KSD Consultancy

The Microsoft Dynamics NAV Server account is used by Microsoft Dynamics NAV clients to log on to the Microsoft Dynamics NAV Server instance.

The Microsoft Dynamics NAV Server then uses the service account to log on to the Microsoft Dynamics NAV database.

When you install Microsoft Dynamics NAV Server, you identify an Active Directory account to provide credentials for the server. By default, Setup runs Microsoft Dynamics NAV Server under the Network Service account, a predefined local account used by the service control manager. This account has minimum privileges on the local computer and acts as the computer on the network.

Microsoft recommends that you create a domain user account for running Microsoft Dynamics NAV Server.

The Network Service account is considered less secure because it is a shared account that can be used by other unrelated network services. Any users who have rights to this account have rights to all services that are running on this account.

If you create a domain user account to run Microsoft Dynamics NAV Server, you can use the same account to run SQL Server, whether or not SQL Server is on the same computer.

Because Microsoft Dynamics NAV Setup and the New-NavDatabase cmdlet configure the required permissions for the Microsoft Dynamics NAV Server account, you will typically use the procedures in this topic when you change the Microsoft Dynamics NAV Server account for an existing installation.

To provision a Microsoft Dynamics NAV Server account, complete the following procedures as described in this topic:

Provisioning a Domain User Account
If you are running the Microsoft Dynamics NAV Server under a domain user account, you must:

• Enable the account to log in as a service
• Enable the account to register an SPN on itself
• Give the account necessary database privileges in SQL Server

Enabling the account to log in as a service
Depending on various factors, the account may or may not already have this ability.

For example, if you have already installed SQL Server and configured it to run under the same account, SQL Server will have modified the account to log in as a service.

Add the Log on as a service Right to an Account
Considered for Windows 8.1, for other versions please check accordingly.

You can use this procedure to add the Log on as a service right to an account on your computer.

Membership in the local Administrators group, or equivalent, is the minimum required to complete these procedures.

To add the “Log on as a service” right to an account on your local computer

• To open Local Security Policy, click Start, point to Control Panel, point to Administrative Tools, and then double-click Local Security Policy.
• In the console tree, double-click Local Policies, and then click User Rights Assignment.
• In the details pane, double-click Log on as a service.
• Click Add User or Group, and then add the appropriate account to the list of accounts that possess the Log on as a service right.

To add the “Log on as a service” right to an account for a Group Policy object, when you are on a server that is joined to a domain or a domain controller

• Click Start, point to Run, type mmc, and then click OK.
• On the File menu, click Add/Remove Snap-in.
• In Add/Remove Snap-in, click Add, and then, in Add Standalone Snap-in, double-click Group Policy Object Editor.
• In Group Policy Object, click Browse, browse to the Group Policy object (GPO) that you want to modify, click OK, and then click Finish.
• Click Close, and then click OK.
• In the console tree, click User Rights Assignment.
• Where?
• GroupPolicyObject [ComputerName] Policy
• Computer Configuration
• Windows Settings
• Security Settings
• Local Policies
• User Rights Assignment
• In the details pane, double-click Log on as a service.
• If the security setting has not yet been defined, select the Define these policy settings check box.
• Click Add User or Group, and then add the appropriate account to the list of accounts that possess the Log on as a service right.

When this permission is lacking, Microsoft Dynamics NAV Server server instances may not be able to start.
Enabling the account to register an SPN on itself
To enable secure mutual authentication between clients and Microsoft Dynamics NAV Server, you must configure the Microsoft Dynamics NAV Server account to self-register Service Principal Names (SPNs).

Mutual authentication is recommended in a production environment but may not be necessary in a testing or staging environment. The following procedure assumes a computer running Windows Server 2008 or Windows Server 2008 R2. On Windows 7 or Windows Vista you would need to install the Remote Server Administration Tools first.
To enable the Microsoft Dynamics NAV Server account to register an SPN on itself

• Start the Active Directory Users and Computers snap-in in Microsoft Management Console (MMC):

• Choose Run on the Start menu, type mmc on the command line, and the choose OK.
• When the console opens, select Add/Remove Snap-In from the File menu, select Active Directory Users and Computers, and choose Add. If you do not see Active Directory Users and Computers in the list of available snap-ins, you may need to use Server Manager to install the Active Directory Domain Services role on your server computer.

• In MMC, select Active Directory Users and Computers in the tree view and choose Advanced Features from the View menu.
• Expand the domain node in the tree view and choose Users.
• Right-click the service account, select Properties, and then choose to display the Security tab.
• Choose SELF in the Group or user names list.
• Under Permissions for SELF, in the lower part of the panel, scroll down to Write public information and select the Allow column.
• Choose OK to exit the Properties panel, and close Active Directory Users and Computers.

Giving the account necessary database privileges in SQL Server
The Microsoft Dynamics NAV Server account must be a member of the db_owner database role on the Microsoft Dynamics NAV database.

When you install the Microsoft Dynamics NAV database by using Microsoft Dynamics NAV Setup or the New-NAVDatabase PowerShell cmdlet, you can specify the Microsoft Dynamics NAV Server account.

In these cases, the server account that you specify should already have the necessary privileges in SQL Server. If you change the Microsoft Dynamics NAV Server account for an existing installation, then you should verify the account has the required privileges in SQL Server.

To verify database privileges after you create your Microsoft Dynamics NAV database, use SQL Server Management Studio and, if necessary, modify database privileges.

If you installed the Demo option in Microsoft Dynamics NAV Setup, then the Network Service account already has the necessary database privileges.

To assign necessary database privileges for the Microsoft Dynamics NAV Server account

• Start SQL Server Management Studio and connect to the instance where the Microsoft Dynamics NAV database is installed.
• Create a login for the Microsoft Dynamics NAV Server account.

• Navigate the tree view: Security, Logins
• Right-click Logins and choose New Login.
• Choose Search, and use the Select User or Group dialog box to identify the Microsoft Dynamics NAV Server account.
• Choose OK to exit the New Login dialog box.

• Add the login as a user on the master database.

• Navigate the tree view: Databases, System Databases, master, Security, Users.
• Right-click Users and choose New User.
• Choose the ellipse button at the far right of the second line in the Database User – New dialog box.
• In the Select Login dialog box, enter or browse for the login you created for the Microsoft Dynamics NAV Server account.
• Enter a name in the User name field (the first line in the Database User – New dialog box).
• Choose OK to exit the Database User – New dialog box.

• Grant the Microsoft Dynamics NAV Server login permissions on the master database. In the tree view, right-click master and choose Properties. Then do the following in the Database Properties – master dialog box.

• Under Select a Page, choose Permissions.
• Under Name, choose the login you created for the Microsoft Dynamics NAV Server account name.
• Under Permissions for <username>, on the Explicit tab, scroll down to down to the Select line, and select the check box in the Grant column.
• Choose OK to exit the Database Properties – master dialog box.
• Navigate the tree view: Databases, System Databases, master, Tables, System Tables.
• Right-click the dbo.$ndo$srvproperty table and choose Properties.
• Under Select a Page, choose Permissions.
• Choose Search, and use the Select User or Group dialog box to identify the login for the Microsoft Dynamics NAV Server account.
• Under Permissions for <username>, on the Explicit tab, scroll down to down to the Select line, and select the check box in the Grant column.
• Choose OK to exit the Table Properties – dbo.$ndo$srvproperty dialog box.

• Grant the login the necessary database roles on the Microsoft Dynamics NAV database.

• Navigate the tree view: Databases, <your Microsoft Dynamics NAV database>, Security, Users.
• Right-click Users and choose New User.
• In the Database User – New dialog box, choose the ellipse button at the far right of the second line.
• Select the login you created for the Microsoft Dynamics NAV Server account name and choose OK.
• Under Database role membership, select the db_owner check boxe.
• Choose OK to exit the Database User – New dialog box.
• Right-click your Microsoft Dynamics NAV database and choose Properties.
• Under Select a Page, choose Permissions.
• Choose Search, and use the Select User or Group dialog box to identify login you created for the Microsoft Dynamics NAV Server account.
• Under Permissions for <username>, on the Explicit tab, scroll down to down to the View database state line, and select the check box in the Grant column.
• Choose OK to exit the Database Properties dialog box for your Microsoft Dynamics NAV database.

It is also possible to script these steps in SQL Server Management Studio:

USE [master]

GO

CREATE LOGIN [domain\accountname] FROM WINDOWS

CREATE USER [domain\accountname] FOR LOGIN [domain\accountname]

GRANT SELECT ON [master].[dbo].[$ndo$srvproperty] TO [domain\accountname]

GO

USE [Microsoft Dynamics NAV Database]

GO

CREATE USER [domain\accountname] FOR LOGIN [domain\accountname]

ALTER ROLE [db_owner] ADD MEMBER [domain\accountname]

GRANT VIEW DATABASE STATE TO [domain\accountname]

Provisioning the Network Service Account
The only circumstance where it is necessary to take any action with regard to the Network Service account is when change the Microsoft Dynamics NAV Server account on an existing installation from a domain account to the Network Service.

In this situation you must verify that the account has the necessary database privileges in SQL Server, as per Giving the account necessary database privileges in SQL Server, above.