if one server or sub-domain is compromised, all sub-domains may be compromised. Wildcard certificates also introduce a new style of impersonation attack. In this attack, the victim is lured to a fraudulent resource in the certified domain through phishing. Conventional certificates detect this attack, because the user’s browser checks that the private key is hosted on a server whose name matches the one displayed in the browser’s address window.
Run the certificates snap-in for Microsoft Management Console
Some of the following procedures use the Certificates snap-in for Microsoft Management Console (MMC). If you don't already have this snap-in installed, you can add it to the MMC. Learn more at Add the Certificates Snap-in to an MMC.
Install and configure the certificates
You install the security certificates on the computers running Business Central Server, Business Central Web Server, and Dynamics NAV Client connected to Business Central. The root CA certificate and the service certificate are used in the configuration, but client certificates aren't.
Install certificates on components
Follow the installation instructions that are available from your certificate provider to install the root CA and service certificates on the following computers:
- Install the root CA on the computer that is running Business Central Server and all computers that are running Business Central Web Server instances and Dynamics NAV Client connected to Business Central.
- Install the service certificate on the computer that is running Business Central Server only.
Make sure that the Server Authentication and Client Authentication certificate purposes are enabled for the service certificate.
A certificate can be enabled for several different purposes. The Server Authentication and Client Authentication purposes must be enabled. You can enable or disable other purposes to suit your requirements.
You enable certificate purposes by using the Certificates Snap-in for MMC. For more information, see Modify the Properties of a Certificate.
Grant access to the Business Central Server service account
After you install the root CA and the service certificate on the Business Central Server computer, grant access to the service account, so the account can access the service certificate's private key.
In the left pane of MMC, expand the Certificates (Local Computer) node, expand the Personal node, and then select the Certificates subfolder.
In the right pane, right-click the certificate, select All Tasks, and then choose Manage Private Keys.
In the Permissions dialog box for the certificate, choose Add.
In the Select Users, Computers, Service Accounts, or Groups dialog box, enter the name of the dedicated domain user account that is associated with Business Central Server, and then choose the OK button.
In the Full Control field, select Allow, and then choose the OK button.
In the right pane, select the certificate.
In the Certificate dialog box, choose the Details tab, and then select the Thumbprint field.
Copy the value of Thumbprint field.
For example, copy the hexadecimal characters to a text editor, such as Notepad. Delete all spaces from the thumbprint string. If the thumbprint is c0 d0 f2 70 95 b0 3d 43 17 e2 19 84 10 24 32 8c ef 24 87 79, then change it to c0d0f27095b03d4317e219841024328cef248779.
Tip
It is important that the thumbprint does not contain any invisible extra characters; otherwise you will experience problems when using it later. Learn more at Certificate thumbprint displayed in MMC certificate snap-in has extra invisible unicode character.
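The checks this section asks for by hand (private key present, Server and Client Authentication purposes enabled, chain ending in a trusted root, thumbprint free of spaces and invisible characters) can be run as one script on the Business Central Server computer. The following PowerShell is an added example, not code from the Microsoft page; the subject name bcserver.contoso.example is an assumption, and the function names are hypothetical.

```powershell
# Added example, not from the Microsoft page. Run on the Business Central Server
# computer. $SubjectCn is an assumed value; replace it with the CN of your service
# certificate.
$SubjectCn = 'bcserver.contoso.example'

# Enhanced key usage OIDs for the two purposes the page requires.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication

function Get-CleanThumbprint {
    param([Parameter(Mandatory)][string]$RawThumbprint)
    # Keep hex digits only. This drops the spaces MMC shows between byte pairs and
    # any invisible character (such as U+200E) that comes along when the value is
    # copied out of the snap-in.
    $clean = ($RawThumbprint -replace '[^0-9A-Fa-f]', '').ToLowerInvariant()
    if ($clean.Length -ne 40) {
        throw "Thumbprint has $($clean.Length) hex digits after cleaning; a SHA-1 thumbprint has 40."
    }
    return $clean
}

function Test-BcServiceCertificate {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $problems = @()

    # Key exchange requires the private key to be present in this store.
    if (-not $Cert.HasPrivateKey) { $problems += 'private key is not present' }

    # Validity window.
    $now = Get-Date
    if ($Cert.NotBefore -gt $now -or $Cert.NotAfter -lt $now) {
        $problems += "not valid at $now (NotBefore $($Cert.NotBefore), NotAfter $($Cert.NotAfter))"
    }

    # Both required purposes must be present in the certificate's own EKU extension.
    # An absent extension means all purposes. Purposes disabled later through the
    # snap-in's Properties dialog are a store setting and are not visible here, so
    # that dialog still has to be checked by hand.
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku) {
        $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        foreach ($required in $ServerAuthOid, $ClientAuthOid) {
            if ($oids -notcontains $required) { $problems += "enhanced key usage $required is not enabled" }
        }
    }

    # Chain trust: the certificate must chain to a root CA this computer trusts.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Offline check so the script runs without CRL/OCSP access; use Online when you can.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($Cert)) {
        $problems += ($chain.ChainStatus | ForEach-Object { "chain: $($_.StatusInformation.Trim())" })
    }

    # The page recommends against wildcard certificates; flag one if found.
    if ($Cert.Subject -match 'CN=\*\.') { $problems += 'subject is a wildcard name' }

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Issuer     = $Cert.Issuer
        Thumbprint = Get-CleanThumbprint $Cert.Thumbprint   # value for ServicesCertificateThumbprint
        Usable     = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$SubjectCn*" } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$SubjectCn in the Local Computer Personal store." }
Test-BcServiceCertificate -Cert $cert | Format-List
```

The Thumbprint value in the output is the cleaned form the later Set-NAVServerConfiguration step expects. A non-empty Problems list is the reason a client will refuse the connection, so resolve every entry before configuring the server instance.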
Configure the Business Central Server instance
The Business Central Server instance configuration includes several settings for certificates and enabling remote logins. You can modify a server instance by using Business Central Server Administration tool (version 20 and earlier only) or Business Central Administration Shell. Learn more about how to modify a server instance in Configuring Business Central Server.
Using Business Central Administration Shell
Run the Business Central Administration Shell as an administrator. Learn more in Administration Shell.
At the prompt, run the following command to specify the certificate thumbprint:
Set-NAVServerConfiguration -ServerInstance <BC server instance> -KeyName ServicesCertificateThumbprint -KeyValue <thumbprint>
Substitute <BC server instance> with the name of your server instance, like BC240.
Run the following command to enable SSL between the web client and Business Central Server:
Set-NAVServerConfiguration -ServerInstance <BC server instance> -KeyName ClientServicesSSLEnabled -KeyValue true
Note
This step is only for version 21 and later.
Run the following commands to secure SOAP and OData web services:
Set-NAVServerConfiguration -ServerInstance <BC server instance> -KeyName SOAPServicesSSLEnabled -KeyValue true
Set-NAVServerConfiguration -ServerInstance <BC server instance> -KeyName ODataServicesSSLEnabled -KeyValue true
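The three Set-NAVServerConfiguration commands above apply the settings but do not tell you whether they took effect or whether the instance started cleanly afterwards. The following PowerShell is an added example, not code from the Microsoft page: it validates the thumbprint, applies the settings, reads the configuration back, restarts the instance and then checks the Application log for errors from the server. It assumes it runs in the Business Central Administration Shell; the instance name BC240 and the event provider name pattern MicrosoftDynamicsNavServer$<instance> are assumptions.

```powershell
# Added example, not from the Microsoft page. Assumes it runs in the Business Central
# Administration Shell (so the NAV cmdlets are loaded) on the server computer.
# $ServerInstance and the event-log provider name pattern are assumptions.
$ServerInstance = 'BC240'
$Thumbprint     = 'c0d0f27095b03d4317e219841024328cef248779'   # the page's sample value; use your own

# Accept only 40 hex digits: a stray space or invisible character would otherwise be
# written into the configuration and stop the service from starting.
if ($Thumbprint -notmatch '^[0-9a-fA-F]{40}$') {
    throw 'Thumbprint must be exactly 40 hex digits with no spaces.'
}

# The certificate must exist in the Local Computer Personal store with its private key.
$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key in this store." }

$settings = [ordered]@{
    ServicesCertificateThumbprint = $Thumbprint
    ClientServicesSSLEnabled      = 'true'   # version 21 and later only
    SOAPServicesSSLEnabled        = 'true'
    ODataServicesSSLEnabled       = 'true'
}

foreach ($entry in $settings.GetEnumerator()) {
    Set-NAVServerConfiguration -ServerInstance $ServerInstance -KeyName $entry.Key -KeyValue $entry.Value
}

# Read the configuration back and compare, rather than trusting that the writes succeeded.
$current  = Get-NAVServerConfiguration -ServerInstance $ServerInstance
$mismatch = @()
foreach ($entry in $settings.GetEnumerator()) {
    $actual = ($current | Where-Object { $_.key -eq $entry.Key }).value
    if ($actual -ne $entry.Value) {
        $mismatch += "$($entry.Key): expected '$($entry.Value)', found '$actual'"
    }
}
if ($mismatch) { throw ("Configuration did not apply:`n" + ($mismatch -join "`n")) }

# New values take effect only after a restart.
Restart-NAVServerInstance -ServerInstance $ServerInstance
$restartedAt = Get-Date

# The scripted form of "see Windows Event Viewer": surface any error the instance
# logged while coming back up (a wrong thumbprint or a missing private key
# permission shows up here).
Start-Sleep -Seconds 15
$provider = "MicrosoftDynamicsNavServer`$$ServerInstance"   # assumed provider name pattern
Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = $provider; Level = 2; StartTime = $restartedAt
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

No output from the final Get-WinEvent means the instance logged no errors in the 15 seconds after the restart. Leave the ClientServicesSSLEnabled entry out of the hashtable on version 20 and earlier.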
Using Business Central Server Administration tool
The Business Central Server Administration tool is only available for version 20 and earlier.
Run the Business Central Server Administration tool.
Under General, change the following settings for the Business Central Server instance.
Change these settings:
- Credential Type. New value: Windows, NavUserPassword, Username, or AccessControlService. Description: the default value is Windows. When you change it to NavUserPassword, Username, or AccessControlService, client users who connect to the server are prompted for user name and password credentials.
- Certificate Thumbprint. New value: the value of the Thumbprint field in the previous procedure. Description: remove any leading or trailing spaces in the thumbprint.
If you want to use secure web services, then under SOAP Services and OData Services, select the Enable SSL check box.
Save the new values for the server instance.
Restart the Business Central Server instance.
If there's a problem, see Windows Event Viewer.
Configure the Business Central Web Server
The chain trust configuration allows client users to sign in to instances of Business Central Server as long as their login credentials are associated with user accounts in Business Central. The client validates that the server certificate is signed by the root CA.
After you install the root CA on the computer running the Business Central Web Server, modify the client configuration file.
Modify the Business Central Web client configuration file
To configure the Business Central Web Server, you need the subject name, also known as the common name (CN), of the certificate that is used on the computer that is running Business Central Server.
You can configure the Business Central Web Server using the Business Central Administration Shell or changing the navsettings.json file manually.
Using Business Central Administration Shell
Run the Business Central Administration Shell as an administrator. For more information, see Administration Shell.
At the prompt, run the following commands:
Set-NAVWebServerInstanceConfiguration -WebServerInstance <web server instance> -KeyName DnsIdentity -KeyValue <certificate subject name or common name>
The following command is only required for version 21 and later:
Set-NAVWebServerInstanceConfiguration -WebServerInstance <web server instance> -KeyName ServerHttps -KeyValue true
Substitute <web server instance> with the name of your web server instance, like BC240.
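After DnsIdentity and ServerHttps are set, the useful check is whether this web server computer would actually accept the server's certificate: the chain must end in the root CA installed here, and the certificate's name must match DnsIdentity. The following PowerShell is an added example, not code from the Microsoft page. It applies the two settings and then performs a TLS handshake against the server's client services port, reporting the policy errors the client would see. The instance name BC240, the host name bcserver.contoso.example, the port 7046 (the default ClientServicesPort) and the function name are assumptions.

```powershell
# Added example, not from the Microsoft page. Runs in the Business Central Administration
# Shell on the web server computer. Host name, port and instance name are assumptions.
$WebServerInstance  = 'BC240'
$BcServerHost       = 'bcserver.contoso.example'   # name that resolves to the Business Central Server computer
$DnsIdentity        = 'bcserver.contoso.example'   # CN of the service certificate installed on that computer
$ClientServicesPort = 7046                         # assumed ClientServicesPort of the server instance

Set-NAVWebServerInstanceConfiguration -WebServerInstance $WebServerInstance -KeyName DnsIdentity -KeyValue $DnsIdentity
Set-NAVWebServerInstanceConfiguration -WebServerInstance $WebServerInstance -KeyName ServerHttps -KeyValue true   # version 21 and later

function Test-BcServerTls {
    param([string]$HostName, [int]$Port, [string]$ExpectedIdentity)
    $result = @{ PolicyErrors = $null }
    # Record the validation outcome instead of aborting, so the report shows why the
    # client would reject the server (untrusted root, name mismatch, and so on).
    $callback = {
        param($sender, $certificate, $chain, $policyErrors)
        $result.PolicyErrors = $policyErrors
        return $true
    }.GetNewClosure()

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream(
            $tcp.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]$callback)
        # The target host given here is what the name check runs against; passing the
        # configured DnsIdentity mirrors the identity check the Web Server performs.
        $ssl.AuthenticateAsClient($ExpectedIdentity)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Subject      = $remote.Subject
            Issuer       = $remote.Issuer
            Thumbprint   = $remote.Thumbprint
            Protocol     = $ssl.SslProtocol
            PolicyErrors = $result.PolicyErrors   # None means chain and name both validated
            Trusted      = ($result.PolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
        }
    }
    finally { $tcp.Close() }
}

Test-BcServerTls -HostName $BcServerHost -Port $ClientServicesPort -ExpectedIdentity $DnsIdentity | Format-List
```

Trusted is true only when the handshake validated both the chain and the name. RemoteCertificateChainErrors points at a missing or wrong root CA on this computer; RemoteCertificateNameMismatch means DnsIdentity does not match the subject of the certificate the server presents. This check only applies once ClientServicesSSLEnabled is true on the server instance, because before that the port does not speak TLS.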
Manually changing the navsettings.json
On the computer where the Business Central Web Server is installed, open the navsettings.json configuration file in a text editor, such as Notepad.
Change the following settings:
- ClientServicesCredentialType. New value: Windows, NavUserPassword, Username, or AccessControlService. Description: the default value is Windows. When you change it to NavUserPassword, Username, or AccessControlService, client users who connect to the server are prompted for user name and password credentials.
- DnsIdentity. New value: the subject name of the service certificate. Description: the default value is <identity>. Replace this value with the subject name or common name (CN) of the certificate that is used on the computer that is running Business Central Server.
- ServerHttps. New value: true. Description: the default value is false. This key is only available in version 21 and later, so it doesn't need to be set in earlier versions.
Save the navsettings.json configuration file.
Configure Dynamics NAV Client connected to Business Central
Note
This section only applies to Business Central Spring 2019, version 14. Dynamics NAV Client connected to Business Central isn't supported in later versions.
After you install the root CA on the computer running the Dynamics NAV Client connected to Business Central, you must modify the client configuration file.
Modify the Dynamics NAV Client connected to Business Central configuration file
Open the ClientUserSettings.config configuration file.
The location of this file is Users\<username>\AppData\RoamingLocal\Microsoft\Dynamics 365 Business Central\<version>.
By default, this file is hidden. Therefore, you might have to change your folder options in Windows Explorer to view hidden files.
Note
If you want to change default Dynamics NAV Client connected to Business Central settings for all future users, edit the default ClientUserSettings.config file—that is, the one in C:\Program Files (x86)\Microsoft Dynamics 365 Business Central\NNN. Be sure that you run your text editor with Administrator privileges when you do so.
Modify the following settings.
- ClientServicesCredentialType. New value: NavUserPassword, Username, or AccessControlService. Description: the default value is Windows. When you change it to NavUserPassword, Username, or AccessControlService, client users are prompted for user name and password credentials.
- DnsIdentity. New value: the subject name of the service certificate. Description: the default value is <identity>. Replace this value with the subject name or common name (CN) of the certificate that is used on the computer that is running Business Central Server.
Save and close the ClientUserSettings.config file.
When users start the Dynamics NAV Client connected to Business Central, they're prompted for a valid user name and password.