Using External Authentication with Geo SCADA Expert

Geo SCADA Expert provides an External Authentication feature. With External Authentication, you associate Geo SCADA Expert user accounts with Microsoft Windows or LDAP (Lightweight Directory Access Protocol) user accounts. When a Geo SCADA Expert user account is configured to use External Authentication, the credentials entered at logon are verified against the associated Windows or LDAP user profile rather than against a password held in Geo SCADA Expert: the password must match the password of that Windows or LDAP profile, and the user name must be either the Geo SCADA Expert user name or the Windows/LDAP user name configured for that account. When enabled and set up, External Authentication enables you to:

The main benefit of using External Authentication is that it reduces the time and effort IT staff spend managing access via Geo SCADA Expert user accounts: password-related settings are managed through Windows/LDAP rather than in Geo SCADA Expert, and disabling a Windows/LDAP user also disables the corresponding Geo SCADA Expert user. The cost is a small delay (milliseconds) on connections and in Geo SCADA Expert user account response times while credentials are checked against the directory.

If a user logs on via a Geo SCADA Expert user account that is not configured to use External Authentication, only the user name and password held in Geo SCADA Expert are checked; the Windows/LDAP server is not consulted for that account.

By default, External Authentication is disabled. If you want to use External Authentication, you have to:

  1. Access the Geo SCADA Expert Server Configuration Tool.
  2. Expand the System Configuration branch.
  3. Select the External Authentication entry to display the External Authentication section.
  4. Enable External Authentication by selecting the Enabled check box.

    When you enable the External Authentication feature, user accounts in Geo SCADA Expert can be associated with corresponding user profiles in Microsoft Windows/LDAP. You specify this per user account (see Define whether a User is Associated with a Windows or LDAP User Profile). This association means that you can disable Geo SCADA Expert users by disabling the Windows/LDAP users, and that you can use Windows/LDAP to manage the passwords of Geo SCADA Expert users.

  5. Choose the required Authentication Method:
    • LogonUser—For systems where the Geo SCADA Expert server authenticates logon details with a Windows server. The Geo SCADA Expert server must be a member of the Windows domain named in the Windows Domain Name/LDAP Server field (see below), or of a domain that trusts it.

      With the LogonUser option, Windows caches the log on details. As a result, the logging on process can be quicker than with LDAP and LDAP SSL authentication methods.

    • LDAP—The LDAP (Lightweight Directory Access Protocol) authentication method allows Geo SCADA Expert to authenticate log on details with any server that supports LDAP. This means that servers using non-Windows operating systems, such as Linux, can be used for authentication.

      With LDAP, the authentication server can be on a different network domain from the Geo SCADA Expert server. When a logon takes place, the password is encrypted for transmission, but the user name is not. If the connection between the two servers crosses a network you do not fully trust, prefer LDAP SSL; in either case it is worth confirming with a packet capture of the LDAP port during a test logon that no clear-text password appears on the wire.

      If you choose LDAP as the Authentication Method, you need to define the LDAP Port (see below).

    • LDAP SSL—LDAP SSL is a more secure version of LDAP, as the whole session is encrypted, so both the user name and the password are protected in transit. However, LDAP SSL requires the authentication server to present a valid LDAP SSL certificate: typically one issued by a certificate authority that the Geo SCADA Expert server trusts, within its validity period, and matching the server name you enter in the Windows Domain Name/LDAP Server field. A certificate the Geo SCADA Expert server does not trust will cause externally authenticated logons to fail rather than fall back to unencrypted LDAP.

      If you choose LDAP SSL as the Authentication Method, you need to define the LDAP Port (see below).

  6. If the Authentication Method is set to LogonUser, you need to specify the required Logon Type. The Logon Type determines which Windows user right the users need on the Geo SCADA Expert server (granted via Active Directory Group Policy or local security policy) for their accounts to use the External Authentication feature. Choose the option that matches the rights your users actually hold:
    • Interactive—Select this option if the users are permitted to perform interactive logons on the Geo SCADA Expert server (the 'Allow log on locally' right). This is the less secure option: it is generally considered good security practice to prevent users from performing interactive logons on servers where possible.
    • Batch—Select this option if users are not permitted to perform interactive logons on the Geo SCADA Expert server. This option requires users to hold the 'Log on as a batch job' user right on that server (shown under User Rights Assignment in Group Policy Management). This is considered the more secure option, as users require reduced access rights on the Geo SCADA Expert server.
  7. In the Windows Domain Name/LDAP Server field, enter the name of the Windows domain whose domain controllers hold your Windows user profiles and passwords. This is the domain to which Geo SCADA Expert connects when verifying logon details against the Windows user profiles, so the Geo SCADA Expert server needs a working network connection to a domain controller for that domain. The External Authentication feature can only authenticate Active Directory user accounts in trusted Windows domains.

    If you have chosen LDAP or LDAP SSL as the Authentication Method, enter the name of the LDAP server (also called a 'Directory System Agent' (DSA)) that stores the User names and passwords. This is the LDAP server to which Geo SCADA Expert will connect when verifying the log on details against the LDAP User Profiles. For this reason, the Geo SCADA Expert server needs a valid network connection to that LDAP server.

    If Geo SCADA Expert is unable to connect to the Windows/LDAP server when it attempts to verify a user's credentials, that user will still be able to log on to Geo SCADA Expert provided that both of the following are true:

    • They log on within the Cached Password Expiry time (see below) of their last successful verification.
    • They enter the user name and password of a valid user account that exists (and is enabled) in the Geo SCADA Expert database.
  8. If you have chosen LDAP or LDAP SSL as the Authentication Method, you need to define the LDAP Port. This is the TCP port on which the LDAP authentication server accepts connections from the Geo SCADA Expert server.

    By default, Geo SCADA Expert uses the standard LDAP port (389), which is appropriate for many systems. You can change the port if required. LDAP over SSL conventionally uses port 636, so check that the value matches your server's configuration when you select LDAP SSL.

    If you are unsure which port is being used, contact your IT department or the administrators responsible for the authentication server; they will have specified a port when they set the server up.

  9. Leave the default setting of 150 seconds in place in the Cached Password Expiry field. You only need to adjust this setting if there are delays when logging on to your system (see Change the Cached Password Expiry Associated with External Authentication). Bear in mind that this value also bounds how long a user can continue to log on with cached credentials while the Windows/LDAP server is unreachable (see step 7), so a longer expiry lengthens that window.
  10. By default, a user can only log on to Geo SCADA Expert using a valid Geo SCADA Expert user account. When used in conjunction with External Authentication, the Windows or LDAP user account that is associated with the Geo SCADA Expert user account will be used for the authentication process.
    • Clear the Allow Login to Geo SCADA Expert with Windows/LDAP User Names check box to retain the default settings. Users will only be able to log on to Geo SCADA Expert with valid Geo SCADA Expert user accounts.

      If the Use External Authentication option is selected on the User Form in Geo SCADA Expert, the user is authenticated against Active Directory/LDAP using their Geo SCADA Expert user name and the password they enter. If a Windows/LDAP user name is configured for the user account, that name is used instead of the Geo SCADA Expert user name for the external authentication.

      (If a user attempts to log onto Geo SCADA Expert using their Windows/LDAP username and this differs from the corresponding Geo SCADA Expert username, the logon attempt will fail.)

    • Select the Allow Login to Geo SCADA Expert with Windows/LDAP User Names check box to enable users to log on to Geo SCADA Expert using the Windows/LDAP user name that is associated with their Geo SCADA Expert user account. This is useful if, for example, you want users to log on with their more familiar Windows/LDAP accounts but those user names include characters that are invalid in Geo SCADA Expert user names (see Naming Restrictions). With this option selected, users can log on using those Windows/LDAP user names as an alternative to their Geo SCADA Expert user names.

      (If the Windows/LDAP usernames are identical to the corresponding Geo SCADA Expert usernames, this option will have no effect.)

      Regardless of the setting of this check box, for user accounts that are to use External Authentication, a Windows/LDAP user name has to be configured on each Geo SCADA Expert user account whose Windows/LDAP user name differs from its Geo SCADA Expert user name (see Define whether a User is Associated with a Windows or LDAP User Profile). This is the case, for example, if the Windows/LDAP accounts follow a naming convention that includes characters not supported in Geo SCADA Expert user names (see Naming Restrictions).

  11. Select the Create Users Automatically from Group Membership check box if system administrators are to manage Geo SCADA Expert user accounts centrally in Active Directory/LDAP. If a new user attempts to log on to Geo SCADA Expert via ViewX or Virtual ViewX, Geo SCADA Expert will attempt to locate a Windows domain (Active Directory) user or LDAP user with the user credentials that have been entered. If such a user exists in Active Directory/LDAP but not in Geo SCADA Expert, a new user account will be added to Geo SCADA Expert automatically, to correspond with the Active Directory/LDAP user account. The use of User Pattern and other related configuration is required in Geo SCADA Expert to enable such integration - see Integrate Geo SCADA Expert User Accounts with Active Directory or LDAP User Accounts.

    Clear the check box if Geo SCADA Expert is to use other aspects of External Authentication, but system administrators are to create user accounts in Geo SCADA Expert manually, rather than integrate the creation of such accounts with Active Directory/LDAP.

  12. If you have selected the Allow Login to Geo SCADA Expert with Windows/LDAP User Names check box and user accounts are created automatically (step 11), enter the Database username prefix for automatically created users. This prefix is added to the start of the name of every Geo SCADA Expert user account that is created automatically in the database as part of the External Authentication feature. It enables Geo SCADA Expert user accounts to be created for users whose Windows/LDAP user names consist purely of numerical digits. (By design, the name of a Geo SCADA Expert user account cannot consist only of numerical digits.)

    Example:

    A Geo SCADA Expert system is set up to use External Authentication. As part of this feature, Geo SCADA Expert is configured to Allow login to Geo SCADA Expert with Windows/LDAP user names and Create users automatically from group membership.

    The value of the Database username prefix for automatically created users field is specified as: AB. A user logs on with username 123456. This triggers Geo SCADA Expert to automatically create a User Account named AB123456 in the database.

    In the case of the above username, if the username prefix was not configured then the login would fail because the name of a Geo SCADA Expert User Account cannot contain only numerical digits. The Windows/LDAP User Name field for the AB123456 User Account is set to 123456 so that the user can log on without using the prefix themselves.
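    The account matching that steps 10 to 12 describe, written out as an added example in Python; this is not code from Geo SCADA Expert or from this page. The Account and Settings classes, the account store and the directory lookup callable are constructed stand-ins, and the only naming restriction modelled is the digits-only rule quoted above.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Account:
    """A Geo SCADA Expert user account (constructed stand-in for the database record)."""
    name: str                           # Geo SCADA Expert user name
    external_auth: bool = True          # 'Use External Authentication' on the User Form
    windows_name: Optional[str] = None  # 'Windows/LDAP User Name', set when it differs


@dataclass
class Settings:
    """The three server-side settings from steps 10 to 12."""
    allow_windows_names: bool = False         # Allow Login ... with Windows/LDAP User Names
    create_users_automatically: bool = False  # Create Users Automatically from Group Membership
    username_prefix: str = ""                 # Database username prefix for automatically created users


def valid_database_name(name: str) -> bool:
    # Only the restriction quoted on the page is modelled: a user name cannot
    # consist solely of digits. Other naming restrictions are not reproduced.
    return bool(name) and not name.isdigit()


def resolve_account(entered: str, accounts: Dict[str, Account], settings: Settings,
                    directory_has_user: Callable[[str], bool]) -> Optional[Account]:
    """Map the user name typed at logon to a Geo SCADA Expert account.

    Returns the matching (or newly created) Account, or None when the logon
    must fail. `directory_has_user` stands in for the Active Directory/LDAP lookup.
    """
    # 1. The entered name is a Geo SCADA Expert user name: always accepted.
    if entered in accounts:
        return accounts[entered]

    # 2. With the option enabled, the Windows/LDAP name configured on an
    #    externally authenticated account is accepted as an alternative.
    if settings.allow_windows_names:
        for acct in accounts.values():
            if acct.external_auth and acct.windows_name == entered:
                return acct

    # 3. Otherwise, create the account from the directory if so configured.
    if settings.create_users_automatically and directory_has_user(entered):
        db_name = settings.username_prefix + entered
        if not valid_database_name(db_name):
            return None  # e.g. '123456' with no prefix: the name is not allowed
        # Record the Windows/LDAP name when it differs, so the user can keep
        # logging on without typing the prefix (needs allow_windows_names).
        acct = Account(name=db_name, windows_name=entered if db_name != entered else None)
        accounts[db_name] = acct
        return acct

    # 4. No match and no automatic creation: the logon fails.
    return None


if __name__ == "__main__":
    store: Dict[str, Account] = {}
    cfg = Settings(allow_windows_names=True, create_users_automatically=True, username_prefix="AB")
    print(resolve_account("123456", store, cfg, lambda n: n == "123456"))
```

    Walking the page's example through this model: with the prefix "AB", logging on as 123456 creates AB123456 with a Windows/LDAP user name of 123456; a second logon as 123456 is then matched through step 2, which is why the Allow Login check box has to be on for the user to avoid typing the prefix. With no prefix the same logon returns None, because the created name would be all digits.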

  13. If you have chosen LDAP or LDAP SSL as the Authentication Method, enter the LDAP user base search path. This is the Distinguished Name (DN) of the entry beneath which the users are held. An LDAP DN is written as a sequence of CN (Common Name), OU (Organizational Unit) and DC (Domain Component) components, most specific first.

    The user can be anywhere in the subtree starting at this object. For example, specifying CN=Users,DC=dc,DC=example,DC=com allows users to be found in CN=Site1,CN=Users,DC=dc,DC=example,DC=com.

    If a path that does not exist in the directory is entered, externally authenticated users are prevented from logging on.

    Note that this path is used only for the group membership lookup, not for authentication itself. If a user authenticates successfully but is not found beneath the entered path, they log on with no group memberships derived from the directory.

  14. If you have chosen LDAP or LDAP SSL as the Authentication Method, enter the LDAP group base search path. This is the Distinguished Name (DN) of an entry containing groups. As with the LDAP user base search path, the groups can be anywhere in the subtree starting at this object. Only groups found within this subtree are used for matching against User Groups in Geo SCADA Expert.

    Example:

    If you have the following tree:

    • Users
      • User1 (member of: Development.Group1, Development.Group2, Test.Group1)
    • Development
      • Group1
      • Group2
      • Group3
    • Test
      • Group1 (member of: Development.Group3)

    If you specify Development as the group search base then the groups returned for User1 will be Development.Group1 and Development.Group2.

    Test.Group1 lies outside the group search base, so Geo SCADA Expert discards that membership and does not follow the chain further. Development.Group3 is therefore not discovered, even though it is in the designated part of the tree, because finding it would require Geo SCADA Expert to query an object (Test.Group1) outside that part of the tree.
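    The subtree rule from step 13 and the group walk from step 14, as an added example in Python that is not Geo SCADA Expert code. The directory below is a constructed in-memory stand-in for the LDAP server so that it runs offline; it reproduces the page's example tree, but the DN layout (CN=Users under DC=dc,DC=example,DC=com for users, OUs for Development and Test) and the attribute names are assumptions.

```python
from typing import Dict, List, Optional, Set


def dn_components(dn: str) -> List[str]:
    # Split a DN into its RDNs, most specific first, normalising case and spaces.
    # Good enough for the constructed data; a real DN parser must handle escaping.
    return [part.strip().lower() for part in dn.split(",")]


def is_under(dn: str, base: str) -> bool:
    """True if `dn` is `base` itself or lies anywhere in the subtree below it."""
    d, b = dn_components(dn), dn_components(base)
    return len(d) >= len(b) and d[-len(b):] == b


# Constructed directory: DN -> attributes. Mirrors the tree in the page's example.
DIRECTORY: Dict[str, Dict[str, object]] = {
    "DC=dc,DC=example,DC=com": {},
    "CN=Users,DC=dc,DC=example,DC=com": {},
    "CN=Site1,CN=Users,DC=dc,DC=example,DC=com": {},
    "CN=User1,CN=Site1,CN=Users,DC=dc,DC=example,DC=com": {
        "sAMAccountName": "User1",
        "memberOf": [
            "CN=Group1,OU=Development,DC=dc,DC=example,DC=com",
            "CN=Group2,OU=Development,DC=dc,DC=example,DC=com",
            "CN=Group1,OU=Test,DC=dc,DC=example,DC=com",
        ],
    },
    "OU=Development,DC=dc,DC=example,DC=com": {},
    "CN=Group1,OU=Development,DC=dc,DC=example,DC=com": {"memberOf": []},
    "CN=Group2,OU=Development,DC=dc,DC=example,DC=com": {"memberOf": []},
    "CN=Group3,OU=Development,DC=dc,DC=example,DC=com": {"memberOf": []},
    "OU=Test,DC=dc,DC=example,DC=com": {},
    "CN=Group1,OU=Test,DC=dc,DC=example,DC=com": {
        "memberOf": ["CN=Group3,OU=Development,DC=dc,DC=example,DC=com"],
    },
}


def base_is_valid(directory: Dict[str, Dict[str, object]], base: str) -> bool:
    """An invalid search base (no such entry) prevents externally authenticated logons."""
    return base in directory


def find_user(directory: Dict[str, Dict[str, object]], account_name: str,
              user_base: str) -> Optional[str]:
    """Subtree search for the user below `user_base`; None if not beneath it."""
    if not base_is_valid(directory, user_base):
        raise LookupError(f"invalid LDAP user base search path: {user_base}")
    for dn, attrs in directory.items():
        name = str(attrs.get("sAMAccountName", ""))
        if is_under(dn, user_base) and name.lower() == account_name.lower():
            return dn
    return None


def resolve_groups(directory: Dict[str, Dict[str, object]], user_dn: str,
                   group_base: str) -> Set[str]:
    """Transitive memberOf walk that never queries an object outside `group_base`."""
    found: Set[str] = set()
    seen: Set[str] = set()
    queue = list(directory[user_dn].get("memberOf", []))  # type: ignore[arg-type]
    while queue:
        dn = queue.pop()
        if dn in seen:
            continue
        seen.add(dn)
        if not is_under(dn, group_base):
            # Outside the designated subtree: the membership is discarded and the
            # chain is not followed, so nested groups reachable only through it
            # (Development.Group3 via Test.Group1) are never discovered.
            continue
        found.add(dn)
        queue.extend(directory.get(dn, {}).get("memberOf", []))  # type: ignore[arg-type]
    return found


def groups_for_login(directory: Dict[str, Dict[str, object]], account_name: str,
                     user_base: str, group_base: str) -> Set[str]:
    """Groups Geo SCADA Expert would see for this user: none if not under the user base."""
    user_dn = find_user(directory, account_name, user_base)
    return set() if user_dn is None else resolve_groups(directory, user_dn, group_base)


if __name__ == "__main__":
    print(sorted(groups_for_login(DIRECTORY, "User1", "CN=Users,DC=dc,DC=example,DC=com",
                                  "OU=Development,DC=dc,DC=example,DC=com")))
```

    With the group base set to OU=Development the walk returns Development.Group1 and Development.Group2 only; widening it to DC=dc,DC=example,DC=com returns all four groups, because Test.Group1 is then inside the base and its chain to Development.Group3 is followed. A valid user base that does not contain the user yields an empty set rather than an error, which matches the note in step 13.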

  15. If the Authentication Method is set to LDAP or LDAP SSL, use the LDAP protocol version field to set the version of the LDAP protocol used when authenticating users with the LDAP server. The default is 3.

    Select version 2 only if you are using older LDAP server software that does not support LDAP protocol version 3. LDAPv2 has been retired (RFC 3494) and lacks LDAPv3 features such as SASL authentication and referrals, so treat it as a compatibility fallback rather than a normal choice.

  16. Apply the changes to the server.
  17. To authenticate Geo SCADA Expert user accounts against those in Windows/LDAP, you need to configure the Geo SCADA Expert user accounts to use the Use External Authentication feature. For more information, see Define whether a User is Associated with a Windows or LDAP User Profile. You can also associate Geo SCADA Expert User Groups with Windows domain groups or LDAP user groups. If you do this, Geo SCADA Expert checks the user's group membership against that in Windows/LDAP whenever the user logs on to Geo SCADA Expert, and automatically updates their Geo SCADA Expert User Group membership accordingly. For more information, see Associate a Geo SCADA Expert User Group with a Windows Domain Group or LDAP User Group.

    If you opted to Create Users Automatically from Group Membership, you also need to set up suitable User Patterns and other related configuration to enable Geo SCADA Expert user accounts to be created and maintained centrally using Active Directory/LDAP user profiles (see Provide Settings for Automatic User Creation, and see Create User Accounts from a User Pattern).

When you have enabled the External Authentication feature and defined the required settings, the External Authentication process is ready to use. The feature is applied to every Geo SCADA Expert user account that is configured to use External Authentication.
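The cached-credential behaviour described in steps 7 and 9, as an added example in Python that is not Geo SCADA Expert code: a directory check that succeeds is cached for the Cached Password Expiry period, a later logon within that period is served from the cache without contacting the directory (which is also what bridges a directory outage), and once the entry expires the directory has to answer again. The directory stand-in, the clock, the PBKDF2 digest and the cache layout are all assumptions; the page does not document how the product stores the cached credential.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Tuple


class DirectoryUnavailable(Exception):
    """Raised by the directory stand-in when the Windows/LDAP server cannot be reached."""


class Authenticator:
    def __init__(self, directory_check: Callable[[str, str], bool],
                 clock: Callable[[], float], cached_password_expiry: float = 150.0):
        self.directory_check = directory_check   # (user, password) -> bool, may raise DirectoryUnavailable
        self.clock = clock                        # () -> seconds; injectable so the example runs offline
        self.expiry = cached_password_expiry      # the Cached Password Expiry field, default 150 s
        self.cache: Dict[str, Tuple[bytes, bytes, float]] = {}  # user -> (salt, digest, checked_at)
        self.accounts: Dict[str, bool] = {}       # user -> enabled flag in the Geo SCADA Expert database

    @staticmethod
    def _digest(salt: bytes, password: str) -> bytes:
        # A salted slow hash, so the cache never holds the clear-text password (assumption).
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _cache_hit(self, user: str, password: str) -> bool:
        entry = self.cache.get(user)
        if entry is None:
            return False
        salt, digest, checked_at = entry
        if self.clock() - checked_at > self.expiry:
            del self.cache[user]                  # expired: the directory must be consulted again
            return False
        return hmac.compare_digest(digest, self._digest(salt, password))

    def logon(self, user: str, password: str) -> bool:
        """True if the logon is accepted."""
        if not self.accounts.get(user, False):    # must exist and be enabled in the database
            return False
        if self._cache_hit(user, password):       # within expiry: no round trip to the directory
            return True
        try:
            ok = self.directory_check(user, password)
        except DirectoryUnavailable:
            return False                          # no live cache entry and no directory: refused
        if ok:
            salt = os.urandom(16)
            self.cache[user] = (salt, self._digest(salt, password), self.clock())
        return ok


def scenario() -> Dict[str, bool]:
    """Walk the cache through its lifecycle with a scripted clock and directory."""
    now = [0.0]
    reachable = [True]

    def directory_check(user: str, password: str) -> bool:
        if not reachable[0]:
            raise DirectoryUnavailable()
        return (user, password) == ("alice", "correct horse")   # constructed credentials

    auth = Authenticator(directory_check, lambda: now[0], cached_password_expiry=150.0)
    auth.accounts = {"alice": True, "bob": False}                 # bob is disabled in the database
    out: Dict[str, bool] = {}
    out["first_logon"] = auth.logon("alice", "correct horse")      # directory answers, result cached
    reachable[0] = False                                           # directory outage begins
    now[0] = 100.0
    out["outage_within_expiry"] = auth.logon("alice", "correct horse")  # served from the cache
    out["outage_wrong_password"] = auth.logon("alice", "wrong")         # cache does not match
    out["outage_disabled_user"] = auth.logon("bob", "anything")         # disabled in the database
    now[0] = 300.0
    out["outage_after_expiry"] = auth.logon("alice", "correct horse")   # expired, directory down
    reachable[0] = True
    out["directory_back"] = auth.logon("alice", "correct horse")        # re-verified and re-cached
    return out


if __name__ == "__main__":
    for step, accepted in scenario().items():
        print(f"{step:24s} {'accepted' if accepted else 'refused'}")
```

In this model the expiry bounds two things at once: how long an outage can be bridged, and how long a password that has since been changed or an account that has since been disabled in the directory is still accepted, because only the Geo SCADA Expert enabled flag is rechecked on a cache hit. That is the reason step 9 advises leaving the default in place unless logon delays force a change.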

Further Information

Configuring Security and Connection Settings for Original WebX Clients.



Geo SCADA Expert 2022