Configure network-based security logon using Active Directory

Network-based security enables managing user accounts and user groups centrally. It allows network users to log on to an HMI device, authenticate with the Active Directory, and be granted authorization rights based on their role.
When network-based logon is used for a project, local users can still be configured and used on the terminal (for example, as a back-up). You can switch to local users on the logon pop-up in runtime.
Active Directory properties may vary depending on your company and the complexity of system architecture. If you find any problems during configuration, contact your Active Directory administrator.
TIP: Leaving the Connection fields blank will have the panel use local users at runtime.
Ensure that the logon method is set to use the user name and password:
  1. From the main menu, select Project > Project Properties.
  2. In the Project Properties window, select the Log On Method tab.
  3. Select the Use user name/password for logging on radio button.
To configure network-based security logon:
  1. From the main menu, select Tools > Security Administration.
  2. In the Security Administration window, select the Connection and Groups tab.
  3. In the Connection section, fill in the required fields.
    1. In the Domain Name field, enter your corporate domain.
      IMPORTANT: During the Active Directory logon process, the user name and the configured Domain Name are combined to form the User Principal Name, in the format <username>@<domain>.com. It is sent with the password to the domain controller for authentication. Users must therefore log on with the user name portion of their User Principal Name.
      Correct format: jamessmith@domain.com
      Incorrect format: domain.com\jsmith
    2. In the Domain Controller field, enter the full address of the Active Directory server.
    3. In the Port field, enter the port number.
      TIP: Typical default ports are: no encryption – 389, StartTLS – 389, LDAPS – 636.
    4. In the Domain Distinguished Name field, enter your domain distinguished name, for example:
      DC=domain,DC=com
    5. If the connection requires encryption, select the encryption method.
      IMPORTANT: Not using encryption for network-based authentication sends the user name and password as plain text over the network, which is a security risk.
      To use StartTLS or LDAPS encryption for logon, you must first import the proper security certificate to the terminal by using the Certificates settings screen.
  4. In the Groups and Roles section, click the add icon next to Add new User Group.
    TIP: You can add and define multiple groups.
  5. In the new section that appears, enter the following information:
    1. In the User Group Distinguished Name field, enter the distinguished name of a group, for example:
      CN=Operators,OU=Groups,DC=domain,DC=com
    2. In the drop-down menu next to the User Group Distinguished Name field, select the role you want to assign to the group.
      TIP: You can remove a group by clicking the remove icon next to it.
      At runtime, when a user logs on, the Active Directory returns that user's group membership. Because each configured group is mapped to a role, the user receives the security role mapped to the Active Directory group they belong to. If a user belongs to multiple mapped groups with different roles, they receive the first role configured in this list. If a user belongs to none of the mapped groups, they receive an error message on the PanelView 5000 when they log on.
  6. Click OK.
    TIP: Active Directory properties may vary depending on your company and the complexity of the system architecture. If you encounter any problems during configuration, contact your Active Directory administrator for guidance on this configuration.
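The following is an added example, not Rockwell's code and not something the terminal runs; it models the runtime rules this procedure describes (User Principal Name formation, the plain-text risk of an unencrypted connection, and group-to-role resolution where the first configured mapping wins and no mapping is an error) so that a configuration can be sanity-checked before it is deployed. The ConnectionConfig fields, the function names and all sample users, groups and server addresses are this example's own constructions; nothing here contacts a real domain controller.

```python
"""Model of the network-based logon rules described on this page.

Added example; this is not Rockwell's code and does not talk to a real domain
controller. It only reproduces the rules the page states: how the User Principal
Name is formed, which connection settings send credentials in the clear, and how
an Active Directory group membership is turned into a role (first configured
mapping wins, no mapping is an error). All sample data below is constructed.
"""

from dataclasses import dataclass

# Typical default ports listed on the page for each encryption method.
DEFAULT_PORTS = {"none": 389, "StartTLS": 389, "LDAPS": 636}


@dataclass
class ConnectionConfig:
    """The fields of the Connection section (field names are this example's own)."""
    domain_name: str = ""          # e.g. "domain.com"
    domain_controller: str = ""    # full address of the Active Directory server
    port: int = 0
    encryption: str = "none"       # "none", "StartTLS" or "LDAPS"
    domain_dn: str = ""            # e.g. "DC=domain,DC=com"


def uses_local_users(cfg: ConnectionConfig) -> bool:
    """Blank Connection fields mean the panel falls back to local users at runtime."""
    return not (cfg.domain_name or cfg.domain_controller or cfg.domain_dn)


def build_upn(username: str, domain_name: str) -> str:
    """Combine the typed user name with the configured domain into <username>@<domain>.

    The page requires the bare user name, so the DOMAIN\\user and user@domain
    forms are rejected here instead of silently producing a malformed UPN.
    """
    if not username or "\\" in username or "@" in username:
        raise ValueError(f"user name must be the bare UPN prefix, got {username!r}")
    return f"{username}@{domain_name}"


def connection_findings(cfg: ConnectionConfig) -> list[str]:
    """Findings a reviewer would raise about the Connection settings."""
    findings = []
    if cfg.encryption not in DEFAULT_PORTS:
        return [f"unknown encryption method {cfg.encryption!r}"]
    if cfg.encryption == "none":
        findings.append("no encryption: user name and password are sent in plain text; "
                        "use StartTLS or LDAPS and import the server certificate")
    if cfg.port != DEFAULT_PORTS[cfg.encryption]:
        findings.append(f"port {cfg.port} is not the typical default "
                        f"{DEFAULT_PORTS[cfg.encryption]} for {cfg.encryption}")
    return findings


def _norm_dn(dn: str) -> str:
    # Simplification: compare DNs case-insensitively, ignoring spaces around commas.
    return ",".join(part.strip() for part in dn.split(",")).lower()


def resolve_role(member_of: list[str], group_roles: list[tuple[str, str]]) -> str:
    """Map the groups the directory returned for a user to a role.

    group_roles is the ordered list of (group DN, role) pairs as configured on
    the Connection and Groups tab; the first configured pair the user matches wins.
    """
    groups = {_norm_dn(g) for g in member_of}
    for group_dn, role in group_roles:
        if _norm_dn(group_dn) in groups:
            return role
    raise PermissionError("user is not a member of any mapped group")


# Constructed sample configuration and directory data.
SAMPLE_CONFIG = ConnectionConfig("domain.com", "dc01.domain.com", 636, "LDAPS", "DC=domain,DC=com")
SAMPLE_GROUP_ROLES = [
    ("CN=Operators,OU=Groups,DC=domain,DC=com", "Operator"),
    ("CN=Engineers,OU=Groups,DC=domain,DC=com", "Administrator"),
]
SAMPLE_DIRECTORY = {  # user -> groups the domain controller would return (constructed)
    "jamessmith": ["CN=Engineers,OU=Groups,DC=domain,DC=com",
                   "CN=Operators,OU=Groups,DC=domain,DC=com"],
    "guest": ["CN=Visitors,OU=Groups,DC=domain,DC=com"],
}


def logon(username: str, cfg=SAMPLE_CONFIG, directory=SAMPLE_DIRECTORY,
          group_roles=SAMPLE_GROUP_ROLES) -> dict:
    """Run the logon steps against the constructed directory and return the outcome."""
    upn = build_upn(username, cfg.domain_name)
    member_of = directory.get(username, [])
    try:
        role = resolve_role(member_of, group_roles)
    except PermissionError as exc:
        return {"upn": upn, "role": None, "error": str(exc)}
    return {"upn": upn, "role": role, "error": None}


if __name__ == "__main__":
    plain = ConnectionConfig("domain.com", "dc01.domain.com", 389, "none", "DC=domain,DC=com")
    for finding in connection_findings(plain):
        print("finding:", finding)
    for user in ("jamessmith", "guest"):
        print(user, logon(user))
```

Note that the constructed user jamessmith is a member of both mapped groups, yet resolves to Operator rather than Administrator because Operators is listed first; ordering the mapping list deliberately is what keeps a user from silently receiving a more privileged role than intended.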