Wednesday, March 30, 2016
NAV 2016 has brought a lot of new features, the most exciting of which is Workflow. However, to test how approvals can be implemented using Workflows, at least 2 users have to be created. To start with, I restored the NAV2016 Cronus database and took time to figure out how approval functionality could be tested.
To have at least 2 users in a local NAV2016 database, you need to configure the NAV Service Instance with Credential Type NavUserPassword, and in order to do this you have to implement a security certificate on the server.
In general you could follow the MSDN guidelines, but to make it easier for you, I am sharing what should be done in more detailed steps in this blog post.
Once a valid, trusted and signed certificate is configured, users can be created and Windows client launched.
Prerequisites
1. Certificates snap-in for Microsoft Management Console (MMC)
- Run mmc.exe as administrator
- In the Certificates snap-in dialog box, choose Computer account, and then choose Next.
- In the Select Computer pane, choose Local computer: (the computer this console is running on), and then choose Finish.
- Choose OK to close the Add or Remove Snap-ins dialog box.
- In the left pane of MMC, expand the Certificates (Local Computer) node.
2. "SQL Server Windows Authentication mode" has to be selected:
Quick overview of process schema:
STEP 1
Implement Security Certificate
1. Create a root CA and a private key file and install it.
- On the computer running Microsoft Dynamics NAV Server, create a temporary folder to use when you work with certificates (let's say C:/Certificates).
- Run Visual Studio Command Prompt and choose Run as Administrator.
- At the command prompt, change to the temporary directory (in my case cd C:/Certificates).
- Type command:
makecert -n "CN=RootNavServiceCA" -r -sv RootNavServiceCA.pvk RootNavServiceCA.cer
- When prompted, create a password. Enter the same password in the second window that pops up. Make sure you remember this password as you will need to enter it in the future.
- Review the 2 created files in your temporary directory.
Then install the root CA certificate:
- In the left pane of MMC, expand the Certificates (Local Computer) node.
- Expand the Trusted Root Certification Authorities node, right-click the Certificates subfolder, select All Tasks, and then choose Import -> Next
- On the File to Import page, choose Browse -> In the File Type field, select (*.cer).
- Browse to the location of the RootNavServiceCA.cer file (in my case C:/Certificates), select the file, and then choose Open -> Next
- On the Certificate Store page, accept the default selection, and then choose Next -> Finish
- Select the Trusted Root Certification Authorities node, and then refresh the snap-in.
- The RootNavServiceCA certificate is now visible in the list of trusted root CAs.
2. Create a certificate revocation list for the root certification authority and install it
- In Visual Studio Command Prompt, in the same temporary directory, type the command:
makecert -crl -n "CN=RootNavServiceCA" -r -sv RootNavServiceCA.pvk RootNavServiceCA.crl
- When you are prompted, enter the password that you used to create the root CA.
- Review the newly created RootNavServiceCA.crl certificate revocation file in your temporary folder.
Then install the certificate revocation list:
- In the left pane of MMC, expand the Certificates (Local Computer) node -> Expand the Trusted Root Certification Authorities node, right-click the Certificates subfolder, select All Tasks, and then choose Import -> Next
- On the File to Import page, choose Browse -> In the File Type field, select Certificate Revocation List (*.crl).
- Browse to the location of the RootNavServiceCA.crl file (in my case C:/Certificates), select the file, and then choose Open -> Next
- On the Certificate Store page, accept the default selection, and then choose Next -> Finish
- Select the Trusted Root Certification Authorities node, and then refresh the snap-in.
- A Certificate Revocation List folder that contains the RootNavServiceCA.crl file has been created.
3. Create and install a test certificate for the Microsoft Dynamics NAV Server computer
- In Visual Studio Command Prompt, in the same temporary directory, type the command:
makecert -sk NavServiceCert -iv RootNavServiceCA.pvk -n "CN=NavServiceCert" -ic RootNavServiceCA.cer -sr localmachine -ss my -sky exchange -pe NavServiceCert.cer
Note: this command specifies the subject’s certificate name as NavServiceCert. You need this certificate name when you configure the Microsoft Dynamics NAV Windows client or Microsoft Dynamics NAV Web Server components.
- When you are prompted, enter the password that you used to create the root CA.
- Select the Trusted Root Certification Authorities node, and then refresh the snap-in.
- You now have the NavServiceCert.cer certificate file in your temporary folder. The certificate is installed under the Personal node in the Certificates Snap-in.
4. Grant access to the certificate’s private key to the service account for Microsoft Dynamics NAV Server
- In the left pane of MMC expand the Certificates (Local Computer) node, expand the Personal node, and then select the Certificates subfolder.
- In the right pane, right-click the NavServiceCert certificate, choose All Tasks, and then choose Manage Private Keys.
- In the Permissions for NavServiceCert private keys dialog box, choose Add.
- In the Select Users, Computers, Service Accounts, or Groups dialog box, enter the name of the service account that is used by Microsoft Dynamics NAV Server. By default, the service account is NETWORK SERVICE. Choose OK when done.
- In the Permissions for NavServiceCert private keys dialog box, select the account, and then select the Allow check box next to Full Control. Choose OK when done.
- In the right pane, double-click the NavServiceCert certificate.
- In the Certificate dialog box, choose the Details tab, and then select the Thumbprint field (at the end of the list).
- Copy the Thumbprint to a text editor and remove all the spaces and hidden characters. The result will be needed to configure the NAV Service Instance.
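As an alternative to cleaning the copied thumbprint by hand, the following PowerShell sketch (an added example, not part of the original post) strips spaces and hidden characters from a pasted value, cross-checks it against the NavServiceCert certificate in the local computer's Personal store, and reports whether the chain to the root CA and its CRL builds. The helper name ConvertTo-CleanThumbprint and the sample pasted string are constructed for illustration; run it in an elevated PowerShell session on the server.

```powershell
# Added example (not from the original post). ConvertTo-CleanThumbprint is a
# hypothetical helper name; the subject CN=NavServiceCert comes from step 3.
function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory)][string]$Pasted)
    # Keep hex digits only: drops spaces and invisible characters such as U+200E.
    $clean = ($Pasted -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex digits (SHA-1 thumbprint), got $($clean.Length)."
    }
    $clean
}

# Read the certificate straight from the Personal store of the local computer.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq 'CN=NavServiceCert' } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw 'CN=NavServiceCert not found in Cert:\LocalMachine\My.' }

# Constructed sample of a value pasted from the Details tab: an invisible
# left-to-right mark followed by lower-case hex pairs separated by spaces.
$spaced = ($cert.Thumbprint -replace '(..)', '$1 ').ToLowerInvariant()
$pasted = "$([char]0x200E)$spaced"
$clean  = ConvertTo-CleanThumbprint -Pasted $pasted

# Build the chain so a missing root CA or CRL shows up as a named status.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$built = $chain.Build($cert)

[pscustomobject]@{
    Thumbprint    = $clean
    MatchesStore  = ($clean -eq $cert.Thumbprint)
    HasPrivateKey = $cert.HasPrivateKey
    Issuer        = $cert.Issuer
    ChainBuilds   = $built
    ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
}
```

The Thumbprint value in the output is the string to paste into the service instance configuration; an empty ChainStatus means the chain built without errors.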
STEP 2
Configure NAV Service Instance
Run Dynamics NAV Administration and either create a new instance or change the properties of an already existing NAV2016 instance.
General FastTab:
- Credential Type: NavUserPassword
- Certificate Thumbprint: from previous step
Client Service FastTab:
- Protection Level: EncryptAndSign
Note: if you are creating a new instance, ALL ports must be different from the ones in existing instances.
In both cases you must provide the Database Name and Server on the Database FastTab.
- Restart Service
STEP 3
Configure Windows Client
Open the ClientUserSettings.config configuration file with Notepad. The location of this file:
C:\Users\<username>\AppData\Roaming\Microsoft\Microsoft Dynamics NAV\90
Note: by default, this file is hidden. Therefore, you may have to change your folder options in Windows Explorer to view hidden files.
Modify the following settings:
- ClientServicesCredentialType: NavUserPassword
- DnsIdentity: Certificate Name from the previous step, in this case NavServiceCert
If needed, update other settings, i.e. Server, ClientServicePort, ServerInstance.
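To confirm the client settings line up with the server certificate, this PowerShell sketch (an added example, not part of the original post) reads ClientUserSettings.config and compares DnsIdentity with the subject name of the NavServiceCert.cer file created in step 3. Test-NavClientSettings is a hypothetical helper name, and the default paths assume the locations used in this post.

```powershell
# Added example (not from the original post). Test-NavClientSettings is a
# hypothetical helper name; default paths assume the locations used above.
function Test-NavClientSettings {
    param(
        [string]$ConfigPath = (Join-Path $env:APPDATA `
            'Microsoft\Microsoft Dynamics NAV\90\ClientUserSettings.config'),
        [string]$ServerCertFile = 'C:\Certificates\NavServiceCert.cer'
    )

    # The file is a standard .NET appSettings list: <add key="..." value="..." />
    [xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw
    $settings = @{}
    foreach ($node in $cfg.SelectNodes('/configuration/appSettings/add')) {
        $settings[$node.GetAttribute('key')] = $node.GetAttribute('value')
    }

    # Extract the simple name (the CN) from the exported server certificate.
    $cert = New-Object `
        System.Security.Cryptography.X509Certificates.X509Certificate2 $ServerCertFile
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $certName = $cert.GetNameInfo($nameType, $false)

    # Note: -eq compares strings case-insensitively in PowerShell.
    [pscustomobject]@{
        CredentialType   = $settings['ClientServicesCredentialType']
        CredentialTypeOk = ($settings['ClientServicesCredentialType'] -eq 'NavUserPassword')
        DnsIdentity      = $settings['DnsIdentity']
        CertificateName  = $certName
        DnsIdentityOk    = ($settings['DnsIdentity'] -eq $certName)
    }
}

Test-NavClientSettings
```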