i4scada Login Procedure
Read this article to learn more about the i4scada Login procedure and the Security Services handling them. Chose the option which suits you?
The i4scada login procedure is structured on three levels: Client, WebServices and Server. Each level handles a different set of operations, thus securing the i4scada system and providing a simplified login procedure.
Client level
At this level, the login procedure is initiated by the user, using the HTML components wf-user-login or wf-user-login-basic. There are three login scenarios supported by the clients:
The WEBfactory login - using the username and the password defined in i4scada User Manager and stored in the i4scada database.
The Domain user login - using the username and password defined in Active Directory.
The Windows user login - using the credentials of the user which is currently logged in Windows.
WebServices level
At this level, the login is handled by the Security Service and the NTLM Service. The login is either initiated by a client, as mentioned above, or programmatically, using the methods exposed by the services mentioned earlier.
While the Security Service handles the WEBfactory and the Domain user login, using either the provided username and password, the NTLM Service handles the Windows user login.
To be able to achieve this login, the NTLM Service forces the IIS to use only Windows Authentication, disabling the IIS Anonymous Authentication. Because of the Windows Authentication mode of IIS, when attempting a Windows user login for the first time, the IIS might ask the user to input the username and password of the Windows user, which are further used in the login procedure. The IIS prompt for Windows username and password can be set to remember the credentials, thus the next Windows user login attempts will no longer trigger the IIS request for username and password.
Server level
At this level the actual login is performed. The i4scada server handles the different login methods using different approaches.
For WEBfactory login attempts, the server validates the user's username and password against the credentials stored in the i4scada database. If the validation succeeds, the server applies the Authorization Groups available in the i4scada database for that user.
For Domain user login attempts, the server validates the username and password against the Active Directory. If the validation succeeds, the user's Authorization Groups from Active Directory are matched against the user's Authorization Groups from the i4scada database and the matching Authorization Groups are applied.
For Windows user login attempts, the server validates the user against Active Directory by checking inside Active Directory if the user is a member of the domain specified in i4scada Studio. If the validation succeeds, the user's Authorization Groups from Active Directory are matched against the user's Authorization Groups from the i4scada database and the matching Authorization Groups are applied.