In Microsoft Dynamics NAV 2013 R2, we introduce the ability to set up single sign-on (SSO) between an Office 365 account and a Microsoft Dynamics NAV 2013 R2 account. More precisely, the Office 365 user account is linked to a Microsoft Dynamics NAV 2013 R2 user account.
Implementing SSO requires that you correctly set up various elements, including a Windows Azure account for managing the Windows Azure Active Directory (Windows Azure AD) tenant, the Microsoft Dynamics NAV Server, and the Microsoft Dynamics NAV Web Server.
As part of a hotfix for Microsoft Dynamics NAV 2013 R2, we have provided an extension to the Best Practices Analyzer (BPA) tool. The extension can be used to validate the setup for your single sign-on application. The approach is as follows: you provide a simple set of parameters, and then the tool validates the setup to see whether it is correct for single sign-on.
This blog post describes the principles of single sign-on between Office 365 and Microsoft Dynamics NAV 2013 R2. It provides a short introduction to setting up SSO, information about how to use the BPA tool for validation, and a list of resources for additional information, including videos and Help documentation.
The authentication for SSO involves three parties: Office 365, Microsoft Dynamics NAV 2013 R2, and the Windows Azure Active Directory (Windows Azure AD) service. Microsoft Dynamics NAV 2013 R2 trusts Windows Azure AD, and Office 365 trusts Windows Azure AD; however, Microsoft Dynamics NAV 2013 R2 and Office 365 do not trust each other.
Windows Azure AD is the identity management service for Office 365. The credentials that you use to sign in to Office 365 are the same credentials that you use to sign in to the Windows Azure Management Portal (http://manage.windowsazure.com). By definition, Office 365 trusts Windows Azure AD, so if Microsoft Dynamics NAV 2013 R2 also trusts Windows Azure AD, we indirectly establish a trust between Microsoft Dynamics NAV 2013 R2 and Office 365: Windows Azure AD vouches to Microsoft Dynamics NAV 2013 R2 for the users it has authenticated for Office 365. This is done in the following way:
To start with, we need to get the federation metadata from Windows Azure AD specifically for the given Office 365 subscription. An Office 365 subscription is an Office 365 account, which is sometimes referred to as an Office 365 tenant. We also need to let Windows Azure AD know about the Microsoft Dynamics NAV Web Server address. Once it has this information, Windows Azure AD knows enough about the Microsoft Dynamics NAV Web Server; the Microsoft Dynamics NAV Web Server and Microsoft Dynamics NAV Server, in turn, need to know about Office 365 and Windows Azure AD.
Microsoft Dynamics NAV 2013 R2 is based on a multi-tier architecture. This architecture consists of a SQL Server, Microsoft Dynamics NAV Server, and the Microsoft Dynamics NAV Web Server. For SSO, we do not have to configure anything special on the SQL Server, but we do need to modify the configuration of both the Microsoft Dynamics NAV Server instance and the Microsoft Dynamics NAV Web Server instance. The Microsoft Dynamics NAV Server must be configured to run with the credential type AccessControlService, and it must also know the Windows Azure AD URL from which it retrieves the federation metadata. The Microsoft Dynamics NAV Web Server, which is hosted by Internet Information Services (IIS), must also be configured to run with the credential type AccessControlService, and it must know the path to the Windows Azure AD authentication endpoint. The final configuration setting is that the Office 365 email account of each user who is expected to use SSO has to be mapped to that user's Microsoft Dynamics NAV user account.
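The following PowerShell sketch is an added example of the checks described above, written for this post; it is not the BPA tool's code and not part of the original article. It assumes the Microsoft Dynamics NAV 2013 R2 Administration module path, the instance name "DynamicsNAV71" and tenant "default" from the post, and a web.config path that you must adjust to your installation.

```powershell
# Added validation sketch (not the BPA tool's own code). Assumed paths and names below.
Import-Module 'C:\Program Files\Microsoft Dynamics NAV\71\Service\Microsoft.Dynamics.Nav.Management.dll'

$ServerInstance = 'DynamicsNAV71'   # instance name used in the post's example
$Tenant         = 'default'         # the only tenant in a single-tenant configuration
$WebConfigPath  = 'C:\inetpub\wwwroot\DynamicsNAV71\web.config'   # assumed path; adjust

$findings = New-Object System.Collections.Generic.List[string]

# Read one appSettings key from a NAV configuration XML document
function Get-Setting([xml]$Config, [string]$Key) {
    ($Config.configuration.appSettings.add | Where-Object { $_.key -eq $Key }).value
}

# 1. Microsoft Dynamics NAV Server: credential type and federation metadata location
$cfg = [xml](Get-NAVServerConfiguration -ServerInstance $ServerInstance -AsXml)
$credType = Get-Setting $cfg 'ClientServicesCredentialType'
if ($credType -ne 'AccessControlService') {
    $findings.Add("Server: ClientServicesCredentialType is '$credType', expected AccessControlService")
}
$metadataUrl = Get-Setting $cfg 'ClientServicesFederationMetadataLocation'
if ([string]::IsNullOrWhiteSpace($metadataUrl)) {
    $findings.Add('Server: ClientServicesFederationMetadataLocation is empty')
} else {
    try {
        # The tenant's federation metadata must be reachable and be a SAML metadata document
        $meta = [xml](Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
        if (-not $meta.EntityDescriptor) { $findings.Add('Server: federation metadata has no EntityDescriptor') }
    } catch { $findings.Add("Server: cannot download federation metadata: $($_.Exception.Message)") }
}

# 2. Microsoft Dynamics NAV Web Server (web.config): credential type and ACS endpoint
$web     = [xml](Get-Content $WebConfigPath)
$webCred = Get-Setting $web 'ClientServicesCredentialType'
$acsUri  = Get-Setting $web 'ACSUri'
if ($webCred -ne 'AccessControlService') { $findings.Add("Web: ClientServicesCredentialType is '$webCred'") }
if ([string]::IsNullOrWhiteSpace($acsUri) -or $acsUri -notlike 'https://*') {
    $findings.Add("Web: ACSUri is missing or not an HTTPS endpoint: '$acsUri'")
}

# 3. Every enabled NAV user expected to use SSO must have an Office 365 e-mail mapped
Get-NAVServerUser -ServerInstance $ServerInstance -Tenant $Tenant |
    Where-Object { $_.State -eq 'Enabled' -and [string]::IsNullOrWhiteSpace($_.AuthenticationEmail) } |
    ForEach-Object { $findings.Add("User '$($_.UserName)' has no Office 365 e-mail mapped") }

if ($findings.Count -eq 0) { 'All SSO configuration checks passed.' } else { $findings }
```

Run it in an elevated PowerShell session on the server that hosts the NAV Server instance; users without a mapped e-mail are reported so you can decide whether they should use SSO at all.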
For more details, see the references in the Appendix section.
With Microsoft Dynamics NAV 2013, we introduced the Best Practices Analyzer (BPA) to analyze the configuration of Microsoft Dynamics NAV Server and SQL Server in order to determine whether these components are configured correctly or not. In Microsoft Dynamics NAV 2013 R2, we have extended the BPA to include an analysis of the SSO configuration.
The BPA tool can be used by copying the BPA folder from the Microsoft Dynamics NAV 2013 R2 installation media (DVD) to your computer or by running the tool directly from the DVD. (Note: The DVD must be newer than November 25, 2013 – hotfix number 35727.) To run the BPA tool, we recommend that you copy the files to a local folder (if you do not need to use the Helper files you can run the tool from the DVD), enable Desktop Services, and then choose “Run As Administrator”.
To proceed with the BPA tool, we assume the following:
The BPA tool includes several steps that perform the analysis of your configuration. The following figure shows the Start a new Best Practices scan screen. The new analysis for SSO is enabled by choosing Yes for the “Would you like to verify that the environment is configured for Single Sign-On with Office 365?” option.
The parameters that you can set are described in the following table:
Active Directory Server: This is automatically determined and is optional.
Server Instance Name: This specifies the name of the Microsoft Dynamics NAV Server instance, which can be found under Services on the computer. In the example, the Server Instance Name is “DynamicsNAV71”. It is also shown in the Microsoft Management Console.
Web Server Instance Name: This specifies the name of the web server instance for the Microsoft Dynamics NAV 2013 R2 Web Client, which can be found in Internet Information Services (IIS) Manager. In the example, the web server instance name is the name of the virtual folder under Microsoft Dynamics NAV 2013 R2 Web Client.
Microsoft Dynamics NAV Tenant: This is only needed in a multitenant environment. The value “default” is the name of the first and only tenant in a single-tenant configuration.
Office 365 User Account Email: This is the user name for Office 365 (and Windows Azure AD). It looks similar to admin@myO365.onmicrosoft.com.
When you have filled out the parameters, you choose Start scanning. Shortly after, you will get a request for the password for your Office 365 account so that the BPA tool can connect to your Windows Azure AD tenant in order to verify your configuration:
Within half a minute or so, the Scanning Completed message appears.
You then choose View a report of this Best Practices scan. (You can only see List reports if you have not enabled Desktop Services. Otherwise use Tree reports.)
The tool shows a number of errors. If you choose the first error in the list, then more details and some guidance are shown.
If you choose Tell me more about this issue and how to resolve it, then the documentation will open, where you can see even more guidance on what you need to do in order to fix the problems.
You can also see this information in the Tree Reports.
As you can see, this tool can be really helpful when you need to get through the configuration of SSO. You can keep the BPA tool open as you resolve problems, and once you are done, you can choose to scan again to see whether issues are resolved.
As a final check, verify that the SSO actually works. If it is the first time that you sign in, the credentials are needed.
With this extension to the BPA, we hope that you will have an easier time validating that Microsoft Dynamics NAV is correctly set up for single sign-on with Office 365. To get a better understanding, take a look at the references provided in the appendix.
References to videos
How Do I: Enable Single Sign-On with Office 365 in Microsoft Dynamics NAV 2013 R2 is available on MSDN and in the Microsoft Dynamics NAV Community.
More information about Windows Azure Active Directory
Windows Azure Active Directory
Manage Windows Azure AD using Windows PowerShell
More information about Microsoft Dynamics NAV 2013 R2
Authenticate Users with Windows Azure Active Directory
Users and Credential Types
Configuring Microsoft Dynamics NAV Web Client by Modifying the web.config File
How to: Configure User Authentication for the Microsoft Dynamics NAV Web Client
Configuring Microsoft Dynamics NAV Server
How to: Configure the Microsoft Dynamics NAV Web Client for ACS
More information about certificates
Eric Beran, Mike Borg Cardona, Vlad Precup, Steffen Balslev, and John Swymer - Microsoft Dynamics NAV Office 365 team.
Please, where could I find an updated version of the "NavBPA.config.xml" file which comes with the BPA tool?
This is a file located in the "en" folder inside the "BPA" folder in the NAV installation DVD.
None of the released Dynamics NAV 2013 R2 hotfixes contains this file (they only contain updated versions of the BPA .exe and DLLs), so we are stuck with the old version which comes with the installation DVD.
This is a huge problem because, without the XML config file, the BPA tool works just as before, and doesn't show the necessary options to test SSO with Office 365...
Thank you very much in advance!
An updated version of the NavBPA.config.xml file will be included in the next Update Rollup release for Microsoft Dynamics NAV 2013 R2. The update rollups are available from PartnerSource at this location: mbs2.microsoft.com/.../KBDisplay.aspx.
We apologize for the confusion and will announce here on the blog when the next rollup update is available.
the NAV team
I can't find the "NavBPA.config.xml" file in rollup 3.
Where could I find the file?
How is it going with this? I am struggling with a SSO setup and need whatever help I can get....
Does anyone know anything about this?
Where can we find the infamous "NavBPA.config.xml" file??