Windows AD Authentication - User Names with Spaces
WinCC OA AD authentication does not like this, because OA usernames do not support spaces.
So I have tried implementing UserDefined authentication to bridge the gap between these, and have got nearly everything working. The only thing that does not work is:
- if the user changes their password on the AD domain, then the user is unable to log on to WinCC OA any longer
To recover from this, I have to go in with PARA and poke the _Users datapoint so that WinCC OA does not recognise that user any more. Then, next time they log in, a new OA user is created for them.
Can anyone help me with this?
The mechanism I use is to ask the users to log in with underscore characters instead of spaces in their username (e.g. John_Smith), so WinCC OA has usernames without spaces.
I have inherited my UserDefined authentication class from the WinCC OA AD authentication class (OaAuthMethodAD). As far as possible, I try to call the function provided by that class. For instance, in my implementation of CheckUserPassword, I replace underscores in the username with spaces, and then call the OaAuthMethodAD implementation of CheckUserPassword. This successfully authenticates the username (which now includes spaces) against Active Directory. Active Directory group membership then successfully determines the privileges that the user has on the WinCC OA system.
But if the user changes their password on Active Directory, the user cannot then log on to WinCC OA. I can see that CheckUserPassword is correctly authenticating the user and their new password. My OaAuthMethodUserdefined::mustCreateUser function is then called, and I call OaAuthMethodAD::mustCreateUser. Curiously, this returns TRUE, although the user (john_smith) exists in WinCC OA. (Actually, the TRUE return happens whether the password has been changed or not). So I have to work out whether the user already exists and change the return to FALSE - otherwise I get the error message that the user cannot be created.
I can also see a call to OaAuthMethodUserdefined::getExternalIdForOSUser function, with a blank username. There is no problem with this, it seems to happen quite often and returns the SID for the Windows logged on user (not necessarily John Smith).
Then the login dialog displays an "Authentication error" popup. This is before any functions of UpdateUserGroups.ctl activate. I have seen that there are functions here that are triggered following a successful user logon.
There is no problem for users that do not have spaces in their name (e.g. JohnS). They can change their AD password, and can still log in to WinCC OA afterwards. I can see the _Users.Password datapoint element changing as their encrypted password is updated.
Can anyone help with this? Is there some further function that I need to override in my UserDefined class? Or adapt / modify other functions? At present, there no changes other than to the UserDefined authentication class.