Using Windows User Authentication with ClearSCADA

ClearSCADA provides you with a Windows User Authentication feature. By using the Windows User Authentication feature, you can associate ClearSCADA user accounts with Microsoft Windows user accounts. When ClearSCADA user accounts are configured to use Windows User Authentication, they are verified against the corresponding Windows User Profile, and the ClearSCADA user account and the password, when entered, should match those of the Windows User Profile with which it is associated. When enabled and set up correctly, Windows User Authentication allows you to:

The main benefit of using Windows User Authentication is that it can reduce the amount of time and effort it takes for IT staff to restrict access via ClearSCADA user accounts. It also means they can manage password-related settings through Windows rather than ClearSCADA. However, using Windows Authentication can cause minor delays (milliseconds) with connections and ClearSCADA user account response times.

NOTE: If a user attempts to log on via a ClearSCADA user account that is not configured to use Windows User Authentication, they only need to enter a user name and password that is valid in ClearSCADA.

By default, Windows User Authentication is disabled. If you want to use Windows User Authentication, you need to:

  1. Display the Server Configuration Tool and log on if required (see Accessing the ClearSCADA Server Configuration Tool in the ClearSCADA Guide to Server Administration).
  2. Expand the System Configuration branch.
  3. Select the Security entry.
  4. Enable Windows User Authentication by selecting the Enabled check box in the Windows User Authentication section.

    When you enable the Windows User Authentication feature, the user accounts in ClearSCADA can be associated with corresponding user profiles in Microsoft Windows (you specify this per user account). This association means that you can disable ClearSCADA users by disabling Windows users. You can also use Windows to manage the passwords of ClearSCADA users.

  5. In the Windows Domain Name field, enter the name of the Windows Server Domain that stores your Windows User Profiles and passwords. This is the domain to which ClearSCADA will connect when verifying the log on details against the Windows User Profiles. For this reason, the ClearSCADA server needs a valid network connection to the domain.
  6. Leave the default setting of 150 seconds in place in the Cached Password Expiry field. You only need to adjust this setting if there are delays when logging on to your system (see Changing the Cache Password Expiry for Windows User Authentication).
  7. By default, the Windows User Authentication feature requires that the Windows user accounts have the same names as the ClearSCADA user accounts.
    • Clear the Windows user login enabled check box if your Windows user accounts have exactly the same names as corresponding ClearSCADA user accounts.

      For example:

      If you already have an existing system in place and want to start using Windows User Authentication, you need to either rename the Windows user profiles so that they match the names of the corresponding ClearSCADA user accounts, or rename the ClearSCADA user accounts to match the names of the corresponding Windows user profiles.

    • Select the Windows user login enabled check box if you have Windows user accounts that do not adhere to the ClearSCADA naming convention and want users to be able to log in to ClearSCADA using those Windows user accounts.

      For example:

      With those ClearSCADA user accounts that are set to use the Windows Authentication feature to access ClearSCADA via a ViewX, WebX or third-party client, you can associate a Windows user account name that does not adhere to the ClearSCADA naming convention with ClearSCADA user accounts. (You need to set the association with a Windows user account on a per ClearSCADA user account basis; see Define whether a User is Associated with a Windows User Profile.)

  8. Apply the changes to the server.
  9. To manage ClearSCADA user accounts in Windows, you need to configure the ClearSCADA user accounts to use the Authenticate via Windows feature. For more information, see Define whether a User is Associated with a Windows User Profile.
  10. Choose the Authentication Method. There are three Authentication Methods available:
    • LogonUser—For systems where the ClearSCADA server authenticates log on details with a Windows server. The ClearSCADA server and Windows authentication server have to be on the same network domain or the server has to be in a trusted domain of the Windows Domain. (The Windows Domain as defined in the Windows Domain Name field, above).

      With LogonUser, Windows caches the log on details. As a result, the logging on process can be quicker than with LDAP and LDAP SSL authentication methods.

    • LDAP—The Lightweight Directory Access Protocol (LDAP) authentication method allows ClearSCADA to authenticate log on details with any server that supports LDAP. This means that servers using non-Windows operating systems, such as Linux, can be used for authentication.

      With LDAP, the authentication server can be on a different network domain to the ClearSCADA server. When log on takes place, the password is encrypted for transmission, but the user name is not.

    • LDAP SSL—LDAP SSL is a more secure version of LDAP, as it encrypts both the user name and password details. However, LDAP SSL requires the authentication server to have a valid LDAP SSL certificate.

      If you have chosen LDAP or LDAP SSL as the Authentication Method, you need to define the LDAP Port. This is the number of the port that is used by the LDAP authentication server to communicate with the ClearSCADA server.

      By default, ClearSCADA uses the standard LDAP port, which is often appropriate for many systems. However, you can change the LDAP port if required.

      If you are unsure which port is being used, please contact your IT department or the administrators responsible for configuring the authentication server. They will have specified a port when they set up the authentication server.

  11. Apply the changes to the server.
  12. To manage ClearSCADA user accounts in Windows, you need to configure the ClearSCADA user accounts to use the Authenticate via Windows feature. For more information, see Define whether a User is Associated with a Windows User Profile.
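
One way to confirm the certificate requirement for LDAP SSL (step 10) before selecting that method, as an added PowerShell example that is not part of the ClearSCADA documentation. The function name and the server name are placeholders, and port 636 is the conventional LDAPS port, assumed here; use the LDAP Port your authentication server was actually set up with.

```powershell
# Added example: checks that an LDAP server presents a certificate this machine trusts.
# Run it on the ClearSCADA server, because trust is evaluated against the local certificate store.
# No credentials are sent; only the TLS handshake is performed.
function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $Server,  # name the certificate must match
        [int] $Port = 636,                                # assumed default, see lead-in
        [int] $WarnDays = 30                              # flag certificates close to expiry
    )

    $state = @{ Errors = [System.Net.Security.SslPolicyErrors]::None }
    # Record the validation result instead of aborting the handshake,
    # so the report can say why a certificate is not acceptable.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] ({
        param($source, $cert, $chain, $policyErrors)
        $state.Errors = $policyErrors
        return $true
    }.GetNewClosure())

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Server, $Port)          # throws if the port is closed or filtered
        $stream = $tcp.GetStream()
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $callback
        try {
            $ssl.AuthenticateAsClient($Server)
            $x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
            $daysLeft = [int][math]::Floor(($x509.NotAfter - (Get-Date)).TotalDays)
            [pscustomobject]@{
                Server       = $Server
                Port         = $Port
                Subject      = $x509.Subject
                Issuer       = $x509.Issuer
                NotAfter     = $x509.NotAfter
                DaysLeft     = $daysLeft
                PolicyErrors = $state.Errors   # None, RemoteCertificateNameMismatch, RemoteCertificateChainErrors, ...
                Trusted      = ($state.Errors -eq [System.Net.Security.SslPolicyErrors]::None)
                ExpiresSoon  = ($daysLeft -lt $WarnDays)
            }
        } finally { $ssl.Dispose() }
    } finally { $tcp.Close() }
}

# Placeholder host name; replace with your authentication server.
Test-LdapsCertificate -Server 'dc01.example.local' -Port 636
```

A result with Trusted set to False, or with ExpiresSoon set to True, is worth resolving with the administrators of the authentication server before switching the Authentication Method to LDAP SSL.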

Further Information

Changing the Cache Password Expiry for Windows User Authentication

Disable Windows User Authentication

Original WebX Security Settings, Connection Settings and Preferences


ClearSCADA 2015 R2