SSO: Azure AD & Dynamics Navision

Just another post in this blog series on how to set up Single Sign On with Azure Active Directory. This time: Dynamics Navision.

Microsoft offers some guidance on how to configure Single Sign On for Dynamics Navision, but in my experience it takes some investigation to get everything working, especially if you want to automate the setup for later reuse. That is why I'm writing this post.

Pre-requisites

This guide applies to Dynamics Navision 2016 and 2017. Before you start with the installation, make sure the following pre-requisites are met:

Navision server(s)

Azure AD

  • Credentials of an Azure AD Global Admin account.
  • An Azure AD group that will control who may sign in to Navision.
  • An Azure AD test user, made a member of that group.

Azure AD

The first step is to set up an application context in Azure AD.

Set up the Azure AD application using the steps described in this post. Use the following URL as both the Identifier and the Reply URL:

https://"yourcustomaddress"/NAV/WebClient/SignIn.aspx

where "yourcustomaddress" is the custom hostname of your Navision web server. The Reply URL is where Azure AD posts the sign-in response, so it must match the address users actually browse to (and it must be HTTPS).

Now open Enterprise Applications -> All applications and select the just created Navision application from the list. Click Properties and make sure "User assignment required" is turned on. Without this setting, every account in the tenant can authenticate against the Navision application; with it, Azure AD only issues tokens to users and groups you explicitly assign.

(screenshot nav3)

Now click on Users and Groups and add the access group created earlier (or an individual user):

(screenshot nav4)
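The same Azure AD steps can be scripted. The block below is an added example and not part of the original post; it uses the AzureAD PowerShell module that was current for NAV 2016/2017 (it has since been retired in favour of Microsoft Graph PowerShell). It assumes the application registered in the previous post appears in Enterprise Applications as "Navision"; the group and user names are placeholders.

```powershell
# Added example (not from the original post): enforce user assignment on the Navision
# Enterprise Application and assign an access group, using the AzureAD module.
# Assumptions: application display name "Navision", group/user names are placeholders.
Import-Module AzureAD
Connect-AzureAD   # prompts for the Global Admin credentials; nothing is stored in the script

$AppDisplayName = 'Navision'
$GroupName      = 'NAV-SSO-Users'
$TestUserUpn    = 'nav.test@contoso.onmicrosoft.com'

# 1. The "Enterprise Application" entry is the service principal of the registered app.
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$AppDisplayName'"
if (-not $sp) { throw "Enterprise Application '$AppDisplayName' not found" }

# 2. Require user assignment: otherwise any account in the tenant can obtain a token
#    for the application. With it, only assigned users/groups get a token.
Set-AzureADServicePrincipal -ObjectId $sp.ObjectId -AppRoleAssignmentRequired $true

# 3. Create (or reuse) the access group and assign it to the application.
$group = Get-AzureADGroup -Filter "displayName eq '$GroupName'"
if (-not $group) {
    $group = New-AzureADGroup -DisplayName $GroupName -MailEnabled $false `
                              -SecurityEnabled $true -MailNickName $GroupName
}
$existing = Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId |
            Where-Object { $_.PrincipalId -eq $group.ObjectId }
if (-not $existing) {
    # Id = all-zero GUID selects the default role of an application that defines no app roles.
    New-AzureADGroupAppRoleAssignment -ObjectId $group.ObjectId -PrincipalId $group.ObjectId `
                                      -ResourceId $sp.ObjectId -Id ([Guid]::Empty)
}

# 4. Control access through group membership only: put the test user in the group.
$user = Get-AzureADUser -ObjectId $TestUserUpn
$isMember = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
            Where-Object { $_.ObjectId -eq $user.ObjectId }
if (-not $isMember) {
    Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $user.ObjectId
}

# 5. Verify: the assignment list should contain the group and nothing you did not intend.
Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId |
    Select-Object PrincipalDisplayName, PrincipalType
```

Run this under the Global Admin account once the application exists; the final listing is what you should review before rolling SSO out, because every principal in it can reach the Navision sign-in page.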

Dynamics Navision

Dynamics Navision requires some specific steps to set up SSO for the web client and the Windows client. The Windows client additionally needs changes in its own client configuration file, described in the upcoming configuration steps.

The first step is to make sure you have configured a TLS certificate for the Navision web server. You can check this by opening the Navision administration console:

(screenshot nav5)

Look up the subject of the certificate in the Certificate Management console and save this information for the later steps (the script below selects the certificate by its subject).
When you do not have a certificate configured, you can easily generate a self-signed certificate for demo/test purposes. I'd recommend a publicly trusted certificate for the production environment.

Make sure this certificate is added to the trusted certificate store (for a self-signed certificate, Trusted Root Certification Authorities on the server) and give the account that runs the Navision Server instance Read permission on the certificate's private key (Certificates MMC -> Manage Private Keys). Read is enough; do not grant Full Control.

(screenshot nav11)
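As an added example (not code from the original post), the following script performs the certificate checks above and grants the private key permission from PowerShell. It assumes placeholder values for the web server hostname and the service account, and that the private key is an RSA CSP key stored under MachineKeys, which is the common case for certificates used by IIS and Navision; for a CNG key $cert.PrivateKey is $null under Windows PowerShell and the permission must be granted through the Certificates MMC instead.

```powershell
# Added example (not from the original post): validate the NAV web server certificate and
# grant the NAV Server service account Read on its private key.
# Assumptions: hostname and service account are placeholders; key is an RSA CSP key.
$HostName       = 'nav.contoso.com'          # the "yourcustomaddress" host
$ServiceAccount = 'CONTOSO\svc-navserver'    # account running the NAV Server instance

$certs = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$HostName*" -and $_.HasPrivateKey }
if (@($certs).Count -ne 1) {
    throw "Expected exactly one certificate with a private key for $HostName, found $(@($certs).Count)"
}
$cert = $certs | Select-Object -First 1

if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $($cert.Thumbprint) has expired" }

# Verify() builds the chain against the local machine trust stores. A self-signed
# certificate only passes once it has been imported into Cert:\LocalMachine\Root.
if (-not $cert.Verify()) {
    Write-Warning "Certificate chain for $($cert.Thumbprint) is not trusted on this machine"
}

"Subject    : $($cert.Subject)"
"Thumbprint : $($cert.Thumbprint)   (use this for -NavServerCertificateThumbprint)"

# Grant the service account Read on the private key file (needed to sign/decrypt tokens).
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
if (-not $keyName) {
    throw "No CSP key container found (CNG key?); grant the permission through the Certificates MMC"
}
$keyPath = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$keyName"
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Least privilege check: list who can access the key after the change.
(Get-Acl -Path $keyPath).Access | Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Run it elevated on the Navision server. The final listing is worth keeping with the change record: only SYSTEM, Administrators and the service account should appear, and the service account should have Read, not Full Control.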

Next, we enable the SSO settings on the user object(s). Open the properties of the user in the administration console and fill in the Office 365 Authentication Email. This value is what Navision compares against the identity in the Azure AD token, so it must be identical to the user's username (UPN) in Azure AD; a user without it cannot sign in through SSO.

(screenshot nav7)
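For more than a handful of users the mapping is better done with Set-NAVServerUser from the NavAdminTool module. The script below is an added example, not part of the original post: it takes a constructed list of Navision user names and Azure AD UPNs, checks each UPN exists in Azure AD and is a member of the access group, and only then writes the Authentication Email. The server instance name, group name and the mapping list are placeholders.

```powershell
# Added example (not from the original post): bulk-map NAV users to Azure AD UPNs with
# validation. Assumptions: instance name, group name and the mapping list are placeholders;
# path is the NAV 2017 one (use ...\90\Service\NavAdminTool.ps1 for NAV 2016).
Import-Module "C:\Program Files\Microsoft Dynamics NAV\100\Service\NavAdminTool.ps1"
Import-Module AzureAD
Connect-AzureAD

$ServerInstance = 'DynamicsNAV100'
$GroupName      = 'NAV-SSO-Users'

# Constructed sample mapping: NAV user name -> Azure AD user principal name.
$Mappings = @(
    @{ NavUser = 'JDOE';   Upn = 'jdoe@contoso.onmicrosoft.com' },
    @{ NavUser = 'ASMITH'; Upn = 'asmith@contoso.onmicrosoft.com' }
)

$group   = Get-AzureADGroup -Filter "displayName eq '$GroupName'"
if (-not $group) { throw "Azure AD group '$GroupName' not found" }
$members = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
           ForEach-Object { $_.UserPrincipalName }

$navUsers = Get-NAVServerUser -ServerInstance $ServerInstance

foreach ($m in $Mappings) {
    # Take the UPN from Azure AD itself so the stored value matches exactly.
    $aadUser = Get-AzureADUser -Filter "userPrincipalName eq '$($m.Upn)'"
    if (-not $aadUser) {
        Write-Warning "Skipping $($m.NavUser): $($m.Upn) does not exist in Azure AD"; continue
    }
    if ($members -notcontains $aadUser.UserPrincipalName) {
        Write-Warning "Skipping $($m.NavUser): $($m.Upn) is not in $GroupName, Azure AD would refuse the sign-in"
        continue
    }
    if (-not ($navUsers | Where-Object { $_.UserName -eq $m.NavUser })) {
        Write-Warning "Skipping $($m.NavUser): no such Navision user"; continue
    }

    Set-NAVServerUser -ServerInstance $ServerInstance -UserName $m.NavUser `
                      -AuthenticationEmail $aadUser.UserPrincipalName
    "$($m.NavUser) -> $($aadUser.UserPrincipalName)"
}

# Review the result: every user listed with an AuthenticationEmail can use SSO once
# Azure AD lets them through; users without one keep their current credential type.
Get-NAVServerUser -ServerInstance $ServerInstance | Select-Object UserName, AuthenticationEmail
```

The group membership check is deliberate: mapping a Navision user to a UPN that Azure AD will not issue a token for just produces confusing sign-in errors, and mapping one to a UPN outside the access group is usually a sign the mapping list is wrong.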

Next we can enable the SSO configuration for the Navision server environment. This is done with some specific PowerShell modules that ship with the Navision installation and can be imported with the commands shown below. The location of the modules differs slightly between version 2016 and 2017 (the NAVDVD paths are where the installation media was extracted on my machine; adjust them to yours):

#Nav2017
Import-Module "C:\Program Files\Microsoft Dynamics NAV\100\Service\NavAdminTool.ps1"
Import-Module "C:\Program Files (x86)\Microsoft Dynamics NAV\100\RoleTailored Client\NavModelTools.ps1"
Import-Module "C:\NAVDVD\NL\WindowsPowerShellScripts\NAVOffice365Administration\NAVOffice365Administration.psm1"
 
#Nav2016
Import-Module "C:\Program Files\Microsoft Dynamics NAV\90\Service\NavAdminTool.ps1"
Import-Module "C:\Program Files (x86)\Microsoft Dynamics NAV\90\RoleTailored Client\NavModelTools.ps1"
Import-Module "C:\NAVDVD\NAV.9.0.46045.NL.DVD\WindowsPowerShellScripts\NAVOffice365Administration\NAVOffice365Administration.psm1"

When you have imported these modules, you can run the script below to set up the SSO configuration for the web and Windows client. Fill in the three parameters at the top before you run it.

#Nav2016/2017
$AuthnEmail = ""  # UPN of the Azure AD Global Admin account. The cmdlet asks for its credentials interactively; never put the password in the script.
$CertName   = ""  # Subject (CN) of the TLS certificate noted earlier.
$NavUser    = ""  # Name of the local Navision admin user.

# Both Get-* cmdlets return every instance on the machine; this script assumes exactly one
# server instance and one web server instance and stops otherwise.
$NavServ = Get-NAVServerInstance
if (@($NavServ).Count -ne 1) { throw "Expected one NAV server instance, found $(@($NavServ).Count); set `$NavServInstance explicitly" }
$NavServInstance = $NavServ.ServerInstance

$NavServWeb = Get-NAVWebServerInstance
if (@($NavServWeb).Count -ne 1) { throw "Expected one NAV web server instance, found $(@($NavServWeb).Count); set `$NavServWebInstance explicitly" }
$NavServWebInstance = $NavServWeb.WebServerInstance

# Select the certificate by subject. Stop if more than one matches; otherwise an array of
# thumbprints would be passed to the cmdlet.
$Cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -match $CertName }
if (@($Cert).Count -ne 1) { throw "Expected one certificate matching '$CertName', found $(@($Cert).Count)" }
$CertThumb = $Cert.Thumbprint

Set-NavSingleSignOnWithOffice365 -AuthenticationEmail $AuthnEmail -NavServerInstance $NavServInstance -NavUser $NavUser -NavServerCertificateThumbprint $CertThumb -NavWebServerInstanceName $NavServWebInstance

This generates a client configuration string (the ACSUri) for the Windows client; copy it, you need it in the next step:

(screenshot nav9)

Now you can set up the Navision Windows client. For this you need to edit the client configuration file, ClientUserSettings.config, in the user's roaming profile:

Navision 2016: %APPDATA%\Microsoft\Microsoft Dynamics NAV\90\ClientUserSettings.config
Navision 2017: %APPDATA%\Microsoft\Microsoft Dynamics NAV\100\ClientUserSettings.config

(%APPDATA% resolves to C:\Users\<username>\AppData\Roaming.) In this file, change the following two settings:

ClientServicesCredentialType: AccessControlService
ACSUri: the link generated in the previous step, copied exactly.

(screenshot nav8)

Save the configuration file and restart the Navision server instance.
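The client file edit is easy to get wrong by hand (a stray character in the ACSUri breaks sign-in), so here is an added example, not from the original post, that applies the two settings from PowerShell, takes a backup first, and refuses anything that is not an absolute https URL. It assumes the NAV 2017 path (use ...\90\... for NAV 2016) and that the ACSUri value printed by Set-NavSingleSignOnWithOffice365 is passed in as the -AcsUri parameter.

```powershell
# Added example (not from the original post): set ClientServicesCredentialType and ACSUri
# in ClientUserSettings.config. Assumptions: NAV 2017 path; $AcsUri is the string produced
# by Set-NavSingleSignOnWithOffice365 in the previous step.
param(
    [Parameter(Mandatory = $true)][string]$AcsUri,
    [string]$ConfigPath = (Join-Path $env:APPDATA 'Microsoft\Microsoft Dynamics NAV\100\ClientUserSettings.config')
)

function Set-NavClientSetting {
    param([xml]$Config, [string]$Key, [string]$Value)
    # Settings live as <add key="..." value="..."/> under <appSettings>.
    $node = $Config.configuration.appSettings.add | Where-Object { $_.key -eq $Key }
    if ($null -eq $node) { throw "Setting '$Key' not present in $ConfigPath" }
    $node.value = $Value
}

# The client sends the user to whatever is in ACSUri, so only accept an absolute https URL:
# a plain-http or relative value would downgrade or misdirect the sign-in.
$uri = $null
if (-not [Uri]::TryCreate($AcsUri, [UriKind]::Absolute, [ref]$uri) -or $uri.Scheme -ne 'https') {
    throw "ACSUri must be an absolute https URL"
}

if (-not (Test-Path $ConfigPath)) {
    throw "Client configuration not found: $ConfigPath (start the Windows client once to create it)"
}
Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force

$cfg = New-Object System.Xml.XmlDocument
$cfg.Load($ConfigPath)
Set-NavClientSetting -Config $cfg -Key 'ClientServicesCredentialType' -Value 'AccessControlService'
Set-NavClientSetting -Config $cfg -Key 'ACSUri' -Value $AcsUri
$cfg.Save($ConfigPath)

# Show the settings that matter for SSO so the change can be eyeballed before starting the client.
$cfg.configuration.appSettings.add |
    Where-Object { $_.key -in 'Server', 'ServerInstance', 'ClientServicesCredentialType', 'ACSUri' } |
    Select-Object key, value
```

Save it as, for example, Set-NavClientSso.ps1 and run it as the user whose client should use SSO, since the file lives in that user's profile; the .bak copy lets you revert to Windows authentication if the sign-in fails.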

Now browse to the Navision web client URL; you are redirected to Azure AD to sign in.

The Windows client also sends you to Azure AD:

(screenshot nav6)

After a successful login you will see the Navision dashboard, with the name of the local Navision user that your Azure AD identity was mapped to shown at the bottom:

(screenshot nav10)