Is it really possible to use Single Sign On (SSO) for ULC UX Client?
SSO works fine for Remote project, but I can't manage to make it work for ULC UX.
ULC UX always asks me for AD credentials no matter what I try.
Probably - is it necessary to use SSA (Server Side Authentication) for SSO? Or is it totally different feature?
I also used SSA in my project with the following parameters:
[webClient]
serverSideAuth = 1
rootPanel = "vision/loginServer.pnl"
[httpServer]
uiArguments = "-p vision/loginServer.pnl -server https://SERVERNAME/ -ssa"
But it doesn't help me with SSO either.
Kind Regards,
Andrey Serov
Re: Is it really possible to use Single Sign On (SSO) for ULC UX Client?
Hi,
Maybe some restrictions are applied here:
- SSO can only be used if the client (browser) is located inside the same domain as the WinCC OA project and the HTTP server. Therefore SSO cannot be used from external networks!
- Currently a user has to be registered in the user management of the WinCC OA system before a login with the ULC UX is possible.
- Currently SSO cannot be used with the Chrome browser.
(from help)
Re: Is it really possible to use Single Sign On (SSO) for ULC UX Client?
Also, it looks like there are more steps than just -ssa:
How Single Sign-On Works
The following steps demonstrate how SSO is working for the ULC UX
1. A user accesses the web server via the web browser and automatically provides the user credentials via secure HTTPs – “negotiation” authorization.
2. The WinCC OA Web Server checks whether the user credentials are stored and authorized in the Key Distribution Service (Active Directory in case of Windows and Kerberos in case of Linux). If user is authorized the process continues from step 5 in this list.
3. If there are no credentials stored for this user or error at authorization occurs (e.g. wrong password) the user’s browser prompts a logon form and has to logon manually.
4. The User supplies credentials.
5. The WinCC OA Web Server starts the WinCC OA user interface with the provided credentials. The User Interface itself automatically tries to logon the user with the provided credentials to the WinCC OA project running on the WinCC OA server. If the login fails or the user does not exist the login panel is shown.
6. If the User’s credentials are not stored within the WinCC OA project, a WinCC OA Administrator has to add the user to the project either via
   - Login one time via native Client on the WinCC OA server in case of activated Windows authorization
   or
   - Create the user manually via WinCC OA user management.
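Steps 1 to 3 of the quoted help text describe an HTTP authentication exchange, so a header trace from the browser's developer tools shows whether SSO fails at the HTTP layer or later inside the project. The Python sketch below is an added example, not part of the thread or of WinCC OA: it assumes the "negotiation" authorization is standard HTTP Negotiate (SPNEGO), and the function names, result labels and sample headers are constructed for illustration.

```python
import base64
import binascii

KRB5_OID = bytes.fromhex("06092a864886f712010202")  # DER of 1.2.840.113554.1.2.2
NTLM_SIG = b"NTLMSSP\x00"                            # start of every NTLM message

def token_mechanism(b64_token):
    """Heuristic: which mechanism does a Negotiate token carry?"""
    try:
        raw = base64.b64decode(b64_token, validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    if NTLM_SIG in raw:
        return "ntlm"
    if KRB5_OID in raw:
        return "kerberos"
    return "unknown"

def diagnose(challenge_headers, retry_headers, final_status):
    """Classify one exchange: the server's 401 headers, the browser's retry
    headers, and the status code the retry received."""
    offered = [v.split()[0].lower() for k, v in challenge_headers
               if k.lower() == "www-authenticate" and v.split()]
    if "negotiate" not in offered:
        return "no_negotiate_offer"      # server never asked for SSO
    auth = next((v for k, v in retry_headers if k.lower() == "authorization"), "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "negotiate" or not token.strip():
        return "no_token_sent"           # browser did not answer the challenge
    mech = token_mechanism(token.strip())
    if mech != "kerberos":
        return mech + "_token"           # e.g. NTLM instead of a Kerberos ticket
    if final_status == 401:
        return "ticket_rejected"
    return "negotiate_ok"                # HTTP layer fine; look at the project side

# Constructed sample data (not captured from a real server).
KRB_TOKEN = base64.b64encode(
    bytes.fromhex("6020" "06062b0601050502") + KRB5_OID + b"constructed").decode()
NTLM_TOKEN = base64.b64encode(NTLM_SIG + b"\x01\x00\x00\x00").decode()
CHALLENGE = [("WWW-Authenticate", "Negotiate")]

if __name__ == "__main__":
    for tok in (KRB_TOKEN, NTLM_TOKEN):
        print(diagnose(CHALLENGE, [("Authorization", "Negotiate " + tok)], 200))
    print(diagnose(CHALLENGE, [], 401))
```

A `negotiate_ok` result while the login panel still appears points away from HTTP and toward the project-side prerequisites named in the thread: the user's registration in the WinCC OA user management and the workstation permissions.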
Re: Is it really possible to use Single Sign On (SSO) for ULC UX Client?
Hello, thank you for the quick reply.
Yes, every prerequisite is done (moreover, SSO already works in Remote project):
- The client (browser) is located inside the same domain as the WinCC OA project and the HTTP server.
- A user was registered in the user management of the WinCC OA system before a login with the ULC UX is possible.
- I use IE and Mozilla browsers
- First login was performed in native Client (via Remote project)
Is panel loginServer.pnl - the correct panel for SSO for ULC UX? I am asking, because there is a piece of code in loginServer.pnl:
    if(ui.isSSOEnabled())
    {
      string message = getCatStr("OaLogin", "authentication_type_invalid");
      throwError(...);
      displayFailedLogin();
      return;
    }
And I am getting this "authentication_type_invalid" message in ULC UX.
So it looks like loginServer.pnl is not designed for SSO. What panel can be used instead of loginServer.pnl?
Re: Is it really possible to use Single Sign On (SSO) for ULC UX Client?
SSA (Server Side Authentication) is not SSO (Single Sign On).
You can use them without using the other one.
Which WinCC OA version and patch level are you using?
Normally the panel vision/login.pnl is used for the login. To activate SSO for a specific client machine you have to set the Workstation permissions.
Maybe when using ULC UX the hostname must be the hostname of the server where the CTRL manager for the HTTP-server is running. The UI is started at this computer.
I did not test it, it is just an additional input from my side.
Best Regards
Leopold Knipp
Senior Support Specialist
Re: Is it really possible to use Single Sign On (SSO) for ULC UX Client?
I use 3.15 patch 10 - the latest one
Workstation permissions (32bit = 1) are set correctly.
Permissions for the user are set correctly (not a root)
HTTP-server is running on the same server where the project is running.
Concerning panel vision/login.pnl:
It has an indicator for SSO status in its code:
    bActivatedSSO = activatedSSO()
I checked its value (by DebugN):
- When I run ULC UX - it returns FALSE
- When I run Remote project - it returns TRUE - and SSO is really working for Remote project
But the function activatedSSO() is encrypted in login_internal.ctc, so I can't do any more here
Can you advise me what else I can try to understand my problem?
Re: Is it really possible to use Single Sign On (SSO) for ULC UX Client?
I had a look at the code for activatedSSO(). There is no check for the UI type in this function.
Does SSO work if you start a UI from the console or a Desktop-UI on the server machine?
Best Regards
Leopold Knipp
Senior Support Specialist
Re: Is it really possible to use Single Sign On (SSO) for ULC UX Client?
Yes, SSO works in both cases - when I start UI from the console and when I start DesktopUI.
SSO does not work only in ULC UX
Re: Is it really possible to use Single Sign On (SSO) for ULC UX Client?
I have tested it and SSO works for the ULC UX client also.
In the list of workstations you have to add the ULC UX client and configure permission bit 32. I opened the panel for the workstation configuration in the ULC UX client and added the own host by clicking at "My Screen". The hostname is written with "ulc@".
Best Regards
Leopold Knipp
Senior Support Specialist
Re: Is it really possible to use Single Sign On (SSO) for ULC UX Client?
Now it's working, thank you very much!
Kind Regards,
Andrey Serov