Using External Authentication with ClearSCADA

ClearSCADA provides you with an External Authentication feature. By using the External Authentication feature, you can associate ClearSCADA user accounts with Microsoft Windows or LDAP (Lightweight Directory Access Protocol) user accounts. When ClearSCADA user accounts are configured to use External Authentication, they are verified against the corresponding Windows or LDAP User Profile. Each ClearSCADA user account and password, when entered, should match that of the Windows or LDAP User Profile with which the credentials are associated. When enabled and set up, External Authentication enables you to:

The main benefit of using External Authentication is that it can reduce the amount of time and effort it takes for IT staff to restrict access via ClearSCADA user accounts. It also means they can manage password related settings through Windows/LDAP rather than ClearSCADA. However, using External Authentication can cause minor delays (milliseconds) with connections and ClearSCADA user account response times.

The External Authentication feature is only supported on ViewX clients that use a Secure Connection to communicate with the server (see Define Whether the ViewX Client Uses a Secure Connection).

If a user attempts to log on via a ClearSCADA user account that is not configured to use External Authentication, they only need to enter a user name and password that is valid in ClearSCADA.

By default, External Authentication is disabled. If you want to use External Authentication, you have to:

  1. Display the Server Configuration Tool and log on if required.
  2. Expand the System Configuration branch.
  3. Select the External Authentication entry to display the External Authentication section.
  4. Enable External Authentication by selecting the Enabled check box.

    When you enable the External Authentication feature, the user accounts in ClearSCADA can be associated with corresponding user profiles in Microsoft Windows/LDAP. You specify this per user account (see Define whether a User is Associated with a Windows or LDAP User Profile). This association means that you can disable ClearSCADA users by disabling Windows/LDAP users, and you can use Windows/LDAP to manage the passwords of ClearSCADA users.

  5. Choose the required Authentication Method:
    • LogonUser—For systems where the ClearSCADA server authenticates log on details with a Windows server. The ClearSCADA server and Windows authentication server have to be on the same network domain, or the server has to be in a trusted domain of the Windows Domain. (The Windows Domain is defined in the Windows Domain Name/LDAP Server field, below).

      With the LogonUser option, Windows caches the log on details. As a result, the logging on process can be quicker than with the LDAP and LDAP SSL authentication methods.

    • LDAP—The LDAP (Lightweight Directory Access Protocol) authentication method allows ClearSCADA to authenticate log on details with any server that supports LDAP. This means that servers using non-Windows operating systems, such as Linux, can be used for authentication.

      With LDAP, the authentication server can be on a different network domain from the ClearSCADA server. When logon takes place, the password is encrypted for transmission, but the user name is not. Plain LDAP has no transport encryption of its own, so anything else the session carries (the user name, the search filters and the group membership results) is readable by anyone on the network path. Prefer LDAP SSL wherever the directory supports it.

      If you choose LDAP as the Authentication Method, you need to define the LDAP Port (see below).

    • LDAP SSL—LDAP SSL is a more secure version of LDAP, as the whole session, including both the user name and password details, is encrypted. However, LDAP SSL requires the authentication server to have a valid LDAP SSL certificate: one issued by a certification authority that the ClearSCADA server trusts, whose subject or Subject Alternative Name matches the server name you enter in the Windows Domain Name/LDAP Server field, and which has not expired. A self-signed certificate, or one issued for a different host name, does not meet this requirement.

      If you choose LDAP SSL as the Authentication Method, you need to define the LDAP Port (see below).

  6. If the Authentication Method is set to LogonUser, you need to specify the required Logon Type. The Logon Type defines the access rights that users require in Active Directory and on the ClearSCADA server, in order for their User accounts to be able to use the External Authentication feature in ClearSCADA. The option you require depends on the permissions that are defined in Active Directory and on the ClearSCADA server itself. Choose from:
    • Interactive—Select this option if the users are permitted to perform interactive logons on the ClearSCADA server (the 'Allow log on locally' user right, SeInteractiveLogonRight). This is the less secure option, as it is generally considered good security practice to prevent users from performing interactive logons where possible.
    • Batch—Select this option if users are not permitted to perform interactive logons on the ClearSCADA server. This option requires users to hold the 'Log on as a batch job' user right (SeBatchLogonRight, listed under Local Policies > User Rights Assignment in Group Policy Management). This is considered the more secure option, as users require reduced access rights on the ClearSCADA server. For either Logon Type, the corresponding 'Deny' right ('Deny log on locally' or 'Deny log on as a batch job') takes precedence over the grant, so check both when a user unexpectedly fails to authenticate.
  7. In the Windows Domain Name/LDAP Server field, enter the name of the 'domain controller' (the Windows server that stores your Windows User Profiles and passwords). This is the domain to which ClearSCADA will connect when verifying the log on details against the Windows User Profiles. For this reason, the ClearSCADA server needs a valid network connection to the domain. The External Authentication feature can only authenticate Active Directory user accounts in trusted Windows domains.

    If you have chosen LDAP or LDAP SSL as the Authentication Method, enter the name of the LDAP server (also called a 'Directory System Agent' (DSA)) that stores the User names and passwords. This is the LDAP server to which ClearSCADA will connect when verifying the log on details against the LDAP User Profiles. For this reason, the ClearSCADA server needs a valid network connection to that LDAP server.

    If ClearSCADA is unable to connect to the Windows/LDAP server when it attempts to verify a user's credentials, that user will still be able to log on to ClearSCADA provided that they:

    • Log on within the Cached Password Expiry time (see below)
    • Enter the username and password of a valid user account that exists (and is enabled) in the ClearSCADA database.
  8. If you have chosen LDAP or LDAP SSL as the Authentication Method, you need to define the LDAP Port. This is the number of the port on which the LDAP authentication server accepts connections from the ClearSCADA server.

    By default, ClearSCADA uses the standard LDAP port (389), which is appropriate for many systems. However, you can change the LDAP port if required. Directories conventionally accept LDAP SSL connections on port 636, so check which port yours uses if you have chosen that Authentication Method.

    If you are unsure which port is being used, please contact your IT department or the administrators responsible for configuring the authentication server. They will have specified a port when they set up the authentication server.

  9. Leave the default setting of 150 seconds in place in the Cached Password Expiry field. You only need to adjust this setting if there are delays when logging on to your system (see Change the Cached Password Expiry Associated with External Authentication).

    You can extend the Cached Password Expiry time if the connection to the Windows server/LDAP server fails. To do this, enter a value in the Connection Failure Cached Password Expiry field that is at least as much as the Cached Password Expiry value. For example, if the Cached Password Expiry value is 150 seconds, enter a value of 150 seconds or higher. To disable this feature, enter a value of 0 seconds in the Connection Failure Cached Password Expiry field. The default value is 0 seconds. Bear in mind that any cached-password window is also the period during which a password that has since been changed in Windows/LDAP, or an account that has since been disabled there, continues to be accepted by ClearSCADA, so keep both values as short as your availability requirements allow.

    For more information about this property, see Change the Cached Password Expiry Associated with External Authentication.

  10. By default, a user can only log on to ClearSCADA using a valid ClearSCADA user account. When used in conjunction with External Authentication, the Windows or LDAP user account that is associated with the ClearSCADA user account will be used for the authentication process.
    • Clear the Allow Login to ClearSCADA with Windows/LDAP User Names check box to retain the default settings. Users will only be able to log on to ClearSCADA with valid ClearSCADA user accounts.

      If the Use External Authentication option is selected on the User Form in ClearSCADA, the External Authentication feature will be used and the user will be authenticated using Active Directory/LDAP and their ClearSCADA username and password. If a Windows/LDAP username is configured for the user account, then that will be used instead of their ClearSCADA username for the external authentication.

      (If a user attempts to log onto ClearSCADA using their Windows/LDAP username and this differs from the corresponding ClearSCADA username, the logon attempt will fail.)

    • Select the Allow Login to ClearSCADA with Windows/LDAP User Names check box to enable users to log on to ClearSCADA using the Windows/LDAP username that is associated with their ClearSCADA user account. This option is useful if, for example, you want users to be able to log on to ClearSCADA using their more familiar Windows/LDAP user accounts, but the usernames used for those accounts include characters that are invalid in ClearSCADA usernames (see Naming Restrictions). With this option selected, users will be able to log on to ClearSCADA using those Windows/LDAP usernames as an alternative to logging on via their ClearSCADA usernames.

      (If the Windows/LDAP usernames are identical to the corresponding ClearSCADA usernames, this option will have no effect.)

      Regardless of the setting of this check box, for those user accounts that are to use External Authentication, a Windows/LDAP username has to be configured on each ClearSCADA user account whose username differs from the corresponding Windows/LDAP username (see Define whether a User is Associated with a Windows or LDAP User Profile). This is the case, for example, when the Windows/LDAP user accounts use a different naming convention that includes characters that are not supported for ClearSCADA usernames (see Naming Restrictions).

  11. Select the Create Users Automatically from Group Membership check box if system administrators are to manage ClearSCADA user accounts centrally in Active Directory/LDAP. If a new user attempts to log on to ClearSCADA via ViewX or WebX, ClearSCADA will attempt to locate a Windows domain (Active Directory) user or LDAP user with the user credentials that have been entered. If such a user exists in Active Directory/LDAP but not in ClearSCADA, a new user account will be added to ClearSCADA automatically, to correspond with the Active Directory/LDAP user account. The use of User Pattern and other related configuration is required in ClearSCADA to enable such integration - see Integrate ClearSCADA User Accounts with Active Directory or LDAP User Accounts.

    Clear the check box if ClearSCADA is to use other aspects of External Authentication, but system administrators are to create user accounts in ClearSCADA manually, rather than integrate the creation of such accounts with Active Directory/LDAP.

  12. If you have chosen LDAP or LDAP SSL as the Authentication Method, enter the LDAP user base search path. This is the Distinguished Name (DN) for the entry containing the users. With LDAP, the full Distinguished Name takes the form of a series of CN (Common Name), OU (Organizational Unit), and DC (Domain Component) entries.

    The user can be found in any part of the tree starting at this object. For example, specifying CN=Users,DC=dc,DC=example,DC=com would allow users to be found in CN=Site1,CN=Users,DC=dc,DC=example,DC=com.

    If an invalid path is entered (one that is malformed or does not exist in the directory), externally authenticated users will be prevented from logging on.

    Note that this path is only required for group membership lookup, and not for authentication. If the path is valid but an authenticated user cannot be found beneath it, the user will still log on, but will appear to have no group memberships.

  13. If you have chosen LDAP or LDAP SSL as the Authentication Method, enter the LDAP group base search path. This is the Distinguished Name (DN) for an entry containing groups. As with the LDAP user base search path, the groups can be in any part of the tree starting at this object. Only groups found within this path will be used for matching against groups in ClearSCADA.

    If you have the following tree:

    • Users
      • User1 (member of: Development.Group1, Development.Group2, Test.Group1)
    • Development
      • Group1
      • Group2
      • Group3
    • Test
      • Group1 (member of: Development.Group3)

    If you specify Development as the group search base then the groups returned for User1 will be Development.Group1 and Development.Group2.

    As User1 is a member of Test.Group1, which lies outside the group search base, ClearSCADA will discard that group and will not follow its membership chain any further. As such, Development.Group3 will not be discovered, even though it is in the correct part of the tree, because finding it would require ClearSCADA to run a query on an object outside of the designated part of the tree.

  14. Apply the changes to the server.
  15. To authenticate ClearSCADA user accounts against those in Windows/LDAP, you need to configure the ClearSCADA user accounts to use the Use External Authentication feature. For more information, see Define whether a User is Associated with a Windows or LDAP User Profile. You can also associate ClearSCADA User Groups with Windows domain groups or LDAP user groups. If you do this, ClearSCADA checks the user's group membership against that in Windows/LDAP whenever the user logs on to ClearSCADA, and automatically updates their ClearSCADA User Group membership accordingly. For more information, see Associate a ClearSCADA User Group with a Windows Domain Group or LDAP User Group.

    If you opted to Create Users Automatically from Group Membership, you also need to set up suitable User Patterns and other related configuration to enable ClearSCADA user accounts to be created and maintained centrally using Active Directory/LDAP user profiles (see Provide Settings for Automatic User Creation, and see Create User Accounts from a User Pattern).
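Before settling on Interactive or Batch in step 6, it helps to see which principals actually hold the corresponding user rights on the ClearSCADA server, including the 'Deny' rights, which override a grant. The following PowerShell script is an added example written for this page; it is not part of ClearSCADA or its documentation. It exports the User Rights Assignment area of the local security policy with secedit (which needs an elevated prompt), reads the four relevant privilege lines and resolves SIDs to account names. The right names SeInteractiveLogonRight, SeDenyInteractiveLogonRight, SeBatchLogonRight and SeDenyBatchLogonRight are the Windows constants behind the Group Policy entries; the function and variable names are the author's own.

```powershell
# Added example: report who holds the logon rights relevant to the ClearSCADA
# External Authentication Logon Type (step 6). Run from an elevated PowerShell
# prompt on the ClearSCADA server; secedit needs administrative rights.

function Get-LogonRightHolders {
    param([Parameter(Mandatory)][string]$Right)

    $cfg = Join-Path $env:TEMP ('secpol_{0}.inf' -f [guid]::NewGuid())
    try {
        # Export only the User Rights Assignment area of the local policy.
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        if (-not (Test-Path $cfg)) { throw "secedit export failed (is the prompt elevated?)" }

        $pattern = '^\s*{0}\s*=' -f [regex]::Escape($Right)
        $line = Get-Content -Path $cfg | Where-Object { $_ -match $pattern } | Select-Object -First 1
        if (-not $line) { return @() }   # right is not assigned to anyone

        # Line format is: SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551
        $entries = (($line -split '=', 2)[1]).Trim() -split ','
        foreach ($e in $entries) {
            $e = $e.Trim()
            if ($e.StartsWith('*')) {
                # A leading asterisk marks a SID; translate it to DOMAIN\Name where possible.
                $sid = New-Object System.Security.Principal.SecurityIdentifier($e.Substring(1))
                try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $e }            # unresolvable (e.g. deleted account): keep the raw SID
            } else {
                $e                      # already an account name
            }
        }
    } finally {
        Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    }
}

# Deny rights take precedence over the matching grant, so report both of each pair.
$rights = [ordered]@{
    'Interactive (Allow log on locally)'  = 'SeInteractiveLogonRight'
    'Interactive (Deny log on locally)'   = 'SeDenyInteractiveLogonRight'
    'Batch (Log on as a batch job)'       = 'SeBatchLogonRight'
    'Batch (Deny log on as a batch job)'  = 'SeDenyBatchLogonRight'
}

foreach ($label in $rights.Keys) {
    $holders = @(Get-LogonRightHolders -Right $rights[$label])
    Write-Host ("{0}:" -f $label)
    if ($holders.Count -eq 0) { Write-Host '    (none)' }
    else { $holders | ForEach-Object { Write-Host "    $_" } }
}
```

If the group or account that your ClearSCADA operators belong to appears under the Batch grant and not under the Batch deny, the Batch Logon Type will work without giving those users the right to log on locally to the server.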

When you have enabled the External Authentication feature and defined the required settings, the External Authentication process is ready to use. The feature is applied to every ClearSCADA user account that is configured to use External Authentication.
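To confirm the LDAP settings from steps 7, 8, 12 and 13 before applying them, the following PowerShell script is an added example for this page; it is not ClearSCADA code and does not describe how ClearSCADA itself queries the directory. It runs on the ClearSCADA server using the .NET System.DirectoryServices.Protocols classes: it binds to the configured server and port with the test user's credentials, looks the user up beneath the LDAP user base search path, and then walks memberOf from the user's entry, keeping only groups under the group base search path and refusing to expand groups outside it, which mirrors the pruning described in step 13. The server name, port, DNs, bind identity and the sAMAccountName/uid filter are placeholders and assumptions to replace with your own values.

```powershell
# Added example: test the External Authentication LDAP settings from the
# ClearSCADA server. Every value below is a placeholder for your own.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server    = 'ldap.example.com'                        # Windows Domain Name/LDAP Server field
$Port      = 636                                       # LDAP Port field (389 plain, 636 for SSL)
$UseSsl    = $true                                     # $true when testing the LDAP SSL method
$UserBase  = 'CN=Users,DC=dc,DC=example,DC=com'        # LDAP user base search path
$GroupBase = 'OU=Development,DC=dc,DC=example,DC=com'  # LDAP group base search path (assumed OU)
$LoginName = 'user1'                                   # name the operator types into ViewX (constant here;
                                                       # escape per RFC 4515 if it ever comes from input)
$BindId    = 'user1@dc.example.com'                    # UPN for Active Directory, or a full DN elsewhere
$Password  = Read-Host -AsSecureString 'Password'

function Test-DnUnder([string]$Dn, [string]$Base) {
    # DN comparison is case-insensitive; whitespace normalisation is deliberately ignored here.
    return $Dn.Equals($Base, [StringComparison]::OrdinalIgnoreCase) -or
           $Dn.EndsWith(",$Base", [StringComparison]::OrdinalIgnoreCase)
}

$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.ProtocolVersion   = 3
$conn.SessionOptions.SecureSocketLayer = $UseSsl       # server certificate must chain to a CA this host trusts
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind: only safe over SSL
$conn.Credential = New-Object System.Net.NetworkCredential($BindId, $Password)
$conn.Bind()      # throws LdapException on wrong credentials, port, or certificate problems

function Search-Ldap($Base, $Filter, $Scope) {
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest($Base, $Filter, $Scope, @('memberOf'))
    return [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($req)
}

# Step 12: the user must exist somewhere beneath the user base search path.
$filter = '(|(sAMAccountName={0})(uid={0}))' -f $LoginName
$users  = Search-Ldap $UserBase $filter ([System.DirectoryServices.Protocols.SearchScope]::Subtree)
if ($users.Entries.Count -ne 1) { throw "Expected exactly one user under $UserBase, found $($users.Entries.Count)" }
$userDn = $users.Entries[0].DistinguishedName
Write-Host "User found: $userDn"

# Step 13: breadth-first walk of memberOf, pruned to the group base search path.
$found = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
$queue = [System.Collections.Generic.Queue[string]]::new()
$queue.Enqueue($userDn)
while ($queue.Count -gt 0) {
    $dn   = $queue.Dequeue()
    $resp = Search-Ldap $dn '(objectClass=*)' ([System.DirectoryServices.Protocols.SearchScope]::Base)
    if ($resp.Entries.Count -eq 0 -or -not $resp.Entries[0].Attributes.Contains('memberOf')) { continue }
    foreach ($g in $resp.Entries[0].Attributes['memberOf'].GetValues([string])) {
        if (-not (Test-DnUnder $g $GroupBase)) {
            Write-Host "  discarded (outside group base, not followed): $g"
        } elseif ($found.Add($g)) {
            $queue.Enqueue($g)    # only groups inside the base are expanded further
        }
    }
}
Write-Host 'Groups available for matching against ClearSCADA User Groups:'
$found | ForEach-Object { Write-Host "  $_" }
```

With the tree from step 13 and $GroupBase pointing at Development, the script lists Development.Group1 and Development.Group2, reports Test.Group1 as discarded, and never reaches Development.Group3. A bind failure points at steps 7, 8 or the certificate requirement of LDAP SSL; a user-not-found result points at step 12; missing groups point at step 13.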

Further Information

Original WebX Security Settings, Connection Settings and Preferences



ClearSCADA 2017 R3