Setting up proper authentication is crucial for securing NAV Business Central web services. One recommended method is using certificate thumbprints to validate users. In this article, I’ll walk through the steps to enable certificate thumbprint authentication in NAV Business Central.
Why Use Thumbprint Authentication?
Thumbprint authentication improves security by using the thumbprint (hash) of a certificate rather than just the username and password. Access is denied if the certificate is not valid.
Other benefits include:
- Two-factor authentication – Users need both the certificate and the private key, providing an extra layer of security.
- No passwords sent – The thumbprint is used instead of sending plain text passwords over the network.
- Easy revocation – Certificates can be revoked to instantly block access.
- Audit trail – Activity can be traced back to the certificate owner.
Prerequisites
Before starting, you’ll need:
- A NAV Business Central environment with the web services role installed
- A self-signed certificate or a certificate from a CA for each user
- The certificate with its private key uploaded to the user’s Windows certificate store
- Admin access to NAV Business Central to configure settings
Step 1 – Configure Web Services
First, enable certificate thumbprint authentication on the web services.
- Open NAV Business Central and go to the Web Services page.
- Set Authenticate with NavUserPassword to No.
- Set Authenticate with AccessControlService to Yes.
This will disable NavUserPassword authentication and enable certificate validation.
Step 2 – Select Certificate Thumbprint
Next, specify which certificate thumbprint to use for authentication.
- Under Web Services, select Certificate Thumbprints.
- Click New and fill in the fields:
  - User Security ID – The NAV user to map the certificate to
  - Thumbprint – The certificate’s thumbprint value
- Repeat to add thumbprints for each user.
This maps users to their certificate thumbprints. NAV Business Central will validate these thumbprints on each request.
Step 3 – Assign Web Services Permissions
The final step is assigning permissions to the web services.
1. Go to the Web Services page for each user.
2. Under Web Service Access Keys, select New.
3. Fill in:
   - Code – A name for the key
   - Permissions – Select SOAP and OData web services
4. Set the Starting Date and Ending Date for access.
This allows the user to access the web services within the date range.
Once the permissions are assigned, the user can access NAV Business Central web services by presenting their certificate. The thumbprint will be validated against the configured value before access is granted.
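The check that Steps 2 and 3 configure, sketched as an added example (not code from this article's product or from Business Central itself). It assumes the thumbprint is the SHA-1 hash of the DER-encoded certificate, as Windows displays it, and that the date range is checked alongside the thumbprint mapping; the function names and sample data are hypothetical.

```python
import hashlib
import re
from datetime import date

# Characters that ride along when a thumbprint is copied from a certificate
# dialog: whitespace, colons, and invisible marks such as U+200E.
_NOISE = re.compile(r"[\s:\u200e\u200f\ufeff]")


def thumbprint(der_bytes: bytes) -> str:
    """Windows-style thumbprint: SHA-1 of the DER-encoded certificate, upper-case hex."""
    return hashlib.sha1(der_bytes).hexdigest().upper()


def normalize(pasted: str) -> str:
    """Clean a pasted thumbprint and reject anything that is not 40 hex digits."""
    cleaned = _NOISE.sub("", pasted).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError(f"not a SHA-1 thumbprint: {pasted!r}")
    return cleaned


def build_map(entries):
    """entries: (user, pasted thumbprint, starting date, ending date) tuples."""
    return {normalize(tp): (user, start, end) for user, tp, start, end in entries}


def authorize(der_bytes: bytes, mapping: dict, today: date):
    """Return the mapped user, or None for an unknown thumbprint or a date outside the range.

    Assumes the TLS layer has already proven possession of the private key;
    the thumbprint alone is public and proves nothing by itself.
    """
    entry = mapping.get(thumbprint(der_bytes))
    if entry is None:
        return None
    user, start, end = entry
    return user if start <= today <= end else None


# Constructed sample data: stand-in bytes, not a real certificate.
ALICE_DER = b"constructed stand-in for ALICE's DER-encoded certificate"
OTHER_DER = b"constructed stand-in for a certificate that is not in the list"

if __name__ == "__main__":
    hex_tp = thumbprint(ALICE_DER)
    pasted = "\u200e" + " ".join(hex_tp[i:i + 2] for i in range(0, 40, 2)).lower()
    users = build_map([("ALICE", pasted, date(2024, 1, 1), date(2024, 12, 31))])
    print(authorize(ALICE_DER, users, date(2024, 6, 1)))
    print(authorize(OTHER_DER, users, date(2024, 6, 1)))
    print(authorize(ALICE_DER, users, date(2025, 1, 1)))
```

Normalizing the stored value matters in practice: a thumbprint pasted with spaces or a hidden leading character looks identical on screen but never matches the presented certificate.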
Confirm It’s Working
To test that thumbprint authentication is working:
- Try accessing the OData or SOAP web services using a certificate that is not in the thumbprint list. Access should be denied.
- Access the web service using a valid certificate. The request should now succeed because the thumbprint is authorized.
Benefits of Thumbprint Authentication
Implementing certificate thumbprint authentication provides many security benefits:
- Stronger validation – More secure than only username and password.
- No transmitted passwords – Thumbprints are used rather than plain text passwords.
- Two-factor security – Certificate file and private key provide two-layer protection.
- Easy revocation – Instantly revoke access by disabling the certificate.
By taking a few simple steps, you can drastically improve the security of your NAV Business Central web services. Certificates and thumbprint authentication help protect against unauthorized access and cyberattacks.