OS Auth. User Administration Notes
- For changing the WinCC OA user administration to the OS.Auth. user administration, the executing must be assigned to groups in the Active Directory with the corresponding required user rights (authorization) in WinCC OA.
- You cannot add or delete users under OS.Auth. user administration. This must be done by the domain administrator.
- Users deleted from the Active Directory are not deleted from the WinCC OA database since the users are required for historical
queries. Deleted users are marked as
_deleted
. - When logging in for the first time, the internal structures are prepared.
- Login attempts for new users take longer because no user groups exist yet.
- OS authentication in a mixed operating system environment (for example a Linux server, and a remote UI running on a Windows client) does not work with Client side authentication due to the differences of the external user IDs on the different systems. This external user ID is used to uniquely identify a certain user. Therefore, if it changes from system to system, it will cause certain problems, for example, when creating a user on the first login. In these mixed environments with OS Authentication, the Server Side Authentication feature must be used.
pararemote=1
license cannot be used if you use OS Auth. and your PC is not a member of the Active Directory (AD) where the servers are connected. Note also that a remote UI cannot change to the OS Auth. mode if the PC where the RemoteUI is running is not a part of the AD.- If the Active directory is offline or cannot be reached a login with a Windows domain user is not possible anymore!
- Increase the number of debugging levels (on operating system and WinCC OA level) to be able to analyze login problems.
-
When using OS-Auth., groups are not inherited within WinCC OA.
Example:
User A belongs to the group "Test-Group".
Test-Group is a member of "Master-Group".
Master-Group is permitted in WinCC OA with the bits 1,2,3 and 4.
If the user now tries to log in, this does not work because the "Test-Group" group does not inherit from the "Master-Group".
You must therefore add the user directly to the "Master-Group" or configure the bits for the authorisations directly for the "Test-Group".
Authentication Errors
An "Authentication error" is shown due to the following reasons:
- Wrong user name,
- Correct user name but incorrect password,
- Correct user name but user is not part of any user group,
- Correct user name and the user belongs to the user groups but none of the groups has the appropriate permission,
- Correct user name but password of the account has expired (only when using Linux),
- Correct user name and password but the account is expired or deactivated (only when using Linux).