Hi,
I'm having an issue logging in using Windows user administration when the domain controller is offline. The login works when the domain is available & the user is added to the _Users dp. When the domain is not available, the login fails with the following log entries:
WCCOAui (2), 2018.01.25 12:00:30.772, SYS, INFO, 0, , UserInfo, Connect, Connect to AD failed with error code 0x8007054b
WCCOAui (2), 2018.01.25 12:00:30.778, SYS, INFO, 0, , ActiveDirectory: , The specified domain either does not exist or could not be contacted
WCCOAui (2), 2018.01.25 12:00:30.794, PARAM,INFO, 0, , Login faild: username or password wrong
Using WinCC OA 3.15 Patch 7
Thanks,
Ellen
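The log excerpt in the post above, run through a small triage script (an added example, not part of the original post and not WinCC OA code): it decodes the HRESULT 0x8007054b and correlates it with the "Login faild" line that follows, so the failure is labelled as a directory outage rather than a wrong password. The function names, the 2-second correlation window and the set of "directory unavailable" codes are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the three log lines quoted in the post above.
SAMPLE_LOG = """\
WCCOAui (2), 2018.01.25 12:00:30.772, SYS, INFO, 0, , UserInfo, Connect, Connect to AD failed with error code 0x8007054b
WCCOAui (2), 2018.01.25 12:00:30.778, SYS, INFO, 0, , ActiveDirectory: , The specified domain either does not exist or could not be contacted
WCCOAui (2), 2018.01.25 12:00:30.794, PARAM,INFO, 0, , Login faild: username or password wrong
"""

FACILITY_WIN32 = 7
# Win32 error codes that mean "directory unreachable", not "bad credentials"
# (assumed set for this example).
DIRECTORY_UNAVAILABLE = {1311: "ERROR_NO_LOGON_SERVERS", 1355: "ERROR_NO_SUCH_DOMAIN"}

LINE_RE = re.compile(r"^(?P<mgr>\S+ \(\d+\)), (?P<ts>[\d.]+ [\d:.]+), (?P<rest>.*)$")
HRESULT_RE = re.compile(r"error code (0x[0-9a-fA-F]{8})")

def decode_hresult(value):
    """Split an HRESULT into (is_failure, facility, code)."""
    return bool(value >> 31), (value >> 16) & 0x7FF, value & 0xFFFF

def classify_login_failures(log_text, window=timedelta(seconds=2)):
    """Label each 'Login faild' line by whether an AD outage preceded it."""
    last_outage = {}  # manager -> (timestamp, Win32 error name)
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y.%m.%d %H:%M:%S.%f")
        hr = HRESULT_RE.search(m["rest"])
        if hr:
            failed, facility, code = decode_hresult(int(hr.group(1), 16))
            if failed and facility == FACILITY_WIN32 and code in DIRECTORY_UNAVAILABLE:
                last_outage[m["mgr"]] = (ts, DIRECTORY_UNAVAILABLE[code])
        elif "Login faild" in m["rest"]:  # spelling as emitted in the log
            seen = last_outage.get(m["mgr"])
            if seen and ts - seen[0] <= window:
                findings.append((ts, "directory-unavailable", seen[1]))
            else:
                findings.append((ts, "credentials-rejected", None))
    return findings

if __name__ == "__main__":
    for ts, verdict, cause in classify_login_failures(SAMPLE_LOG):
        print(ts.isoformat(), verdict, cause)
```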
Windows user administration no domain
- leoknipp
- Posts:2928
- Joined: Tue Aug 24, 2010 7:28 pm
Re: Windows user administration no domain
If the domain controller is not available the login in WinCC OA is not possible by design.
Whether the user is still valid and which permissions are set cannot be read in this situation, and therefore the login is denied.
Best Regards
Leopold Knipp
Senior Support Specialist
- ewoenne
- Posts:62
- Joined: Thu May 12, 2016 10:35 am
Re: Windows user administration no domain
Thanks for the reply, the help states:
'Because of saved user data in the local WinCC OA database, the user can log into the WinCC OA system, even if the AD (Active Directory) network is not accessible. To use this functionality, the user had to be logged in at least once when the AD was accessible.'
This functionality is not available?
- schneebergera
- Posts:89
- Joined: Sun Apr 03, 2016 5:52 pm
Re: Windows user administration no domain
Hello,
seems that the 'statement' isn't correct. Due to "security reasons" this feature was improved.
Basically, WinCC_OA uses so-called "Network Management Functions" ("Windows API").
They are used for functions such as [getAllOSGroups (), getAllOSUsers (), getCurrentDomainName (), getWindowsEvents (), and verifyOSUser ()].
With active Windows user administration, a connection to the AD must exist, otherwise the integrity of the log-in user cannot be checked against the AD (verifyOSUser). In the case of loss of connection or no availability of the AD (which in any case represents an emergency case on a system), only the root user is possible.
However, the entire login functionality can be bypassed individually via HOOK functions and replaced by own checking mechanisms, if necessary.
best regards,
Andreas
- jstein
- Posts:8
- Joined: Fri Nov 19, 2010 1:48 pm
Re: Windows user administration no domain
Hi all,
that's not correct. I just tested this, and it worked fine for me.
I switched to windows user management, logged in with my AD user, logged out, cut the network connection to the AD, logged in again, and it worked.
You just get warnings in the log that the AD does not exist, but basically you can log in. I tested this with 3.15-P007.
br,
Jochen
- schneebergera
- Posts:89
- Joined: Sun Apr 03, 2016 5:52 pm
Re: Windows user administration no domain
Hello,
just to clarify ...
as already informed, the login mechanism has been changed (security enhancements) according to the active directory.
In fact, there is a task on development side because "single sign on" login is done only once even when active directory is not running.
Moreover, please refer to "oa_help" to receive more information regarding the new feature "User-defined external authentication" within 3.15.
[Special Features - Security - Authentication - User-defined external authentication]
with best regards,
Andreas