Provisioning the Business Central Server Service Account

The Business Central Server service account is the Windows identity under which the Business Central Server service runs. Business Central clients authenticate to the Business Central Server instance, and the server in turn uses the service account to log on to the Business Central database in SQL Server. When you install Business Central Server, you identify an Active Directory account to provide credentials for the server. By default, Setup runs Business Central Server under the Network Service account, a predefined local account used by the service control manager. This account has limited privileges on the local computer and, when it accesses resources on the network, authenticates as the computer account.

Domain user account versus Network Service account

We recommend that you create a dedicated domain user account for running Business Central Server. The Network Service account is considered less secure because it is a shared account that other, unrelated services on the same computer can also run under; any process or user with rights over that account has the same rights over every service running as it. If you create a domain user account to run Business Central Server, you can use the same account to run SQL Server, whether or not SQL Server is on the same computer. From a least-privilege standpoint, however, a separate account for each service is preferable: if the Business Central Server process is compromised, the attacker then holds only that service's identity and the database privileges granted to it, not the identity that SQL Server itself runs as.

There is no specific action required for provisioning the Network Service account. The only recommendation is to verify that the account has the necessary database privileges in SQL Server as described in the Giving the service account database privileges in SQL Server section.

Provisioning a domain user account

If you are running the Business Central Server under a domain user account, you must:

  • Enable the account to log on as a service

  • Enable the account to register an SPN on itself

  • Add the account to the SMSvcHost.exe.config file

  • Give the account necessary database privileges in SQL Server

Prerequisite

Delete the Dynamics 365 Business Central folder in the ProgramData folder of your system drive, for example, C:\ProgramData\Microsoft\Microsoft Dynamics 365 Business Central.

The ProgramData folder is typically hidden, so you might have to change the folder options for your system drive to show hidden files, folders, and drives.

Enabling the account to log on as a service

Depending on various factors, the account may already have the right to log on as a service. For example, if you have already installed SQL Server and configured it to run under the same account, SQL Server Setup will have granted the account that right. The Services console also grants it when you change a service's logon account there, whereas command-line tools such as sc.exe do not. If the right is missing, the Business Central Server instance's service cannot start: the Service Control Manager rejects the logon for the service account.

You enable Log on as a service using the Local Security Policy console on the computer running Business Central Server. The right is local to the computer on which the service runs, so repeat the steps on every Business Central Server computer. If the computer is subject to a domain Group Policy that assigns this user right, the policy setting replaces the local one, and the account must be added to the policy instead.

  1. To open the Local Security Policy console, do one of the following steps:

    • In the search box on the Start screen, type secpol.msc, and then press Enter.
    • From Server Manager or Control Panel, open Administrative Tools, and then open Local Security Policy.
  2. Expand Local Policies and select User Rights Assignment.

  3. Right-click Log on as a service and select Properties.

  4. Select Add User or Group, then locate and add the user account that you're using as the Business Central Server service account.

For more information, see Configure security policy settings.
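The same check and grant can be scripted, which is useful when the right has to be applied on several Business Central Server computers and verified afterwards. The following is an added example, not code from the original topic or from Business Central itself. It uses secedit, the tool behind the Local Security Policy console, and assumes the account name CONTOSO\svc-bcserver; replace it with your own.

```powershell
# Added example (not from the original topic): check whether the Business Central Server service
# account holds the "Log on as a service" right (SeServiceLogonRight) on this computer, and grant it
# if not, using secedit, which is the tool behind the Local Security Policy console.
# Run in an elevated PowerShell session on the Business Central Server computer.
# The account name is an assumption; replace it with your own.
param([string]$Account = 'CONTOSO\svc-bcserver')

$ErrorActionPreference = 'Stop'

# secedit stores user-rights entries as *SID, so resolve the account name to its SID first
# (this needs the computer to be able to reach a domain controller for a domain account).
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

function Get-ServiceLogonRightHolders {
    # Export the user-rights assignments currently in effect and parse the SeServiceLogonRight line.
    $export = Join-Path $env:TEMP 'user-rights.inf'
    & secedit.exe /export /cfg $export /areas USER_RIGHTS | Out-Null
    $line = Get-Content -Path $export | Where-Object { $_ -match '^\s*SeServiceLogonRight\s*=' } | Select-Object -First 1
    Remove-Item -Path $export -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    # Right-hand side is comma-separated, e.g. *S-1-5-20,*S-1-5-80-0,CONTOSO\svc-sql
    $holders = ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
    return @($holders)
}

$holders = @(Get-ServiceLogonRightHolders)
if ($holders -contains $sid -or $holders -contains $Account) {
    "$Account already holds SeServiceLogonRight."
} else {
    # Importing replaces the whole assignment, so write back the existing holders plus the new SID.
    $entries = ($holders + $sid | ForEach-Object { if ($_ -match '^S-1-') { "*$_" } else { $_ } }) -join ','
    $inf = Join-Path $env:TEMP 'grant-service-logon.inf'
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeServiceLogonRight = $entries
"@ | Set-Content -Path $inf -Encoding Unicode
    & secedit.exe /configure /db (Join-Path $env:TEMP 'grant-service-logon.sdb') /cfg $inf /areas USER_RIGHTS | Out-Null
    Remove-Item -Path $inf -ErrorAction SilentlyContinue

    # Re-read the effective policy; a domain Group Policy that assigns this right overrides the local setting.
    if (@(Get-ServiceLogonRightHolders) -contains $sid) {
        "Granted SeServiceLogonRight to $Account."
    } else {
        throw "SeServiceLogonRight is still not assigned to $Account; check whether a domain Group Policy controls this user right."
    }
}
```

The script deliberately re-reads the exported policy after the import instead of trusting secedit's exit code: when a domain Group Policy assigns Log on as a service, the local change is silently overridden at the next policy refresh, and the re-read is what exposes that.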

Enabling the account to register an SPN on itself

To enable secure mutual authentication between clients and Business Central Server, you must configure the Business Central Server account so that it can register Service Principal Names (SPNs) on itself. Mutual authentication is recommended in a production environment but may not be necessary in a testing or staging environment. This is done by modifying the account in Active Directory: on the account object, grant the SELF principal the Validated write to service principal name permission (in Active Directory Users and Computers, open the account's Properties, Security tab, Advanced). Without it, the server can run but cannot publish the SPN that clients need in order to obtain a Kerberos ticket for it.

For more information, see Service Principal Names in the Active Directory documentation.
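The Active Directory change can also be made and verified from PowerShell. The following is an added example, not code from the original topic; it requires the ActiveDirectory module and permission to modify the account's security descriptor, and the account name svc-bcserver is an assumption. It looks up the GUID of the Validated-SPN control access right from the schema instead of hard-coding it.

```powershell
# Added example (not from the original topic): grant the Business Central Server service account
# the "Validated write to service principal name" permission on itself (the SELF principal), so the
# server can register its own SPNs. Requires the ActiveDirectory module and the right to modify the
# account object's ACL. The sAMAccountName is an assumption; replace it with your own.
param([string]$SamAccountName = 'svc-bcserver')

Import-Module ActiveDirectory -ErrorAction Stop

$user    = Get-ADUser -Identity $SamAccountName
$rootDse = Get-ADRootDSE

# Look up the Validated-SPN control access right in the configuration partition rather than
# hard-coding its GUID; its rightsGuid is what the ACE's ObjectType must carry.
$validatedSpn = Get-ADObject -SearchBase $rootDse.configurationNamingContext `
    -LDAPFilter '(&(objectClass=controlAccessRight)(name=Validated-SPN))' -Properties rightsGuid
if (-not $validatedSpn) { throw 'Validated-SPN control access right not found in the schema.' }
$rightGuid = [guid]$validatedSpn.rightsGuid

$self = [System.Security.Principal.SecurityIdentifier]'S-1-5-10'   # well-known SID for SELF
$path = "AD:\$($user.DistinguishedName)"
$acl  = Get-Acl -Path $path

# Idempotent: only add the ACE if SELF does not already have the validated write.
$existing = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::Self) -and
    $_.ObjectType -eq $rightGuid
}
if ($existing) {
    "SELF already has validated write to servicePrincipalName on $($user.DistinguishedName)"
} else {
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $self,
        [System.DirectoryServices.ActiveDirectoryRights]::Self,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $rightGuid)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
    "Granted SELF validated write to servicePrincipalName on $($user.DistinguishedName)"
}

# Verify: SPNs currently on the account. Empty until the server has registered one;
# anything listed here that you do not recognise is worth investigating.
(Get-ADUser -Identity $SamAccountName -Properties servicePrincipalName).servicePrincipalName
```

A validated write is narrower than a plain write to the servicePrincipalName attribute: the domain controller only accepts SPNs whose host part matches the account's own names, so a compromised service account cannot use it to claim SPNs for other hosts. That is the reason to grant this permission rather than Write servicePrincipalName.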

Add the account to the SMSvcHost.exe.config file

Business Central uses Net.TCP Port Sharing Service, which is managed by SMSvcHost.exe. The SMSvcHost.exe.config contains information about the identities (or accounts) that can use the service. These accounts are specified as security identifiers (SIDs) in the <allowAccounts> section of the SMSvcHost.exe.config file. By default, permission is implicitly granted to system accounts, such as NetworkService. For other accounts, you must explicitly add the SID for the account to the SMSvcHost.exe.config file as follows:

  1. Get the SID of the user account.

    The SID is a string such as S-1-5-21-...-1104: a domain or local user's SID begins with S-1-5-21 and ends in the account's relative identifier (RID). The well-known SIDs S-1-5-20 and S-1-5-32-544 identify the Network Service account and the local Administrators group. There are different ways to get the SID, such as using the Windows Management Instrumentation Command-line (WMIC) tool or the computer's registry.

    • To use WMIC, open a command prompt, and run the following command:

       wmic useraccount get name,sid
      

      This will display a list of user accounts and their SIDs. On a domain-joined computer this enumerates every account in the domain, which can take a long time, and WMIC is deprecated and no longer present on the most recent Windows releases.

    • To use the registry, run regedit, and then go to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList key. This key lists the SIDs of accounts that have a user profile on the computer. To find the SID that corresponds to the user account that you want, look at the ProfileImagePath value under each SID. A service account that has never logged on to the computer will not appear here.

  2. Using a text editor, open the SMSvcHost.exe.config file.

    You will find the SMSvcHost.exe.config file in the installation folder of the latest .NET Framework version on the Business Central Server computer; for example, C:\Windows\Microsoft.NET\Framework64\v4.0.30319. On a 64-bit computer there is also a 32-bit copy under Framework; edit the copy next to the SMSvcHost.exe that the Net.TCP Port Sharing Service (service name NetTcpPortSharing) is registered to run, which you can see in the service's properties.

  3. Add the SID to the <allowAccounts> element inside the existing <configuration> root as follows, keeping any entries that are already listed, and then save the file:

    <system.serviceModel.activation>
        <net.tcp listenBacklog="10" maxPendingConnections="100" maxPendingAccepts="2" receiveTimeout="00:00:10" teredoEnabled="false">
            <allowAccounts>
                <!-- Your Business Central Server account -->
                <add securityIdentifier="N-N-N-N"/>
            </allowAccounts>
        </net.tcp>
    </system.serviceModel.activation>

    In a default installation this section may be present only as a commented-out sample; uncomment it or add the section rather than creating a second copy. The service reads the file when it starts, so restart the Net.TCP Port Sharing Service afterwards for the change to take effect.

For more information about SMSvcHost.exe and the SMSvcHost.exe.config file, see Configuring the Net.TCP Port Sharing Service.
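The three steps above (resolve the SID, find the right config file, add the entry) are easy to get subtly wrong by hand: editing the Framework copy instead of the Framework64 copy, or pasting a SID that belongs to a different account. The following is an added example, not code from the original topic, that does all three in one go and is safe to run twice; the account name CONTOSO\svc-bcserver is an assumption.

```powershell
# Added example (not from the original topic): resolve the service account's SID and add it to
# <allowAccounts> in the SMSvcHost.exe.config that the Net.TCP Port Sharing Service actually uses,
# without disturbing entries that are already there. Run elevated on the Business Central Server computer.
# The account name is an assumption; replace it with your own.
param([string]$Account = 'CONTOSO\svc-bcserver')

$ErrorActionPreference = 'Stop'

# SID lookup without WMIC: ask the local security authority to translate the account name.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
"SID of ${Account}: $sid"

# The service's registered executable tells us which copy (Framework or Framework64) is in use.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='NetTcpPortSharing'"
if (-not $svc) { throw 'Net.TCP Port Sharing Service (NetTcpPortSharing) is not installed on this computer.' }
$configPath = $svc.PathName.Trim('"') + '.config'
"Editing $configPath"

# Keep a timestamped backup before touching a file that every Net.TCP service on the computer reads.
Copy-Item -Path $configPath -Destination ('{0}.{1:yyyyMMdd-HHmmss}.bak' -f $configPath, (Get-Date))

$xml = New-Object System.Xml.XmlDocument
$xml.Load($configPath)
$root = $xml.DocumentElement                       # <configuration>

# Walk (or create) configuration/system.serviceModel.activation/net.tcp/allowAccounts.
# In a default installation the section exists only as a commented-out sample, so the nodes are absent.
function Get-OrAddChild([System.Xml.XmlNode]$Parent, [string]$Name) {
    $child = $Parent.SelectSingleNode($Name)
    if (-not $child) { $child = $Parent.AppendChild($Parent.OwnerDocument.CreateElement($Name)) }
    return $child
}
$allow = Get-OrAddChild (Get-OrAddChild (Get-OrAddChild $root 'system.serviceModel.activation') 'net.tcp') 'allowAccounts'

if ($allow.SelectSingleNode("add[@securityIdentifier='$sid']")) {
    "SID $sid is already listed in <allowAccounts>; nothing to do."
} else {
    [void]$allow.AppendChild($xml.CreateComment(" Business Central Server service account: $Account "))
    $add = $xml.CreateElement('add')
    $add.SetAttribute('securityIdentifier', $sid)
    [void]$allow.AppendChild($add)
    $xml.Save($configPath)
    "Added $sid to <allowAccounts>."

    # The service reads its config at start-up. -Force also stops services that depend on it
    # (for example already-installed Business Central Server instances); start those again afterwards.
    if ((Get-Service -Name NetTcpPortSharing).Status -eq 'Running') {
        Restart-Service -Name NetTcpPortSharing -Force
    }
}
```

Because the file is parsed and rewritten as XML rather than patched as text, a typo cannot leave the Net.TCP Port Sharing Service with an unparseable config, which would stop every service that relies on port sharing, not just Business Central Server.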

Giving the service account database privileges in SQL Server

The Business Central Server service account must have specific roles and permissions in SQL Server to access a Business Central database. The roles and permissions are applied at the server level and at the database level, as outlined in the following table and explained in detail in the sections that follow:

Level             Roles and permissions
Server-level      Login with the dbcreator server role
                  On the master database: Select permission on the dbo.$ndo$srvproperty table
Database-level    db_datareader, db_datawriter, and db_ddladmin database roles
                  View change tracking permission on the database schema (dbo)

When you install the Business Central database by using Business Central Setup or the New-NAVDatabase cmdlet, you can specify the Business Central Server account. In these cases, the server account that you specify is granted privileges in SQL Server automatically. We still recommend that you go through the guidelines in this section afterwards, to confirm that the service account holds the minimum required privileges and nothing more.

To verify server-level and database-level privileges on SQL Server after you create your Business Central database, use SQL Server Management Studio and, if necessary, modify privileges. If you do not already have it, you can download SQL Server Management Studio from Microsoft.

Assign privileges on the server-level

On the server-level, the service account must be set up with a login that has the following roles and permissions:

  • dbcreator server role

    This privilege is only required while the Business Central database is being created. Remove it from the service account once the database exists, or, better, perform the database setup with a separate administrative account that has this privilege so that the runtime service account never holds it.

  • On the master database, the service account must have the following permissions:

    • Select permission on the dbo.$ndo$srvproperty table of the database

To assign privileges on the server-level, complete the following tasks in SQL Server Management Studio:

  1. Start SQL Server Management Studio and connect to the instance where the Business Central database is installed.

  2. Create a login for the Business Central Server account:

    1. Navigate the tree view: Security, Logins.
    2. Right-click Logins and select New Login.
    3. Choose Search and use the Select User or Group dialog box to identify the Business Central Server account.
    4. Choose OK to exit the New Login dialog box.
  3. Grant the login the server-level role dbcreator:

    1. Navigate the tree view: Security, Logins.
    2. Right-click the Business Central Server account, and then choose Properties.
    3. Click on Server Roles.
    4. Check the dbcreator box.
    5. Choose OK.
  4. Add the login as a user on the master database:

    1. Navigate the tree view: Databases, System Databases, master, Security, Users.
    2. Right-click Users and choose New User.
    3. Choose the ellipsis (...) button at the far right of the second line, Login name, in the Database User – New dialog box.
    4. In the Select Login dialog box, enter or browse for the login you created for the Business Central Server account.
    5. Enter a name in the User name field (the first line in the Database User - New dialog box).
    6. Choose OK to exit the Database User - New dialog box.
  5. Grant Select permission to Business Central Server login on the dbo.$ndo$srvproperty table.

    1. Navigate the tree view: Databases, System Databases, master, Tables, System Tables.
    2. Right-click the dbo.$ndo$srvproperty table and choose Properties.
    3. Under Select a Page, choose Permissions.
    4. Choose Search and use the Select User or Group dialog box to identify the login for the Business Central Server account.
    5. Under Permissions for <username>, on the Explicit tab, scroll down to the Select line, and select the check box in the Grant column.
    6. Choose OK to exit the Table Properties – dbo.$ndo$srvproperty dialog box.

Assign privileges on the Business Central database-level

On the Business Central database, the service account must have the following roles and permissions:

  • db_datareader, db_datawriter, and db_ddladmin database roles
  • View change tracking permission on the database schema (dbo)

You can set permissions directly on the database user that you set up for the service account. However, we recommend that you create a role that includes the permissions, and then add the user to the role, so that the runtime privilege set can be reviewed and revoked in one place.

To set up these permissions, complete the following steps:

  1. Add the login as a user on the database:

    1. Navigate the tree view: Databases, <your Business Central database>, Security, Users.
    2. Right-click Users and choose New User.
    3. In the Database User – New dialog box, choose the ellipsis (...) button at the far right of the second line, Login name.
    4. Select the login that you created for the Business Central Server account, and then choose OK.
  2. Create a database role for the runtime permissions on the database:

    1. In the tree view, under the database, navigate to Security, Roles.

    2. Right-click Database Roles and choose New Database Role.

    3. Choose the General page, and then:

      1. Enter a role name, such as BCServer_runtime.
      2. Under Members of this role, choose Add, then browse for and select the server account user.
      3. Leave Schemas owned by this role empty. Making the new role the owner of the db_datareader, db_datawriter, or db_ddladmin schemas does not give it the corresponding role memberships. Instead, after saving the role, add it as a member of each of those three fixed database roles: under Security, Roles, Database Roles, open the properties of db_datareader, db_datawriter, and db_ddladmin in turn and add BCServer_runtime under Members of this role. This is what the ALTER ROLE statements in the sample SQL at the end of this topic do.
    4. Choose the Securables page, and then:

      1. Choose Search.
      2. Choose All objects of the types..., and then OK.
      3. Select Schemas, and then OK.
      4. Under Securables, select the dbo schema.
      5. Under Permissions for dbo, select Grant for the View change tracking permission.
      6. Choose OK to finish.

Sample SQL queries

Instead of manually completing the previous steps, you can use the following SQL queries, which you can execute separately or combine and run as one.

Server-level query

USE [master]  
GO

-- Windows login for the service account; no SQL password is involved.
CREATE LOGIN [domain\accountname] FROM WINDOWS
-- The login needs a user in master only so that it can read dbo.$ndo$srvproperty.
CREATE USER [domain\accountname] FOR LOGIN [domain\accountname]
GRANT SELECT ON [master].[dbo].[$ndo$srvproperty] TO [domain\accountname]
-- dbcreator is needed only while the Business Central database is being created;
-- drop the membership again once the database exists.
ALTER SERVER ROLE [dbcreator] ADD MEMBER [domain\accountname]
GO

Database-level query

USE [Business Central Database]  
GO

-- One custom role carries all runtime privileges, so they can be reviewed and revoked in one place.
CREATE ROLE bc_server_runtime
ALTER ROLE db_datareader ADD MEMBER bc_server_runtime
ALTER ROLE db_datawriter ADD MEMBER bc_server_runtime
ALTER ROLE db_ddladmin ADD MEMBER bc_server_runtime
GRANT VIEW CHANGE TRACKING ON SCHEMA::[dbo] TO bc_server_runtime
-- The next two grants are not listed in the table at the start of this section; see the note below.
GRANT VIEW DATABASE STATE TO bc_server_runtime
GRANT ALTER ON DATABASE::[Business Central Database] TO bc_server_runtime
GO

CREATE USER [domain\accountname] FOR LOGIN [domain\accountname]
GO

ALTER ROLE bc_server_runtime ADD MEMBER [domain\accountname]
GO

Note that the database-level script grants two permissions that the table at the start of this section does not list: VIEW DATABASE STATE and ALTER on the database itself. ALTER on a database covers operations such as ALTER DATABASE, which is considerably more than the fixed roles in the table convey, so include both in any review of what the service account can do and confirm that your deployment actually needs them.
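After running the scripts (or after Setup has granted the privileges for you), the useful check is not whether the grants succeeded but what the account now holds in total, including anything granted earlier or by someone else. The following is an added example, not code from the original topic; it runs the audit from PowerShell using the .NET SqlClient that ships with Windows PowerShell, so no SQL Server module is required. The instance name SQLSRV01, the database name, the account name and the role name are assumptions taken from the placeholders above; replace them with your own.

```powershell
# Added example (not from the original topic): audit what the Business Central Server service
# account can actually do in SQL Server, at the server level and in the Business Central database,
# so the result can be compared with the minimum privileges in the table above.
# Instance, database, account and role names are assumptions; replace them with your own.
param(
    [string]$SqlInstance = 'SQLSRV01',
    [string]$Database    = 'Business Central Database',
    [string]$Account     = 'CONTOSO\svc-bcserver',
    [string]$Role        = 'bc_server_runtime'
)

function Invoke-AuditQuery {
    param([string]$Db, [string]$Sql)
    # Windows authentication over an encrypted connection. TrustServerCertificate=False requires the
    # instance to present a certificate this computer trusts; relax it only in a lab.
    $cs = "Server=$SqlInstance;Database=$Db;Integrated Security=SSPI;Encrypt=True;TrustServerCertificate=False"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Sql
        [void]$cmd.Parameters.AddWithValue('@account', $Account)   # parameterised, never string-built
        [void]$cmd.Parameters.AddWithValue('@role', $Role)
        $conn.Open()
        $table = New-Object System.Data.DataTable
        $table.Load($cmd.ExecuteReader())
        return @($table.Rows)
    } finally { $conn.Dispose() }
}

# Fixed server roles held by the login (a row with a null server_role means the login exists but holds none).
$serverRoles = @'
SELECT sp.name AS login_name, sp.type_desc, sp.is_disabled, r.name AS server_role
FROM sys.server_principals AS sp
LEFT JOIN sys.server_role_members AS srm ON srm.member_principal_id = sp.principal_id
LEFT JOIN sys.server_principals AS r ON r.principal_id = srm.role_principal_id
WHERE sp.name = @account;
'@

# Explicit permissions granted to the account or the role in the current database.
$dbPermissions = @'
SELECT g.name AS grantee, dp.state_desc, dp.permission_name, dp.class_desc,
       CASE dp.class_desc
            WHEN 'OBJECT_OR_COLUMN' THEN OBJECT_SCHEMA_NAME(dp.major_id) + '.' + OBJECT_NAME(dp.major_id)
            WHEN 'SCHEMA'           THEN SCHEMA_NAME(dp.major_id)
            ELSE DB_NAME() END AS securable
FROM sys.database_permissions AS dp
JOIN sys.database_principals AS g ON g.principal_id = dp.grantee_principal_id
WHERE g.name IN (@account, @role);
'@

# Role chain in the current database: user -> custom role -> fixed roles.
$dbRoles = @'
SELECT m.name AS member_name, r.name AS role_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
WHERE m.name IN (@account, @role);
'@

'== Server-level roles (expect dbcreator only while the database is being created; never sysadmin) =='
$roles = @(Invoke-AuditQuery -Db 'master' -Sql $serverRoles)
$roles | Format-Table -AutoSize
$roleNames = @($roles | ForEach-Object { $_.server_role })
if ($roleNames -contains 'sysadmin')  { Write-Warning "$Account is sysadmin; that is far more than Business Central Server needs." }
if ($roleNames -contains 'dbcreator') { Write-Warning "$Account still holds dbcreator; drop it once the database exists." }

'== Permissions in master (expect SELECT on dbo.$ndo$srvproperty plus the automatic CONNECT) =='
Invoke-AuditQuery -Db 'master' -Sql $dbPermissions | Format-Table -AutoSize

"== Role membership in [$Database] (expect $Account -> $Role -> db_datareader, db_datawriter, db_ddladmin) =="
Invoke-AuditQuery -Db $Database -Sql $dbRoles | Format-Table -AutoSize

"== Permissions in [$Database] (expect VIEW CHANGE TRACKING on schema dbo; anything else deserves a second look) =="
Invoke-AuditQuery -Db $Database -Sql $dbPermissions | Format-Table -AutoSize
```

When the audit reports dbcreator after the database has been created, the matching cleanup is ALTER SERVER ROLE [dbcreator] DROP MEMBER [domain\accountname] on the master database, which reverses the last statement of the server-level script above.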

See also

Creating Databases
Configuring Business Central Server