Using BI to Get the Most out of Account Schedules in NAV
Video-1
Video-2
The Microsoft Dynamics NAV Server account is used by Microsoft Dynamics NAV clients to log on to the Microsoft Dynamics NAV Server instance.
The Microsoft Dynamics NAV Server then uses the service account to log on to the Microsoft Dynamics NAV database.
When you install Microsoft Dynamics NAV Server, you identify an Active Directory account to provide credentials for the server. By default, Setup runs Microsoft Dynamics NAV Server under the Network Service account, a predefined local account used by the service control manager. This account has minimum privileges on the local computer and acts as the computer on the network.
Microsoft recommends that you create a domain user account for running Microsoft Dynamics NAV Server.
The Network Service account is considered less secure because it is a shared account that can be used by other unrelated network services. Any users who have rights to this account have rights to all services that are running on this account.
If you create a domain user account to run Microsoft Dynamics NAV Server, you can use the same account to run SQL Server, whether or not SQL Server is on the same computer.
Because Microsoft Dynamics NAV Setup and the New-NAVDatabase cmdlet configure the required permissions for the Microsoft Dynamics NAV Server account, you will typically use the procedures in this topic when you change the Microsoft Dynamics NAV Server account for an existing installation.
To provision a Microsoft Dynamics NAV Server account, complete the following procedures as described in this topic:
Provisioning a Domain User Account
If you are running the Microsoft Dynamics NAV Server under a domain user account, you must:
Enabling the account to log in as a service
Depending on various factors, the account may or may not already have this ability.
For example, if you have already installed SQL Server and configured it to run under the same account, SQL Server will have modified the account to log in as a service.
Add the Log on as a service Right to an Account
This procedure is written for Windows 8.1; for other versions, check the equivalent steps.
You can use this procedure to add the Log on as a service right to an account on your computer.
Membership in the local Administrators group, or equivalent, is the minimum required to complete these procedures.
To add the “Log on as a service” right to an account on your local computer
To add the “Log on as a service” right to an account for a Group Policy object, when you are on a server that is joined to a domain or a domain controller
When this permission is lacking, Microsoft Dynamics NAV Server instances may not be able to start.
Enabling the account to register an SPN on itself
To enable secure mutual authentication between clients and Microsoft Dynamics NAV Server, you must configure the Microsoft Dynamics NAV Server account to self-register Service Principal Names (SPNs).
Mutual authentication is recommended in a production environment but may not be necessary in a testing or staging environment. The following procedure assumes a computer running Windows Server 2008 or Windows Server 2008 R2. On Windows 7 or Windows Vista you would need to install the Remote Server Administration Tools first.
To enable the Microsoft Dynamics NAV Server account to register an SPN on itself
Giving the account necessary database privileges in SQL Server
The Microsoft Dynamics NAV Server account must be a member of the db_owner database role on the Microsoft Dynamics NAV database.
When you install the Microsoft Dynamics NAV database by using Microsoft Dynamics NAV Setup or the New-NAVDatabase PowerShell cmdlet, you can specify the Microsoft Dynamics NAV Server account.
In these cases, the server account that you specify should already have the necessary privileges in SQL Server. If you change the Microsoft Dynamics NAV Server account for an existing installation, then you should verify the account has the required privileges in SQL Server.
To verify database privileges after you create your Microsoft Dynamics NAV database, use SQL Server Management Studio and, if necessary, modify database privileges.
If you installed the Demo option in Microsoft Dynamics NAV Setup, then the Network Service account already has the necessary database privileges.
To assign necessary database privileges for the Microsoft Dynamics NAV Server account
It is also possible to script these steps in SQL Server Management Studio:
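-- Create the Windows login and a matching user in master, then grant
-- read access to the $ndo$srvproperty table.
USE [master]
GO
CREATE LOGIN [domain\accountname] FROM WINDOWS
CREATE USER [domain\accountname] FOR LOGIN [domain\accountname]
GRANT SELECT ON [master].[dbo].[$ndo$srvproperty] TO [domain\accountname]
GO
-- Map the login into the NAV database, add it to db_owner, and grant
-- VIEW DATABASE STATE.
USE [Microsoft Dynamics NAV Database]
GO
CREATE USER [domain\accountname] FOR LOGIN [domain\accountname]
ALTER ROLE [db_owner] ADD MEMBER [domain\accountname]
GRANT VIEW DATABASE STATE TO [domain\accountname]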
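A read-only check for the verification step described above, as an added example that is not part of the original post or of Microsoft's documentation. It reuses the page's placeholders (domain\accountname and Microsoft Dynamics NAV Database) and inspects only explicit grants, so rights inherited through a Windows group are not resolved.

```sql
-- Added example: audits the grants made by the provisioning script.
-- N'domain\accountname' and the database name are placeholders; replace both.
-- Run as a principal that can read security metadata (for example sysadmin).
DECLARE @sid varbinary(85) = SUSER_SID(N'domain\accountname');

USE [master];
SELECT N'Windows login present and enabled' AS check_name,
       CASE WHEN EXISTS (SELECT 1
                         FROM sys.server_principals
                         WHERE sid = @sid AND is_disabled = 0)
            THEN N'OK' ELSE N'MISSING' END AS result
UNION ALL
SELECT N'SELECT on master.dbo.$ndo$srvproperty',
       CASE WHEN EXISTS (SELECT 1
                         FROM sys.database_permissions AS pe
                         JOIN sys.database_principals AS pr
                           ON pr.principal_id = pe.grantee_principal_id
                         WHERE pr.sid = @sid
                           AND pe.class = 1             -- object-level permission
                           AND pe.major_id = OBJECT_ID(N'dbo.[$ndo$srvproperty]')
                           AND pe.minor_id = 0          -- whole table, not a column
                           AND pe.permission_name = N'SELECT'
                           AND pe.state IN ('G', 'W'))  -- granted, not denied
            THEN N'OK' ELSE N'MISSING' END;

USE [Microsoft Dynamics NAV Database];
SELECT N'Member of db_owner' AS check_name,
       CASE WHEN EXISTS (SELECT 1
                         FROM sys.database_role_members AS rm
                         JOIN sys.database_principals AS r
                           ON r.principal_id = rm.role_principal_id
                         JOIN sys.database_principals AS m
                           ON m.principal_id = rm.member_principal_id
                         WHERE r.name = N'db_owner' AND m.sid = @sid)
            THEN N'OK' ELSE N'MISSING' END AS result
UNION ALL
SELECT N'VIEW DATABASE STATE granted explicitly',
       CASE WHEN EXISTS (SELECT 1
                         FROM sys.database_permissions AS pe
                         JOIN sys.database_principals AS pr
                           ON pr.principal_id = pe.grantee_principal_id
                         WHERE pr.sid = @sid
                           AND pe.class = 0             -- database-level permission
                           AND pe.permission_name = N'VIEW DATABASE STATE'
                           AND pe.state IN ('G', 'W'))
            THEN N'OK' ELSE N'MISSING' END;
```

Run it as a single batch (no GO separators) so the @sid variable stays in scope; any row reporting MISSING points at the statement in the provisioning script that still needs to be applied.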
Provisioning the Network Service Account
The only circumstance where it is necessary to take any action with regard to the Network Service account is when you change the Microsoft Dynamics NAV Server account on an existing installation from a domain account to the Network Service account.
In this situation you must verify that the account has the necessary database privileges in SQL Server, as per Giving the account necessary database privileges in SQL Server, above.
To start this exercise, you first need to create a certificate and a certificate revocation list; if you have not created them yet, refer to the previous post.
Previous Step Link- How to create a root CA and a private key file by using the makecert.exe utility
Previous Step Link- How to create certificate revocation list for the root certification authority
Previous Step Link- How to create and install a test certificate for the Microsoft Dynamics NAV Server computer
Let’s start with this exercise:
In the Select Users, Computers, Service Accounts, or Groups dialog box, enter the name of the service account that is used by Microsoft Dynamics NAV Server. By default, the service account is NETWORK SERVICE. Choose OK when done.
Security Note
In a production environment, you run Microsoft Dynamics NAV Server under a dedicated domain user account instead of the less secure NETWORK SERVICE account. Because this is a test implementation, the NETWORK SERVICE account is acceptable.
Copy or note the value of the Thumbprint field.
In the next step we will implement security certificates, configure Microsoft Dynamics Server, and update the configuration file for the Windows and Web clients to support login over a WAN.
Next Step Link- Implementing Security Certificates.