Change the Cached Password Expiry Associated with External Authentication
The Cached Password Expiry setting is designed to help you avoid slight delays when logging on. These delays can occur with External Authentication because the log on details in ClearSCADA have to be compared to the corresponding Windows or LDAP User Profile. This verification requires ClearSCADA to communicate with the Windows server or the LDAP (Lightweight Directory Access Protocol) server, which is also called a 'Directory System Agent' (DSA). Depending on the speed of your network connections and the PCs being used, this can cause a short delay, as ClearSCADA has to negotiate encryption and the Windows/LDAP server has to check whether the user details and password match those of the corresponding User Profile in Windows/LDAP. Typically, such delays are a matter of milliseconds.
With External Authentication, every connection from a client (such as ViewX) to ClearSCADA has to be verified with the Windows/LDAP server. Communicating with the Windows/LDAP Server for every connection can introduce unnecessary delays, so to avoid these delays, ClearSCADA uses a cache.
Any changes that are made to a user account are only applied within ClearSCADA after the Cached Password Expiry time has elapsed.
For added security, the verified user details and password are only stored in the cache for a set amount of time, defined by the Cached Password Expiry setting. If ClearSCADA only used the cached details until the user logged off, any changes to the user account would not be applied until the user logged off. For example, if an IT administrator wanted to disable a user account through Windows/LDAP, and that user was already logged on, the account would not be disabled until the user logged off. The Cached Password Expiry feature means ClearSCADA can avoid this situation by clearing the cache at regular intervals.
By default, the Cached Password Expiry is 150 seconds. You may have to increase this amount if you are experiencing small delays when logging on or displaying Mimics, Lists, and so on. However, if you do increase the Cached Password Expiry time, be aware that any changes to user accounts will not take effect until after the expiry time has elapsed.
If the user account changes you make in Windows/LDAP are taking too long to be applied to the corresponding ClearSCADA user accounts, you may need to reduce the Cached Password Expiry time.
To change the Cached Password Expiry time:
- Display the Server Configuration Tool and log on if required.
- Expand the System Configuration branch.
- Select the External Authentication entry.
- In the Cached Password Expiry field, enter the required number of seconds. The default amount is 150.
- You can extend the Cached Password Expiry time if the connection to the Windows/LDAP server fails. To do this, enter a value in the Connection Failure Cached Password Expiry field that is at least as much as the Cached Password Expiry value. For example, if the Cached Password Expiry value is 150 seconds, enter a value of 150 seconds or higher. To disable this feature, enter a value of 0 seconds in the Connection Failure Cached Password Expiry field. The default value is 0 seconds. (If the feature is disabled, users will only be able to log on to ClearSCADA via ViewX or WebX when ClearSCADA is able to establish a valid connection to the Windows/LDAP server and establish that the user's credentials are valid.)
- Apply the changes to the server.
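The trade-off behind these two settings, shown as a simplified model added here (it is not ClearSCADA code): a disabled account keeps working until its cache entry expires, and the connection-failure window decides whether cached users can still log on while the directory is unreachable. `FakeDirectory`, `CachedAuthenticator`, the salted digest kept in the cache and the explicit `now` argument (seconds) are assumptions of the model.

```python
import hashlib, hmac, os

class DirectoryDown(Exception):
    """Raised by the stand-in directory when it cannot be reached."""

class FakeDirectory:
    """Constructed stand-in for the Windows/LDAP server."""
    def __init__(self):
        self.accounts = {}       # user -> (password, enabled)
        self.reachable = True
    def verify(self, user, password):
        if not self.reachable:
            raise DirectoryDown()
        pw, enabled = self.accounts.get(user, (None, False))
        return enabled and pw == password

class CachedAuthenticator:
    """Hypothetical model of a verification cache with two expiry windows."""
    def __init__(self, directory, expiry=150, failure_expiry=0):
        # Rule from the page: 0 disables the feature, otherwise >= expiry.
        if failure_expiry and failure_expiry < expiry:
            raise ValueError("failure_expiry must be 0 or >= expiry")
        self.dir, self.expiry, self.failure_expiry = directory, expiry, failure_expiry
        self.salt = os.urandom(16)
        self.cache = {}          # user -> (password digest, time verified)

    def _digest(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 10_000)

    def authenticate(self, user, password, now):
        entry = self.cache.get(user)
        age = now - entry[1] if entry else None
        match = entry is not None and hmac.compare_digest(entry[0], self._digest(password))
        if match and age < self.expiry:
            return True          # served from cache, directory not consulted
        try:
            ok = self.dir.verify(user, password)
        except DirectoryDown:
            # Directory unreachable: honour the cache only inside the longer window.
            return bool(match and self.failure_expiry and age < self.failure_expiry)
        if ok:
            self.cache[user] = (self._digest(password), now)
        else:
            self.cache.pop(user, None)   # disabled or changed: drop the entry
        return ok
```

With the default 150 seconds, an account disabled in Windows/LDAP can still open new connections for up to 150 seconds after its last verification; with a non-zero connection-failure value, that exposure grows to the larger window whenever the directory is unreachable.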