13 September 2016

Connecting the NAV Role Tailored Client over a Wide Area Network

Hi All, 


This topic contains information about how to implement a secure Microsoft Dynamics NAV Windows client connection to Microsoft Dynamics NAV Server over a wide area network (WAN). 


The process below looks long, but the steps are repetitive and do not take much time once you get started.



Configuring Microsoft Dynamics NAV Server

Step 1 : Please create a new user to test RTC Connection over WAN

To create a new user

1. In Navision in the Search box, enter Users, and then choose the related link.

2. In the Users window, on the Home tab, choose New.

3. In the User Card window, on the General FastTab, fill User Name.

4. To set up a user for NavUserPassword authentication, on the NAV Password Authentication FastTab, choose the Password field to specify a password for the user.

5. If you want to require the user to change the password after they log in for the first time, select User must change password at next login. The first time that the user logs on, a prompt asks the user to change the password.

6. Give relevant roles.



Step 2 : Create and install a root certification authority (CA) and a server certificate on the computer running Microsoft Dynamics NAV Server


Step 2.1 : To create a root CA and a private key file by using the makecert.exe utility

1. On the computer running Microsoft Dynamics NAV Server, create a temporary folder to use when you work with certificates.


2. Open the command prompt as follows:

2.1 If you have Visual Studio installed on your computer, choose Start, choose All Programs, choose Microsoft Visual Studio 2010, choose Visual Studio Tools, and then right-click Visual Studio Command Prompt and choose Run as Administrator.
2.2  If you have the Windows SDK installed on your computer, choose Start, choose All Programs, choose Microsoft Windows SDK, and then right-click Windows SDK Command Prompt (2010) (or CMD Shell) and choose Run as Administrator.

3. Create one folder to store certificates.

4. At the command prompt, go to the created folder and then type the following command. (i.e. E:\TestCertificates>makecert -n "CN=RootNavServiceCA" -r -sv RootNavServiceCA.pvk RootNavServiceCA.cer)

5. When you are prompted, enter a password.
You need this password to create the service certificate.

6. The RootNavServiceCA.cer certificate file and the RootNavServiceCA.pvk private key are saved in your temporary folder.


Step 2.2 : To use the Certificates snap-in to install the root CA on the computer running Microsoft Dynamics NAV Server


1. Start the Certificates snap-in for MMC on the computer running Microsoft Dynamics NAV Server, and then add the Certificates snap-in.
2. Choose Start, choose Run, and then type Mmc.exe.
Go to File --> Add or Remove Snap-ins, select Certificates, and click Add.
3. In the Certificates snap-in dialog box, choose Computer account, and then choose Next.
4. In the Select Computer pane, choose Local computer: (the computer this console is running on), and then choose Finish.
5. Choose OK to close the Add or Remove Snap-ins dialog box.
6. In the left pane of MMC, expand the Certificates (Local Computer) node.
7. Expand the Trusted Root Certification Authorities node, right-click the Certificates subfolder, select All Tasks, and then choose Import.
8. In the Certificate Import Wizard, on the Welcome page, choose Next.
9. On the File to Import page, choose Browse.
10. Browse to the location of the RootNavServiceCA.cer certificate file, select the file, and then choose Open.
11. On the File to Import page, choose Next.
12. On the Certificate Store page, accept the default selection, and then choose Next.
13. On the Completing the Certificate Import Wizard page, choose Finish.

The RootNavServiceCA certificate is now visible in the list of trusted root CAs.



You now create a certificate revocation list for the root certification authority and then install the certificate revocation list on the computer running Microsoft Dynamics NAV Server. A certificate revocation list is required because WCF applications check the revocation list when validating certificates.

Step 2.3 : To create a certificate revocation list for the root certification authority 

1. At the command prompt, type the following command: (i.e. E:\TestCertificates> makecert -crl -n "CN=RootNavServiceCA" -r -sv RootNavServiceCA.pvk RootNavServiceCA.crl)

2. When you are prompted, enter the password that you used to create the root CA.


Step 2.4 : To install the certificate revocation list on the computer running Microsoft Dynamics NAV Server 

1. In the Certificates snap-in, in the left pane of MMC, expand the Certificates (Local Computer) node. 


2. Expand the Trusted Root Certification Authorities node, right-click the Certificates subfolder, select All Tasks, and then choose Import.

3. In the Certificate Import Wizard, on the Welcome page, choose Next.
4. On the File to Import page, choose Browse.
5. In the File Type field, select Certificate Revocation List (*.crl).
6. Browse to the location of the RootNavServiceCA.crl file, select the file, and then choose Open.
7. On the File to Import page, choose Next.
8. On the Certificate Store page, accept the default selection, and then choose Next.
9. On the Completing the Certificate Import Wizard page, choose Finish.
10. Select the Trusted Root Certificate Authorities node, and then refresh the snap-in.
A Certificate Revocation List folder that contains the RootNavServiceCA.crl file has been created.


Step 2.5 : To create and install a test certificate for the Microsoft Dynamics NAV Server computer

1. At the command prompt, type the following command:

makecert -sk NavServiceCert -iv RootNavServiceCA.pvk -n "CN=NavServiceCert" -ic RootNavServiceCA.cer -sr localmachine -ss my -sky exchange -pe NavServiceCert.cer

Note : This command specifies the subject's certificate name as NavServiceCert. You need this certificate name when you configure the Microsoft Dynamics NAV Windows client or Microsoft Dynamics NAV Web Server components.

2. When you are prompted, enter the password that you used to create the root CA.

3. Select the Trusted Root Certificate Authorities node, and then refresh the snap-in.

You now have the NavServiceCert.cer certificate file in your temporary folder. The certificate is installed under the Personal node in the Certificates Snap-in.


Step 2.6 : To grant access to the certificate’s private key to the service account for Microsoft Dynamics NAV Server

1. In the left pane of MMC, expand the Certificates (Local Computer) node, expand the Personal node, and then select the Certificates subfolder. 

2. In the right pane, right-click the NavServiceCert certificate, choose All Tasks, and then choose Manage Private Keys.

3. In the Permissions for NavServiceCert private keys dialog box, choose Add.

4. In the Select Users, Computers, Service Accounts, or Groups dialog box, enter the name of the service account that is used by Microsoft Dynamics NAV Server. By default, the service account is NETWORK SERVICE. Choose OK when done.

Note : In a production environment, you run Microsoft Dynamics NAV Server under a dedicated domain user account instead of the less secure NETWORK SERVICE account. Because this is a test implementation, the NETWORK SERVICE account is acceptable.

5. In the Permissions for NavServiceCert private keys dialog box, select the account, and then select the Allow check box next to Full Control. Choose OK when done. 

6. In the right pane, double-click the NavServiceCert certificate.


7. In the Certificate dialog box, choose the Details tab, and then select the Thumbprint field.

8. Copy or note the value of the Thumbprint field.


Step 2.7 : To modify the Microsoft Dynamics NAV Server configuration file to support login over a WAN

1. Go to the NAV Administration Tool, select the instance, and modify the following settings:
Credential Type : NAVUserPassword
Certificate Thumbprint : Paste the thumbprint obtained in Step 2.6

2. Restart the NAV instance.
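To cross-check Steps 2.6 and 2.7 from PowerShell, the following added example (not part of the original post) reads the NavServiceCert thumbprint directly from the LocalMachine\My store, compares it with the value you pasted after stripping spaces and invisible characters that can come along when copying from the Certificate dialog box, and builds the certificate chain with revocation checking. The function names and the choice of the Offline revocation mode are assumptions of this example.

```powershell
# Added example. Run in an elevated PowerShell session on the NAV Server computer.
function ConvertTo-CleanThumbprint {
    param([string]$Value)
    # Keep hex digits only: removes spaces and invisible characters copied from the dialog.
    ($Value -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

function Test-NavServiceCert {
    param(
        [string]$Subject = 'CN=NavServiceCert',   # subject used in Step 2.5
        [string]$PastedThumbprint                 # value you put in Certificate Thumbprint
    )
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $Subject } |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate with subject '$Subject' in LocalMachine\My" }

    # Assumption: Offline mode, so only CRLs already present on this machine are used.
    # A missing CRL then shows up in ChainStatus instead of being silently skipped.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Offline
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        MatchesPasted = ($cert.Thumbprint -eq (ConvertTo-CleanThumbprint $PastedThumbprint))
        HasPrivateKey = $cert.HasPrivateKey
        NotAfter      = $cert.NotAfter
        ChainValid    = $chainOk
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Placeholder argument: replace with the thumbprint you copied in Step 2.6.
Test-NavServiceCert -PastedThumbprint '<thumbprint copied from the Details tab>'
```

If MatchesPasted is False, paste the Thumbprint value from this output into the server instance instead. If ChainValid is False, ChainStatus names the reason, for example an untrusted root or a revocation list that could not be found.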





Step 3 : Configuring Microsoft Dynamics NAV Client

With the chain trust configuration, only the root CA and the certificate revocation list must be installed for the Microsoft Dynamics NAV Windows client or Microsoft Dynamics NAV Web Server components.


Step 3.1 : To install the root CA

  1. Start the Certificates snap-in for MMC on the computer running the Microsoft Dynamics NAV Windows client or Microsoft Dynamics NAV Web Server components, and then add the Certificates snap-in.
  2. In the Certificates snap-in dialog box, choose Computer account, and then choose Next.
  3. In the Select Computer pane, choose Local computer: (the computer this console is running on), and then choose Finish.
  4. Choose OK to close the Add or Remove Snap-ins dialog box.
  5. In the left pane of MMC, expand the Certificates (Local Computer) node.
  6. Expand the Trusted Root Certification Authorities node, right-click the Certificates subfolder, select All Tasks, and then choose Import.
  7. In the Certificate Import Wizard, on the Welcome page, choose Next.
  8. On the File to Import page, choose Browse.
  9. Browse to the location of the RootNavServiceCA.cer certificate file, select the file, and then choose Open.
  10. On the File to Import page, choose Next.
  11. On the Certificate Store page, accept the default selection, and then choose Next.
  12. On the Completing the Certificate Import Wizard page, choose Finish.

Step 3.2 : To install the certificate revocation list

  1. Start the Certificates snap-in for MMC on the computer running the Microsoft Dynamics NAV Windows client or Microsoft Dynamics NAV Web client, and then add the Certificates snap-in.
  2. In the Certificates snap-in dialog box, choose Computer account, and then choose Next.
  3. In the Select Computer pane, choose Local computer: (the computer this console is running on), and then choose Finish.
  4. Choose OK to close the Add or Remove Snap-ins dialog box.
  5. In the left pane of MMC, expand the Certificates (Local Computer) node.
  6. Expand the Trusted Root Certification Authorities node, right-click the Certificates subfolder, select All Tasks, and then choose Import.
  7. In the Certificate Import Wizard, on the Welcome page, choose Next.
  8. On the File to Import page, choose Browse.
  9. In the File Type field, select Certificate Revocation List (*.crl).
  10. Browse to the location of the RootNavServiceCA.crl file, select the file, and then choose Open.
  11. On the File to Import page, choose Next.
  12. On the Certificate Store page, accept the default selection, and then choose Next.
  13. On the Completing the Certificate Import Wizard page, choose Finish.

Step 3.3 : To modify the Microsoft Dynamics NAV client configuration file to add certificate information

1. Open the ClientUserSettings.config configuration file
The location of this file is Users\<username>\AppData\Roaming\Microsoft\Microsoft Dynamics NAV

2. Modify the following settings
 ClientServicesCredentialType : NAVUserPassword
 DnsIdentity : NavServiceCert

3. Save and close the file.


Step 4 : Open the Microsoft Dynamics NAV Windows client. You will be prompted for a valid user name and password.


For the NAV Web Client, apply the settings from Step 3.3 in the web.config file.
The location of this file is %systemroot%\inetpub\wwwroot\DynamicsNAV71\


Note : The config file keys ClientServicesCredentialType & DnsIdentity are case sensitive. Please make sure they match exactly on client and server.

Also, please make sure the regional date & time zone are the same for both client and server.
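The check below is an added example (not part of the original post) for Step 3.3 and the case-sensitivity note above: it reads the appSettings entries of a ClientUserSettings.config and reports keys that are missing, spelled with different casing, or set to a different value than expected. The function name and the sample XML are constructed for illustration; values are compared exactly, following the note above.

```powershell
# Constructed sample config; the DnsIdentity key is deliberately miscased.
$sample = @'
<configuration>
  <appSettings>
    <add key="Server" value="navserver.example.com" />
    <add key="ClientServicesCredentialType" value="NAVUserPassword" />
    <add key="DNSIdentity" value="NavServiceCert" />
  </appSettings>
</configuration>
'@

function Test-NavClientSettings {
    param(
        [xml]$Config,                                  # content of ClientUserSettings.config
        [System.Collections.IDictionary]$Expected      # key name -> expected value
    )
    $settings = @($Config.configuration.appSettings.add)
    foreach ($name in $Expected.Keys) {
        # -ceq compares case-sensitively; -ieq finds the entry even if its casing is off.
        $exact = $settings | Where-Object { $_.GetAttribute('key') -ceq $name } | Select-Object -First 1
        $loose = $settings | Where-Object { $_.GetAttribute('key') -ieq $name } | Select-Object -First 1
        $status = if (-not $loose) {
            'missing'
        } elseif (-not $exact) {
            "key casing differs: found '$($loose.GetAttribute('key'))'"
        } elseif ($exact.GetAttribute('value') -cne $Expected[$name]) {
            "value differs: found '$($exact.GetAttribute('value'))'"
        } else {
            'ok'
        }
        [pscustomobject]@{ Key = $name; Status = $status }
    }
}

# Expected values are the ones given in Step 3.3.
$expected = [ordered]@{
    ClientServicesCredentialType = 'NAVUserPassword'
    DnsIdentity                  = 'NavServiceCert'
}
Test-NavClientSettings -Config $sample -Expected $expected
```

For the constructed sample, ClientServicesCredentialType is reported as ok and DnsIdentity as a key casing difference. To check a real client, pass the content of its ClientUserSettings.config instead of $sample.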



Thanks & Regards,
Nandesh Gowda
