OS Auth - "Unable to create user"

Discussions about product bugs & problems!
Note: This is no replacement for the Official ETM Support!
eduardhc
Posts: 6
Joined: Thu Aug 20, 2020 3:40 pm

OS Auth - "Unable to create user"

Post by eduardhc »

Hello,
We are trying to figure out how to use OS Auth in our AD setup, by following the guidelines described here --> https://www.winccoa.com/documentation/W ... in-16.html. Everything seems to work until we try to log in using one of the existing AD users, as even if the system seems to correctly validate the password it then fails to log in with a popup error with the following message: "Unable to create user".

Our setup is as follows:
  • 1 Linux Samba4 AD controller.
  • 2 redundant WinCC-OA Linux servers (Oracle Linux 8), running v3.18. These two servers run all managers in redundancy, except the UI ones.
  • Several Windows 10 terminal clients using WinCC-OA DesktopUI v3.18 to connect to synoptics project.
One (maybe) important point to notice is that only Windows client terminals are handled by the AD Samba controller. Linux servers are not tied to AD and have only some local accounts for administration.

Project deployed is configured to use standard user manager (WinCC-OA accounts). Then I try to activate OS Auth in the following way:
  • Log in to a terminal client using one of the AD accounts (tried with and without administrative rights - no difference).
  • Start DesktopUI, connect to synoptics project using "root" account.
  • Go to "System Management" -> "Permission" -> "User Administration": default WinCC-OA accounts are displayed, "OS Auth" option is available in "User Administration" menu, so apparently WinCC-OA correctly detects we are on a domain-controlled PC.
  • Switch to "OS Auth" user administration and confirm all the popups.
  • In group administration, I can import some groups from the domain controller and assign them permissions. No problems so far.
  • Close the connection to synoptics and close Desktop UI.
  • Relaunch DesktopUI, now login dialog correctly displays domain name in it.
  • Try to log in using a domain account -> Fails with error popup "Unable to create user".
It's important to notice that, if I enter a wrong password the dialog correctly says "Authentication error", so it is actually validating the password via the AD controller. However, it seems to fail to create the corresponding WinCC-OA user for the domain user.

Only clue we have is the following error in the application log (client side):

WCCOAui      (7), 2021.08.04 16:56:06.606, CTRL, SEVERE,      5/ctrl, Location of the following log entry: 
    Module: PVSS
    Panel: C:\Users\jdoe\.wincc_oa-cache\MCC_Synoptics\panels\vision\login.pnl [Login]
    In reference: vision/loginFramework/login_Standard.pnl Group: 0 named: "vision/loginFramework/login_Standard.pnl"
    Script: ScopeLib
    Library: C:\Users\jdoe\.wincc_oa-cache\MCC_Synoptics\scripts\libs\classes\userManagement\UserManagement.ctl
    Line: 577
WCCOAui      (7), 2021.08.04 16:56:06.606, PARAM,SEVERE,      0, , Error creating user: Cannot get external Id for user "jdoe"
WCCOAui      (7), 2021.08.04 16:56:06.668, CTRL, SEVERE,      6/OaLogin, Unable to create user

On the server side the error is similar:

WCCOActrl    (1), 2021.08.04 16:56:06.604, CTRL, WARNING,     5/ctrl, Location of the following log entry: /opt/WinCC_OA/3.18/scripts/commandChannel.ctl    Library: /opt/WinCC_OA/3.18/scripts/libs/classes/auth/OaAuthMethodAD.ctl
    Line: 221
WCCOActrl    (1), 2021.08.04 16:56:06.604, SYS,  WARNING,    54, Unexpected state, /opt/WinCC_OA/3.18/scripts/commandChannel.ctl    Library: /opt/WinCC_OA/3.18/scripts/libs/classes/auth/OaAuthMethodAD.ctl
    Line: 221, Invalid argument (22)

Any clue about the problem? What is this "external Id" it is trying to determine?

leoknipp
Posts: 2926
Joined: Tue Aug 24, 2010 7:28 pm

Re: OS Auth - "Unable to create user"

Post by leoknipp »

Possibly the problem is that the Linux servers are not bound to the AD system.
The user/password handling when creating a user is done in a CTRL script at the server. Therefore, the WinCC OA server must have access to the AD server.

If you need further assistance please get in contact with your common WinCC OA support.

Best Regards
Leopold Knipp
Senior Support Specialist

eduardhc
Posts: 6
Joined: Thu Aug 20, 2020 3:40 pm

Re: OS Auth - "Unable to create user"

Post by eduardhc »

Hi,
Tried adding Linux servers to domain after your suggestion. Getting closer but still doesn't work ;).
Now, I'm getting the following error message in UI log:

WCCOAui      (7), 2021.08.05 12:32:35.900, CTRL, SEVERE,      5/ctrl, Location of the following log entry: 
    Module: PVSS
    Panel: C:\Users\Administrator\.wincc_oa-cache\MCC_Synoptics\panels\vision\login.pnl [Login]
    In reference: vision/loginFramework/login_Standard.pnl Group: 0 named: "vision/loginFramework/login_Standard.pnl"
    Script: ScopeLib
    Library: C:\Users\Administrator\.wincc_oa-cache\MCC_Synoptics\scripts\libs\classes\userManagement\UserManagement.ctl
    Line: 577
WCCOAui      (7), 2021.08.05 12:32:35.900, PARAM,SEVERE,      0, , External Id does not match for user jdoe

In order to be able to reach this point I also had to set use_fully_qualified_names = False in /etc/sssd/sssd.conf, else it still couldn't get this infamous "external ID" that seems to be responsible for the problem.

Now it's apparently getting it, but for some unknown reason it is not what it should be. Any clues...?

Kind regards, and thank you for your support.
Eduard

leoknipp
Posts: 2926
Joined: Tue Aug 24, 2010 7:28 pm

Re: OS Auth - "Unable to create user"

Post by leoknipp »

If you need further assistance please get in contact with your common WinCC OA support.
They can do detailed analysis on this issue.

Does it work when you start a UI on the Linux server and you try to logon with a new user?

Best Regards
Leopold Knipp
Senior Support Specialist
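
Added example, not part of the original thread and not WinCC OA code: a small Python parser for the log format shown in the excerpts above that folds indented continuation lines into their entry and pulls out the two "external Id" failures per user. The field layout is inferred only from the quoted lines, and the function names and stage labels (`lookup-failed`, `id-mismatch`) are this example's own.

```python
import re
from datetime import datetime

# Header: manager (num), timestamp, type, severity, code, message
HEADER = re.compile(
    r'^(?P<manager>WCCOA\w+)\s*\((?P<num>\d+)\),\s*'
    r'(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}\.\d{3}),\s*'
    r'(?P<type>\w+),\s*(?P<severity>\w+),\s*(?P<code>[^,]*),\s*(?P<msg>.*)$')

# The two messages quoted in the thread; stage labels are this example's own.
STAGES = [
    (re.compile(r'Cannot get external Id for user "?(?P<user>[^"\s]+)'), "lookup-failed"),
    (re.compile(r'External Id does not match for user "?(?P<user>[^"\s]+)'), "id-mismatch"),
]

# Log lines copied (shortened) from the thread's UI excerpts.
SAMPLE = '''\
WCCOAui      (7), 2021.08.04 16:56:06.606, CTRL, SEVERE,      5/ctrl, Location of the following log entry:
    Script: ScopeLib
    Line: 577
WCCOAui      (7), 2021.08.04 16:56:06.606, PARAM,SEVERE,      0, , Error creating user: Cannot get external Id for user "jdoe"
WCCOAui      (7), 2021.08.05 12:32:35.900, PARAM,SEVERE,      0, , External Id does not match for user jdoe
'''

def parse_log(text):
    """Return one dict per log entry; indented lines are folded into 'detail'."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entry = m.groupdict()
            entry["ts"] = datetime.strptime(entry["ts"], "%Y.%m.%d %H:%M:%S.%f")
            entry["code"] = entry["code"].strip()
            entry["detail"] = []
            entries.append(entry)
        elif line.strip() and entries:
            entries[-1]["detail"].append(line.strip())
    return entries

def external_id_failures(text):
    """List (timestamp, manager, user, stage) for each external-Id failure."""
    found = []
    for entry in parse_log(text):
        for pattern, stage in STAGES:
            m = pattern.search(entry["msg"])
            if m:
                found.append((entry["ts"], entry["manager"], m.group("user"), stage))
    return found
```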
