Enable Windows® Authentication

All VTScada accounts will continue to exist when Windows Security Integration (WSI) is enabled. You may choose to disable some or all local accounts in favor of domain accounts.

Windows security groups map to VTScada roles with the addition of "VTScada-" before the role name. Thus, the role "Operator" maps to the security group, "VTScada-Operator" and the role, "SuperUser" maps to the group, "VTScada-SuperUser".

The prefix "VTScada-" is stored in the application property, ADGroupPrefix, where you may change it if desired. VTScada roles, including role names and assigned privilege sets, are under the control of anyone with the Manager security privilege.

Review the related notes before proceeding: Windows Authentication Notes

Clicking the option, Enable Windows Security Integration in the Administrative Settings dialog is step 6 in the instructions, which follow two steps of preparation. Do not rush ahead.

Preparation

  1. Ensure that the VTScada workstation is running as a member of a Windows domain.
    The "Enable Windows Security Integration" check box is disabled if VTScada is started on a machine that is not a member of a Windows domain.
  2. Ensure that you are a Windows Domain Administrator, or that you have access to one who is available to assist with certain steps in the following procedure.

Enable Windows Security Integration

  1. Enable VTScada Security and create an account with the Manager and Administrator privileges.
  2. You are advised to set up preliminary VTScada roles and custom privileges at this time.
    Windows accounts are associated with VTScada roles as described above. You can add new roles and adjust privilege sets at any time.
  3. Have your Windows Domain Administrator create security groups that are named for the roles in your application.
    The Active Directory Security Group names should use the form "VTScada-RoleName".
  4. Ensure that your Windows user account is given membership in the appropriate Active Directory Security Groups from the previous step.
  5. Decide whether to enable the property AutoAddADUsers.
    Cannot be enabled when security realms are in use. (A user realm delimiter has been defined.)
    If enabled, domain accounts are created within VTScada with each successful logon.
    If not enabled, you must create a domain account in VTScada, using the form "username@company.com" for each user.
  6. Open the VTScada Administrative Settings dialog.
    ("Options" in the security menu.
     Ensure that the Advanced section of the dialog is expanded.)
  7. Select the option, Enable Windows Security Integration.
  8. Read, then acknowledge the warning.
  9. Click, OK.

Test by logging out, then sign in using your Windows account and password.

It is not possible to assign privileges or passwords to domain accounts. Privileges for these accounts are determined by their membership in domain groups, matching VTScada roles.

Troubleshooting:

  • Unable to sign in with your Windows account.

Ensure that your Windows account is associated with a Security Group, named correctly for the VTScada role.

You may need to allow the domain controllers several minutes for the change to propagate.

  • Upon signing in with just your user name, you are now signed in with a VTScada account rather than your Windows account.

Both a Windows account and a VTScada account exist with a matching user name. If this is by intent, use care to sign in with your full Windows account name, "User@company.com" when using your Windows account, and just "User" when using your VTScada account.