authentication

Probably quite an unusual scenario.. so I’ll explain why it came up!

A retail customer using LS Central wants to use their POS machine for both POS and back office functionality.

The complication is; the POS (Web Client) needs to automatically login with the POS Windows account (the signed in Windows account) but for back office tasks they want the user to log in with their own AD accounts.

The first thing that comes to mind is NavUserPassword for the BO users right? Well, the users are setup in AD so makes sense to use this rather than adding extra overhead of maintaining users/passwords in two places, plus they already have infrastructure in place using Windows auth. UserName auth? Sounds like it should work but again will require additional BC service and as the POS machine is on the domain and we’re using the Web Client it doesn’t really fit the brief:

UserName – With this setting, the user is prompted for username/password credentials when they access Business Central. These credentials are then validated against Windows authentication by Business Central Server. There must already be a corresponding user in Windows. Security certificates are required to protect the passing of credentials across a wide-area network. Typically, this setting should be used when the Business Central Server computer is part of an authenticating Active Directory domain, but the computer where the Dynamics NAV Client connected to Business Central is installed is not part of the domain.


So anyway, to cut a long story short you can disable passthrough Windows authentication in Chromium based web browsers (Chrome and Edge) by emptying the authentication server whitelist. This is done by adding a command line switch: –auth-server-whitelist=”_”

In this case this meant creating a new button called Backoffice in LS Start to open Chrome and adding the –auth-server-whitelist switch to the parameter list along with the BC url.

disable auto logon
Of course, you can also add this command line switch to a Windows shortcut:

auth server whitelist

You’ll notice this will disable passthrough authentication for the open browser window, the problem is if you open another link in Chrome/Edge by default it will open it in the same window. To get around this we’ll need to add another command line switch to force Chrome/Edge to open this link in its own window: –new-window

If you want to learn more about Chromium command line switches, have a browse over here: List of Chromium Command Line Switches « Peter Beverloo

Job done.

The post How-to stop auto-login to Business Central On-prem with Windows Auth appeared first on Dan Kinsella.