
WEBfactory 2010

WFUserManager Active Directory Integration

Active Directory Integration
User management

A project engineer can either define explicit WEBfactory 2010 users or activate Active Directory security for WEBfactory 2010.

If Active Directory security is active, log-ins with valid Active Directory credentials will also be accepted within WEBfactory 2010.

Users who log in with valid Active Directory credentials will be granted the WEBfactory 2010 authorizations of those authorization groups that have the same name as the Active Directory roles/user groups assigned to the corresponding Active Directory user.

Example:

Active Directory user “Hans” belongs to the Active Directory user groups “Scada Admins” and “Scada Users”. He also belongs to the Active Directory user groups “Administrators” and “Users”. Within WEBfactory 2010 there are authorization groups called “Scada Admins” and “Scada Users”, but no authorization groups called “Administrators” and “Users”. Therefore, at log-on, Active Directory user “Hans” will be granted all WEBfactory 2010 authorizations that belong to the WEBfactory 2010 authorization groups “Scada Admins” and “Scada Users”.

There will be a special dialog within the WEBfactory 2010 user manager where the project engineer can activate Active Directory security for WEBfactory 2010 and can also define the name of the corresponding domain or workgroup.

In this dialog he can also define the default user settings for Active Directory users, such as “Auto-log off interval”, “User level”, “Max. failed log-ons”, etc.

When a user logs in with valid Active Directory credentials, a corresponding user entry will be created inside the WEBfactory 2010 database if it doesn’t already exist, as this is required for the referential integrity of the database management system behind WEBfactory 2010.

The initial user settings will be adopted from the Active Directory default user settings that were defined by the project engineer.

There will also be an additional user property that defines whether a user account belongs to a WEBfactory 2010 user or an Active Directory user.

Password verification for Active Directory users during log-on will always be done in real time against the Active Directory server. The WEBfactory 2010 system will not store any Active Directory user passwords.

Using Local Users instead of Active Directory Users

Logging in to WEBfactory 2010 with Local Users requires the following settings:

  • Set the Computer Name of the local machine to the same value as the Domain Name in WEBfactory 2010 Studio Settings > server > General.

[Figure: Domain Name in WEBfactory 2010 Studio]

NOTE

Usernames are case sensitive! The Username must be written using the same case as in the Local User list.

  • The Local Groups must have the same name as the Authorization Groups from the WEBfactory 2010 User Manager.

User login control

The WEBfactory 2010 user login control will support logging in with WEBfactory 2010 user credentials as well as with Active Directory credentials.

At login time the user can choose whether to log in to the WEBfactory 2010 system as a WEBfactory 2010 user or as an Active Directory user. For this purpose there will be an option group available within the login dialog of the control.

This option group can be disabled by the project engineer at design time. In this case the project engineer can also define at design time whether users will always be logged in as WEBfactory 2010 users or as Active Directory users.

The WEBfactory 2010 user login control will support auto-login operations:

  1. when the visualization was just started and

  2. when a user logged out manually or was logged out by the system.

For this purpose there will be 4 additional properties that can be set by the project engineer at design time:

  1. AutoLoginAtStartup

  2. AutoLoginAfterLogout

  3. InitialUserName

  4. InitialUserPassword

The first 2 additional properties (AutoLoginAtStartup and AutoLoginAfterLogout) can take the following values:

  1. No auto login

  2. Login current Windows user

  3. Login initial user

With these properties the project engineer can define whether no user, the current Windows user or a default user should be logged in automatically, either at startup of the visualization or when any user was logged off and no user is currently logged in.

WEBfactory 2010 Server

The WEBfactory 2010 Server can validate WEBfactory 2010 user credentials as well as Active Directory user credentials.

In the case of Active Directory user credentials, the WEBfactory 2010 Server will forward the login request to the domain/workgroup controller.

After successful verification of either a WEBfactory 2010 user or an Active Directory user, the WEBfactory 2010 Server will grant the new user session the correct WEBfactory 2010 authorizations.

For WEBfactory 2010 users there will be no changes in calculating the appropriate list of authorizations.

For Active Directory users the server will grant the new user session the WEBfactory 2010 authorizations of those authorization groups that have the same name as the Active Directory roles/user groups to which the logged-in Active Directory user belongs.

After the login operation there will be no difference of any kind between user sessions that belong to a WEBfactory 2010 user and those that belong to an Active Directory user.
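
The name-based mapping described above (the “Hans” example and the server-side rule) can be modelled and reviewed before Active Directory security is switched on. The following is an added example, not WEBfactory code: the authorization names, the user “Eva”, the “scada operators” group and exact, case-sensitive name matching are assumptions made for illustration.

```python
# Added illustration of the name-based mapping; all data is constructed.
# Assumption: group names are compared exactly (case-sensitive).

# Well-known Windows/AD groups that typically contain most or all accounts.
BROAD_GROUPS = {"Users", "Domain Users", "Authenticated Users", "Everyone"}

# Authorization groups from the page; the authorization names are hypothetical.
AUTH_GROUPS = {
    "Scada Admins": ["WriteSignals", "AcknowledgeAlarms"],
    "Scada Users": ["ViewTrends"],
}
# Active Directory user -> AD group memberships ("Hans" is the page's example).
DIRECTORY = {"Hans": ["Scada Admins", "Scada Users", "Administrators", "Users"]}


def session_authorizations(ad_groups, auth_groups):
    """Return (matching group names, union of their authorizations)."""
    matched = sorted(set(ad_groups) & set(auth_groups))
    granted = set()
    for name in matched:
        granted |= set(auth_groups[name])
    return matched, granted


def audit(auth_groups, directory):
    """Flag authorization-group names that map too broadly or not at all."""
    findings = []
    ad_groups = {g for groups in directory.values() for g in groups}
    for name in sorted(auth_groups):
        if name in BROAD_GROUPS:
            findings.append(("broad-group", name))
        elif name not in ad_groups:
            near = [g for g in ad_groups if g.lower() == name.lower()]
            findings.append(("case-mismatch" if near else "no-ad-group", name))
    for user in sorted(directory):
        if not session_authorizations(directory[user], auth_groups)[0]:
            findings.append(("no-authorizations", user))
    return findings


if __name__ == "__main__":
    print(session_authorizations(DIRECTORY["Hans"], AUTH_GROUPS))
    # A constructed risky configuration: one broad name, one case mismatch.
    risky = {**AUTH_GROUPS, "Users": ["ViewTrends"],
             "scada operators": ["AcknowledgeAlarms"]}
    people = {**DIRECTORY, "Eva": ["Scada Operators"]}
    for finding in audit(risky, people):
        print(finding)
```

An authorization group named after a broad group such as “Users” would hand its authorizations to every account in that group, which is why the audit reports it separately from simple naming mismatches.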