Operating System Authentication - User Administration

The WinCC OA user administration panel allows you to select Operating System Authentication (OS Auth.) as the user administration. The user groups of a user are then adopted from the Windows or Linux administration.

The OS Auth. user administration is platform independent and enables central administration of all users and user rights. Via the OS Auth. user administration you can, for example, query the users of a Windows Active Directory from a Linux host.

Activating OS-based user administration on a Windows or Linux system is the usual way to avoid problems caused by weak passwords. On a Windows system this feature requires a running Active Directory.

An Active Directory allows mandatory requirements for password strength to be enforced; these are configured via the Group Policy Editor. With enforced settings you can ensure that users have strong passwords, which protects the project from the use of weak passwords.

Besides a strong password, an OS-based user authentication mechanism allows users and groups to be synchronized within a domain. This makes it easier to log in to a WinCC OA project running on a host within the same domain.
Note: Multi-domain environments are not supported by WinCC OA.
Note: If OS Auth is used, the Active Directory password policy and the WinCC OA password policy may diverge (this may also happen later during operation).

In this case the WinCC OA password policy must be deactivated or set to a policy that is equal to or less strict than the Active Directory policy.

Ideally, disable the WinCC OA password policy, or relax it as described above, already when setting up OS Auth. Otherwise a user may be unable to log in because the two policies differ.
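The following added example (not part of the WinCC OA documentation or product) models the policy divergence described above. A password policy is reduced to a minimum length plus four character-class flags (an assumption; the real policies have more settings). `policy_violations` lists every respect in which the WinCC OA policy is stricter than the Active Directory policy, and `login_possible` shows the failure mode: a password that Active Directory accepted is rejected by a stricter WinCC OA policy, so the user cannot log in. All policies and the sample password are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    """Simplified password policy (assumption: only these five settings are compared)."""
    min_length: int = 0
    require_upper: bool = False
    require_lower: bool = False
    require_digit: bool = False
    require_special: bool = False


CLASS_FLAGS = ("require_upper", "require_lower", "require_digit", "require_special")


def policy_violations(ad: PasswordPolicy, oa: Optional[PasswordPolicy]) -> List[str]:
    """Return each way in which the WinCC OA policy is stricter than the AD policy.

    An empty list means the WinCC OA policy is equal to or less strict, i.e. every
    password that AD accepts is also accepted by WinCC OA.  oa=None models a
    deactivated WinCC OA policy, which is always compatible.
    """
    if oa is None:
        return []
    problems = []
    if oa.min_length > ad.min_length:
        problems.append(f"min_length: WinCC OA {oa.min_length} > AD {ad.min_length}")
    for flag in CLASS_FLAGS:
        if getattr(oa, flag) and not getattr(ad, flag):
            problems.append(f"{flag}: required by WinCC OA but not by AD")
    return problems


def satisfies(policy: Optional[PasswordPolicy], password: str) -> bool:
    """Check a password against one policy; a deactivated policy accepts everything."""
    if policy is None:
        return True
    if len(password) < policy.min_length:
        return False
    if policy.require_upper and not any(c.isupper() for c in password):
        return False
    if policy.require_lower and not any(c.islower() for c in password):
        return False
    if policy.require_digit and not any(c.isdigit() for c in password):
        return False
    if policy.require_special and not any(not c.isalnum() for c in password):
        return False
    return True


def login_possible(ad: PasswordPolicy, oa: Optional[PasswordPolicy], password: str) -> bool:
    """A domain user can log in only if the password AD accepted also passes WinCC OA."""
    return satisfies(ad, password) and satisfies(oa, password)


# Constructed sample policies: AD enforces 8 characters with upper/lower/digit.
AD_POLICY = PasswordPolicy(min_length=8, require_upper=True, require_lower=True, require_digit=True)
# A WinCC OA policy that drifted to 12 characters plus a special character (too strict).
OA_POLICY_STRICT = PasswordPolicy(min_length=12, require_upper=True, require_lower=True,
                                  require_digit=True, require_special=True)
# The corrected WinCC OA policy: equal to the AD policy.
OA_POLICY_RELAXED = PasswordPolicy(min_length=8, require_upper=True, require_lower=True,
                                   require_digit=True)
SAMPLE_PASSWORD = "Winter2024"  # constructed; valid under AD_POLICY, invalid under OA_POLICY_STRICT


if __name__ == "__main__":
    for name, oa in (("strict", OA_POLICY_STRICT), ("relaxed", OA_POLICY_RELAXED), ("disabled", None)):
        print(name, policy_violations(AD_POLICY, oa), login_possible(AD_POLICY, oa, SAMPLE_PASSWORD))
```

Run the check whenever either policy changes, not only at setup time, since the page notes that the policies can also drift apart later during operation.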

The group rights for the adopted groups have to be defined in WinCC OA. See the chapter Groups for more information. The OS Auth. user administration can be used like the WinCC OA user administration, with the exception that users or groups cannot be added or deleted.

When a user logs in, the system checks whether the user is known.

If the user exists in WinCC OA but not in the domain (the root user is the exception), the user is deleted from WinCC OA.
Note: When you switch to the OS Auth. user administration, the emergency users are also deleted.

For user authentication, only Windows domain servers are used; local users and work groups are not supported.

When a user logs in to WinCC OA and not all of the user's groups exist in WinCC OA, the missing Windows/Linux groups are created automatically.
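The login-time rules stated above (stale users deleted unless root, emergency users removed on the switch to OS Auth., missing groups created automatically, rights of adopted groups still to be defined in WinCC OA) are modelled in the following added example. It is not WinCC OA's own code: the store, the result type, the domain lookup and the sample accounts are all constructed for the example, and how the root user itself authenticates is outside the model.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

ROOT_USER = "root"  # the one account the page exempts from deletion


@dataclass
class OaUserStore:
    """Minimal model of the WinCC OA user database (constructed for this example)."""
    users: Dict[str, Set[str]] = field(default_factory=dict)          # user -> groups
    group_rights: Dict[str, Set[str]] = field(default_factory=dict)   # group -> rights defined in WinCC OA
    emergency_users: Set[str] = field(default_factory=set)


@dataclass(frozen=True)
class LoginResult:
    authenticated: bool
    created_groups: frozenset
    deleted_user: bool


def switch_to_os_auth(store: OaUserStore) -> Set[str]:
    """Switching to the OS Auth. user administration removes the emergency users."""
    removed = set(store.emergency_users)
    for name in removed:
        store.users.pop(name, None)
    store.emergency_users.clear()
    return removed


def login(store: OaUserStore, username: str,
          domain_groups: Callable[[str], Optional[Set[str]]]) -> LoginResult:
    """Reconcile one login: domain_groups(user) returns the OS groups or None if unknown."""
    groups = domain_groups(username)
    if groups is None:
        # Unknown to the domain: drop a stale WinCC OA account, except for root.
        deleted = username != ROOT_USER and store.users.pop(username, None) is not None
        return LoginResult(authenticated=False, created_groups=frozenset(), deleted_user=deleted)
    # Groups the domain reports but WinCC OA does not know yet are created automatically.
    created = {g for g in groups if g not in store.group_rights}
    for g in created:
        store.group_rights[g] = set()  # adopted group: rights must still be defined by the engineer
    store.users[username] = set(groups)
    return LoginResult(authenticated=True, created_groups=frozenset(created), deleted_user=False)


def effective_rights(store: OaUserStore, username: str) -> Set[str]:
    """Union of the rights of all groups the user was adopted into."""
    rights: Set[str] = set()
    for g in store.users.get(username, set()):
        rights |= store.group_rights.get(g, set())
    return rights


# Constructed sample domain: two domain users; "carol" no longer exists in the domain.
DOMAIN = {"alice": {"OA_Operators"}, "bob": {"OA_Operators", "OA_Engineers"}}


def sample_domain_lookup(username: str) -> Optional[Set[str]]:
    return DOMAIN.get(username)


def make_sample_store() -> OaUserStore:
    return OaUserStore(
        users={"root": {"root"}, "carol": {"para"}, "emergency1": {"para"}},
        group_rights={"root": {"all"}, "para": {"view", "control"}, "OA_Engineers": {"para_edit"}},
        emergency_users={"emergency1"},
    )


def demo():
    store = make_sample_store()
    removed = switch_to_os_auth(store)
    r_alice = login(store, "alice", sample_domain_lookup)
    r_bob = login(store, "bob", sample_domain_lookup)
    r_carol = login(store, "carol", sample_domain_lookup)
    r_root = login(store, "root", sample_domain_lookup)
    return store, removed, r_alice, r_bob, r_carol, r_root


if __name__ == "__main__":
    store, removed, r_alice, r_bob, r_carol, r_root = demo()
    print("removed emergency users:", removed)
    print("alice:", r_alice, "rights:", effective_rights(store, "alice"))
    print("bob:", r_bob, "rights:", effective_rights(store, "bob"))
    print("carol:", r_carol, "still present:", "carol" in store.users)
    print("root:", r_root, "still present:", "root" in store.users)
```

The point to take from the run is that alice's group OA_Operators is created with an empty right set: until the engineer assigns rights to the adopted group in WinCC OA, a user who authenticates successfully through the domain still has no effective rights.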

Under Linux, PAM (Pluggable Authentication Modules) is used for authentication. PAM supports the login of the configured users from an Active Directory domain and provides backend-independent authentication through modules such as LDAP or Winbind. For how to configure the PAM library model, see the chapter Linux User Administration.

Note: Local users cannot be used with Operating System Authentication (OS Auth).
Note: Operating system changes are synchronized to WinCC OA within an hour. To synchronize changes sooner, use the config entry checkADAuthIntervall (the default synchronization interval is one hour) or restart the project.
CAUTION: To activate OS Auth when using SSA, proceed as follows:
  • Comment out the line accessControlPlugin = "AccessControlPlugin" in the project config file (so that it reads #accessControlPlugin = "AccessControlPlugin").
  • Restart the project and log in as root.
  • Open the User Management panel and switch to OS Auth.
  • You can now either perform the engineering directly, or activate the plug-in first and then perform the engineering.

The following chapters describe how to select the OS Auth. user administration, use the OS Auth. user groups, and log in to WinCC OA.