Unknown workstation error
Posted: Mon Aug 05, 2024 4:16 am
We are running WinCC OA 3.18 Patch 24 on RHEL 8.8 with 'OS Auth' for User Administration.
Our world-readable /etc/pam.d/wincc_oa file contains the following entries as per the documentation (https://www.winccoa.com/documentation/W ... linux.html):
Code:
auth include password-auth
account include password-auth
password include system-auth
session include system-auth
We have also done the following as per the IMPORTANT note:
When using OS Authentication on Linux it is necessary to enable the user enumeration. Under RHEL this can be done by setting the line enumerate = True within the file /etc/sssd/sssd.conf.
When changing a user's password on the authentication server, the new user credentials allow us to log in to the host operating system. However, when logging in to WinCC OA, a Warning dialog box stating "Unknown workstation error" is shown. If we check the authentication server (Kerberos), it shows a successful authentication was made, but it is WinCC OA that is not letting the user in. The log viewer contains the following messages when the dialog appears:
Code:
WCCOAui (19), 2024.08.05 11:43:14.339, CTRL, SEVERE, 5/ctrl, Location of the following log entry:
Module: Vision_1
Panel: /home/Projects/MTLIB/panels/vision/login.pnl [Login]
In reference: vision/loginFramework/login_Standard.pnl Group: 0 named: "vision/loginFramework/login_Standard.pnl"
Script: ScopeLib
Library: /opt/WinCC_OA/3.18/scripts/libs/classes/userManagement/UserManagement.ctl
Line: 603
WCCOAui (19), 2024.08.05 11:43:14.339, PARAM,SEVERE, 0, , No permission to change password
WCCOAui (19), 2024.08.05 11:43:14.348, CTRL, SEVERE, 1/OaLogin, Unknown workstation error
This has only just started to occur, so we're not sure what could be causing it, as we haven't changed WinCC OA version or patch recently. We are, however, hardening our system according to cyber security requirements, so this may be the cause. However, as the authentication server is authenticating the login and it's just WinCC OA that is not letting the user in because it has 'No permission to change password', I feel the issue is within WinCC OA or maybe some specific file permissions it needs.
Is anyone able to assist with some more detail about the specific config, files and their permission requirements in association with running WinCC OA with 'OS Auth'? (further to those seen in the documentation, e.g. world-readable pam.d file and sssd enumerate=true config)
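Added example, not part of the original post or the WinCC OA documentation: a shell check for the two prerequisites the post quotes (a world-readable PAM service file with all four entry types, and enumerate = True in sssd.conf), useful for confirming that a hardening pass has not reverted them. The function names and script name are hypothetical, and the check assumes enumerate is set in a [domain/...] section, where sssd.conf(5) documents it.

```shell
#!/bin/sh
# Added example (not from the post or the WinCC OA documentation).
# Checks only the two OS Auth prerequisites the post quotes.

# check_pam_service FILE: succeeds if FILE is world-readable and has an entry
# for each of the four PAM management groups (auth, account, password, session).
check_pam_service() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    # -perm -004 tests the "other: read" mode bit itself, so the result is the
    # same when the check is run as root.
    [ -n "$(find "$f" -prune -perm -004)" ] || { echo "$f is not world-readable"; return 1; }
    for t in auth account password session; do
        grep -Eq "^[[:space:]]*-?${t}[[:space:]]+[^[:space:]]+[[:space:]]+[^[:space:]]+" "$f" ||
            { echo "$f: no '$t' entry"; return 1; }
    done
}

# check_sssd_enumerate FILE: succeeds if a [domain/...] section sets
# enumerate to true (assumption: the option lives in a domain section).
check_sssd_enumerate() {
    awk '
        /^[ \t]*\[/ { in_dom = ($0 ~ /^[ \t]*\[domain\//); next }
        in_dom && /^[ \t]*enumerate[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (tolower(val) == "true") found = 1
        }
        END { exit !found }
    ' "$1" || { echo "$1: enumerate is not true in any [domain/...] section"; return 1; }
}

# Usage: sh check_osauth.sh --run [pam_file] [sssd_conf]  (script name is hypothetical)
if [ "${1:-}" = "--run" ]; then
    check_pam_service "${2:-/etc/pam.d/wincc_oa}" &&
        check_sssd_enumerate "${3:-/etc/sssd/sssd.conf}" &&
        echo "OS Auth prerequisites from the post are in place"
fi
```

Reading /etc/sssd/sssd.conf normally requires root, so run the sssd check with sufficient privileges or against a copy.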