Authentication and Credential Types for Dynamics 365 Business Central
In Business Central online, users are added through the Microsoft 365 admin center. Once users are created in Microsoft 365, they can be imported into the Users window in Business Central. For more information, see Managing Users and Permissions in the business functionality content.
Configuring Authentication for On-Premises Deployments
An on-premises deployment of Business Central supports several credential authorization mechanisms for users. When you create a user, you provide different information depending on the credential type that you're using in the current Business Central Server instance.
All users of a Business Central Server instance must be using the same credential type. In on-premises deployments, you can specify which credential type is used for a particular Business Central Server instance in the Business Central Server Administration tool.
Business Central on-premises supports the following credential types.
|Credential type|Description|
|---|---|
|Windows|With this credential type, users are authenticated using their Windows credentials. You can only specify Windows as the credential type if the corresponding user exists in Windows (Active Directory, local workgroup, or the local computer’s users). Because they're authenticated through Windows, Windows users aren't prompted for credentials when they access Business Central.|
|UserName|With this setting, the user is prompted for username/password credentials when they access Business Central. These credentials are then validated against Windows authentication by Business Central Server. There must already be a corresponding user in Windows. Security certificates are required to protect the passing of credentials across a wide-area network. Typically, this setting should be used when the Business Central Server computer is part of an authenticating Active Directory domain, but the computer where the Dynamics NAV Client connected to Business Central is installed isn't part of the domain.|
|NavUserPassword|With this setting, authentication is managed by Business Central Server but isn't based on Windows users or Active Directory. Each user is set up with a user name and password that's configured inside Business Central only. The user is prompted for username/password credentials when they start the client. Security certificates are required to protect the passing of credentials. For more information, see Authenticating Users with NavUserPassword.|
|AccessControlService|With this setting, Business Central relies on Azure Active Directory (Azure AD) for user authentication services. Azure AD is a cloud service that provides identity and access capabilities, such as for applications on Azure, in Microsoft 365, and for applications that install on-premises. If the Business Central Server instance is configured to use AccessControlService authentication, you can specify an Azure AD account for each user in the Office 365 Authentication field so that they can access both Business Central and their Microsoft 365 site. Also, if you use Business Central in an app for SharePoint, users have single sign-on between the SharePoint site and Business Central. For more information, see Authenticating Users with Azure Active Directory or Authenticating Users with Active Directory Federation Services. Security certificates are required to protect the passing of credentials across a wide-area network.|
|None|For internal use on system sessions and typically shouldn't be used. If you choose None, then the Business Central Server instance can't start.|
|ExchangeIdentity, TaskScheduler, and Impersonate|For internal use only. Don't use.|
If Business Central Server is configured to use NavUserPassword or AccessControlService authentication, then the username, password, and access key can be exposed if the SOAP or OData data traffic is intercepted and the connection string is decoded. To avoid this condition, configure SOAP and OData web services to use Secure Socket Layer (SSL). For more information, see How to: Implement Security Certificates in a Production Environment in the ITPro content for Microsoft Dynamics NAV 2018.
Configuring the Credential Type for Client and Server
For on-premises deployment, you must make sure that clients and Business Central Server are configured to use the same credential type.
When you change the credential type for a Business Central Server instance and the relevant client configurations, the changes take effect when you restart the Business Central Server instance and users connect to the instance again.
To edit the configuration for the Business Central Server instance, you can use either the Business Central Server Administration tool or the Business Central Administration Shell. In the Business Central Server Administration tool, you configure the credential type in the Credential Type field on the General tab. Also, you can edit the CustomSettings.config file. For more information, see Configuring Business Central Server.
In the relevant configuration file, find the ClientServicesCredentialType parameter and change the value to one of the options listed earlier.
For each user of the Dynamics NAV Client connected to Business Central, you must modify the ClientUserSettings.config file. The default location for this file is C:\Users\<username>\AppData\Roaming\Microsoft\Microsoft Dynamics NAV\130, where <username> is the name of the user. For more information, see Configuring the Microsoft Dynamics NAV Windows Client in the ITPro content for Microsoft Dynamics NAV 2018.
UserName, NavUserPassword, and AccessControlService credential types require that you install and configure security certificates on components. For more information, see Using Security Certificates with Business Central On-Premises.
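The following PowerShell check is an added example, not part of the original documentation. It compares the ClientServicesCredentialType value in a server and a client configuration file and reports a mismatch, an unsupported type, and the certificate and SSL requirements described above. The sample XML is constructed, and the `<appSettings>`/`<add key value>` layout of both files, the variable names, and the function names are assumptions of this example.

```powershell
# Constructed sample contents standing in for CustomSettings.config and
# ClientUserSettings.config; the <appSettings>/<add> layout is an assumption.
$serverXml = [xml]@'
<appSettings>
  <add key="ClientServicesCredentialType" value="NavUserPassword" />
</appSettings>
'@
$clientXml = [xml]@'
<configuration>
  <appSettings>
    <add key="ClientServicesCredentialType" value="Windows" />
  </appSettings>
</configuration>
'@

# Credential types the page lists for users, and the ones it ties to extra requirements.
$Supported   = 'Windows', 'UserName', 'NavUserPassword', 'AccessControlService'
$NeedsCert   = 'UserName', 'NavUserPassword', 'AccessControlService'
$NeedsWebSsl = 'NavUserPassword', 'AccessControlService'

# Hypothetical helper: returns the configured value, or $null if the key is absent.
function Get-CredentialType {
    param([xml]$Config)
    $node = $Config.SelectSingleNode("//appSettings/add[@key='ClientServicesCredentialType']")
    if ($null -eq $node) { return $null }
    return $node.GetAttribute('value')
}

# Hypothetical helper: returns a list of findings; an empty list means no issue found.
function Test-CredentialTypeConfig {
    param([xml]$Server, [xml]$Client)
    $s = Get-CredentialType $Server
    $c = Get-CredentialType $Client
    $findings = @()
    if (-not $s) { $findings += 'Server: ClientServicesCredentialType is missing' }
    elseif ($Supported -notcontains $s) { $findings += "Server: '$s' is not a supported user credential type" }
    if (-not $c) { $findings += 'Client: ClientServicesCredentialType is missing' }
    elseif ($s -and $c -ne $s) { $findings += "Mismatch: server uses '$s', client uses '$c'" }
    if ($NeedsCert -contains $s) { $findings += "'$s' requires security certificates on components" }
    if ($NeedsWebSsl -contains $s) { $findings += "'$s': configure SOAP and OData web services to use SSL" }
    return $findings
}

Test-CredentialTypeConfig -Server $serverXml -Client $clientXml
```

To check a real deployment, load each file with `[xml](Get-Content -Raw <path>)` in place of the constructed samples.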