Change the Cached Password Expiry Associated with External Authentication

The Cached Password Expiry setting is designed to help you avoid slight delays when logging on. These delays can occur with External Authentication because the logon details entered in Geo SCADA Expert have to be compared with the corresponding Windows or LDAP User Profile. This verification requires Geo SCADA Expert to communicate with the Windows server or the LDAP (Lightweight Directory Access Protocol) server; an LDAP server is also called a 'Directory System Agent' (DSA). Depending on the speed of your network connections and the PCs being used, this can cause a short delay, because Geo SCADA Expert has to negotiate encryption and the Windows/LDAP server has to check whether the user details and password match those of the corresponding User Profile in Windows/LDAP. Typically, such delays are a matter of milliseconds.

With External Authentication, every connection from a client (such as ViewX) to Geo SCADA Expert has to be verified with the Windows/LDAP server. Communicating with the Windows/LDAP Server for every connection can introduce unnecessary delays, so to avoid these delays, Geo SCADA Expert uses a cache.

Any changes that are made to a user account are only applied within Geo SCADA Expert after the Cached Password Expiry time has elapsed.

For added security, the verified user details and password are only stored in the cache for a set amount of time, defined by the Cached Password Expiry setting. If Geo SCADA Expert only used the cached details until the user logged off, any changes to the user account would not be applied until the user logged off. For example, if an IT administrator wanted to disable a user account through Windows/LDAP, and that user was already logged on, the account would not be disabled until the user logged off. The Cached Password Expiry feature means Geo SCADA Expert can avoid this situation by clearing the cache at regular intervals.

By default, the Cached Password Expiry is 150 seconds. You may have to increase this amount if you are experiencing small delays when logging on or displaying Mimics, Lists, and so on. However, if you do increase the Cached Password Expiry time, be aware that any changes to user accounts will not take effect until after the expiry time has elapsed.

If the user account changes you make in Windows/LDAP are taking too long to be applied to the corresponding Geo SCADA Expert user accounts, you may need to reduce the Cached Password Expiry time.

To change the Cached Password Expiry time:

  1. Access the Geo SCADA Expert Server Configuration Tool.
  2. Expand the System Configuration branch.
  3. Select the External Authentication entry.
  4. In the Cached Password Expiry field, enter the required number of seconds. The default amount is 150.

  5. You can configure the server to extend the Cached Password Expiry time if the connection to the Windows/LDAP server fails. To do this, enter a value in the Connection Failure Cached Password Expiry field that is at least as much as the Cached Password Expiry value. For example, if the Cached Password Expiry value is 150 seconds, enter a value of 150 seconds or higher. To disable this feature, enter a value of 0 seconds in the Connection Failure Cached Password Expiry field. The default value is 0 seconds. (If the feature is disabled, users will only be able to log on to Geo SCADA Expert via ViewX or Virtual ViewX when Geo SCADA Expert is able to establish a valid connection to the Windows/LDAP server and establish that the user's credentials are valid.)

    If the Cached Password Expiry time expires and the LDAP server cannot be contacted, then the Connection Failure Cached Password Expiry time is used.

    Assume the following scenario:

    • The Cached Password Expiry time is set to 150 seconds.
    • The Connection Failure Cached Password Expiry time is set to 300 seconds.
    • The user logged on 200 seconds ago.
    • A new client connection has been made that requires authentication.
    • The LDAP server cannot be contacted.

    The Cached Password Expiry time has expired so a connection is attempted to the LDAP server, but this connection fails. The user's credentials remain in the cache and are used for another 100 seconds until the Connection Failure Cached Password Expiry time (300 seconds) has expired. At that point authentication with the LDAP server is required and further logon attempts for new connections by that user will fail if the server continues to be unreachable.

  6. Apply the changes to the server.
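
The scenario in step 5, worked through as an added example (not Geo SCADA Expert code): a Python model of the cache decision as this page describes it, plus the longest time a disabled account's cached credentials stay usable. The function and parameter names are hypothetical; measuring the cache age from the last successful verification and treating the expiry boundaries as exclusive are assumptions.

```python
from enum import Enum

class Outcome(Enum):
    CACHE_HIT = "within Cached Password Expiry: cache used, directory not contacted"
    REVERIFIED = "directory contacted, credentials accepted"
    DENIED = "directory contacted, credentials rejected (e.g. account disabled)"
    STALE_CACHE = "directory unreachable: cache used under Connection Failure expiry"
    FAILED = "directory unreachable: logon for the new connection fails"

def settings_valid(cached_expiry, failure_expiry):
    # Step 5: the failure value is 0 (feature disabled) or >= Cached Password Expiry.
    return failure_expiry == 0 or failure_expiry >= cached_expiry

def authenticate(age, cached_expiry, failure_expiry, reachable, directory_accepts=True):
    """Model of how a new client connection is authenticated.

    age is seconds since the cached credentials were verified (assumed reference
    point); expiry boundaries are treated as exclusive (assumption).
    """
    if not settings_valid(cached_expiry, failure_expiry):
        raise ValueError("Connection Failure expiry must be 0 or >= Cached Password Expiry")
    if age < cached_expiry:
        return Outcome.CACHE_HIT
    if reachable:
        return Outcome.REVERIFIED if directory_accepts else Outcome.DENIED
    if failure_expiry and age < failure_expiry:
        return Outcome.STALE_CACHE
    return Outcome.FAILED

def revocation_window(cached_expiry, failure_expiry, reachable):
    """Longest time (seconds) a disabled account's cached credentials stay usable."""
    if reachable or failure_expiry == 0:
        return cached_expiry
    return failure_expiry

if __name__ == "__main__":
    # The page's scenario: 150 s / 300 s, logged on 200 s ago, LDAP unreachable.
    for age in (100, 200, 299, 300):
        print(age, authenticate(age, 150, 300, reachable=False).value)
    # Same outage with the feature disabled (0): the logon fails once 150 s pass.
    print(200, authenticate(200, 150, 0, reachable=False).value)
    # Exposure to a disabled account, directory up vs. down.
    print(revocation_window(150, 300, True), revocation_window(150, 300, False))
```

In this model, a larger Connection Failure Cached Password Expiry keeps users logged on through a directory outage, at the cost of a longer period in which an account disabled in Windows/LDAP is still accepted.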

Further Information

Configuring Security and Connection Settings for Original WebX Clients.


Geo SCADA Expert 2022