FactoryTalk View Machine Edition 8.xx and later Domain Authentication Support
Answer
Environment
PanelView Plus 6
PanelView Plus 7
FactoryTalk View Machine Edition version 8.00 introduced the ability to authenticate Windows Linked users that reside in Server 2008 and 2012 domains. A Windows Linked user account resides in a sub-network that contains the security database. This sub-network is called a domain. Using Windows Linked accounts means the same account can be used to log into a Windows computer or a FactoryTalk View Machine Edition application running on a PanelView Plus terminal.
Note: When creating Group names in the domain, the Group name (CN) must match the Pre-Windows 2000 Group name (samAccountName). The CN has a limit of 64 characters. The samAccountName does not support these characters: " / \ [ ] : ; = , + * ? < >
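The group-name constraints above are easy to get wrong when groups are created in bulk, so here is a small pre-check that can be run on the engineering PC before the groups are used by the HMI project. This is an added example, not part of the Rockwell article or the product; the group names in it are hypothetical.

```python
# Added example, not part of the Rockwell article: pre-check Active Directory group
# names against the naming limits the article states before creating them.

CN_MAX_LEN = 64
# Characters the article lists as unsupported in the Pre-Windows 2000 name.
FORBIDDEN_SAM_CHARS = set('"/\\[]:;=,+*?<>')


def check_group_name(cn, sam_account_name):
    """Return the list of problems with a CN / samAccountName pair (empty list = OK)."""
    problems = []
    if len(cn) > CN_MAX_LEN:
        problems.append(f"CN is {len(cn)} characters, limit is {CN_MAX_LEN}")
    bad = sorted(set(sam_account_name) & FORBIDDEN_SAM_CHARS)
    if bad:
        problems.append("samAccountName contains unsupported characters: " + " ".join(bad))
    if cn != sam_account_name:
        problems.append("CN and samAccountName differ; the terminal needs them to match")
    return problems


def audit_groups(groups):
    """groups: iterable of (cn, samAccountName). Returns {cn: [problems]} for failing groups only."""
    return {cn: p for cn, sam in groups if (p := check_group_name(cn, sam))}


if __name__ == "__main__":
    # Constructed sample groups (hypothetical names, not from the article).
    SAMPLE_GROUPS = [
        ("HMI_Operators", "HMI_Operators"),                 # acceptable
        ("HMI Operators/Line1", "HMI Operators/Line1"),     # '/' is unsupported
        ("HMI_Maintenance", "HMIMAINT"),                    # CN and pre-2000 name differ
        ("X" * 70, "X" * 70),                               # CN too long
    ]
    for cn, problems in audit_groups(SAMPLE_GROUPS).items():
        print(cn[:40] + ":")
        for p in problems:
            print("   -", p)
```

Run it against the list of groups you intend to create; anything it reports will fail to match on the terminal even though Active Directory itself accepts the name.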
The PanelView Plus terminal uses LDAP (Lightweight Directory Access Protocol) to verify the user name and password against the Windows Domain. By default, LDAP communications between client and server applications are not encrypted, so anyone with a network monitoring device or software on the path between the PanelView Plus terminal and the Domain Controller can read them, including the user name and password. Optionally, a secure link to the Domain Controller can be established using SSL (Secure Socket Layer) on port 636, which encrypts the user name and password in transit.
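To make the risk in the previous paragraph concrete for whoever reviews network captures from the HMI segment, the following added example (not from the Rockwell article or the product) builds a sample LDAPv3 simple BindRequest the way any LDAP client would, then decodes it to show that on the default port 389 the bind name and password are plain octet strings, and flags such binds in a constructed capture. Terminal names, the domain LINE1 and the password are all constructed; nothing is read from a real network.

```python
# Added example, not part of the Rockwell article: decoder for LDAP simple binds that shows
# why the default (non-SSL) LDAP setting exposes credentials to anyone monitoring the wire,
# plus a scan routine that flags such binds without ever printing the password itself.

LDAP_PORT = 389          # default non-SSL LDAP port from the article
LDAPS_PORT = 636         # default LDAP over SSL port from the article
BIND_REQUEST_TAG = 0x60  # [APPLICATION 0] BindRequest
SIMPLE_AUTH_TAG = 0x80   # [0] simple password, sent as a plain OCTET STRING


def _ber_len(n):
    """BER definite-form length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _ber_len(len(content)) + content


def build_simple_bind(message_id, name, password):
    """Encode an LDAPv3 BindRequest with simple authentication (message_id below 128)."""
    bind = _tlv(0x02, b"\x03") + _tlv(0x04, name.encode()) + _tlv(SIMPLE_AUTH_TAG, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(BIND_REQUEST_TAG, bind))


def _read_tlv(buf, pos):
    """Decode one tag/length/value at pos; return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def inspect_ldap_message(payload):
    """Return a finding dict for a BindRequest, or None for any other LDAP message.
    The password is never returned, only how many bytes of it were readable."""
    tag, body, _ = _read_tlv(payload, 0)
    if tag != 0x30:
        return None
    tag, _, pos = _read_tlv(body, 0)          # messageID
    if tag != 0x02:
        return None
    tag, op, _ = _read_tlv(body, pos)
    if tag != BIND_REQUEST_TAG:
        return None
    _, version, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    auth_tag, auth, _ = _read_tlv(op, pos)
    simple = auth_tag == SIMPLE_AUTH_TAG
    return {
        "ldap_version": version[0],
        "bind_name": name.decode(errors="replace"),
        "simple_auth": simple,
        "cleartext_password_bytes": len(auth) if simple else 0,
    }


def scan_capture(packets):
    """packets: iterable of (src, dst_port, payload). Alerts on cleartext simple binds
    toward port 389; LDAPS traffic on 636 is TLS records and carries no readable bind."""
    alerts = []
    for src, dst_port, payload in packets:
        if dst_port != LDAP_PORT:
            continue
        try:
            finding = inspect_ldap_message(payload)
        except IndexError:                    # truncated or non-LDAP payload
            continue
        if finding and finding["simple_auth"]:
            alerts.append(f"{src}: cleartext LDAP bind as {finding['bind_name']} "
                          f"({finding['cleartext_password_bytes']} password bytes on the wire)")
    return alerts


if __name__ == "__main__":
    # Constructed capture: one terminal on plain LDAP, one on LDAPS (opaque TLS bytes).
    CAPTURE = [
        ("panelview-line1", LDAP_PORT, build_simple_bind(1, "LINE1\\operator", "constructed-password")),
        ("panelview-line2", LDAPS_PORT, b"\x16\x03\x03\x00\x2f" + b"\x00" * 47),  # TLS record stub
    ]
    for line in scan_capture(CAPTURE):
        print(line)
```

The same decoder can be pointed at real LDAP payloads extracted from a capture on the HMI VLAN; any alert it raises is a terminal still running one of the two non-SSL authentication modes.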
Enter the IP address of the DNS server for the facility in which the PanelView Plus terminals are located - Primary DNS and Secondary DNS (if applicable). The DNS server resolves the name of the domain that the PanelView Plus terminals are authenticating to.
Note: Screenshots are from a PanelView Plus with the 8.10 firmware version, and do not match the 8.00 firmware exactly.
1. From the Configuration Screen, navigate to Terminal Settings-->Networks and Communications-->Network Connections-->Network Adapters-->Name Servers.
2. LDAP configuration has been added to the PanelView Plus terminal, allowing you to select between LDAP or LDAP over SSL. From the Configuration Screen, navigate to Terminal Settings-->Networks and Communications-->LDAP Configuration, and tap Enter.
By default, Use Windows and LDAP only authentication is selected. This option allows backward-compatible domain authentication with Server 2003 style and newer Server 2008 / 2012 LDAP. In either case SSL (Secure Socket Layer) is not used. SSL is a method of securing LDAP communications so that unauthorized users on the network cannot read the credentials used to access the domain.
Note: This new option will be shown for the latest version 8.10 firmware or later.
3. If you are not using Server 2003 authentication and not using SSL, click the Authentication Mode button to select Use LDAP only authentication, then click the DNS-Style Domain Name button to open the alphanumeric keypad and enter the Domain Name.
Note: The default port number for non-SSL LDAP is 389 - no need to change it.
Note: Enter the specific domain path name in which the HMI project's users reside. The PanelView Plus LDAP authentication only supports one domain. See QA21732 - LDAP domain authentication in FactoryTalk View Machine Edition version 8.x only supports one child domain for more information.
4. Reboot the terminal to apply the LDAP settings.
The following instructions show how to configure the terminal to use LDAP over SSL.
1. Click the Authentication Mode button so that Use LDAP over SSL authentication is selected.
2. Click the Server FQDN button to open the alphanumeric keypad and enter the Fully Qualified Domain Name - the full computer name of the server hosting the Domain.
Note: The default port number for LDAP over SSL is 636 - no need to change it.
In order to perform SSL authentication, the Domain Certificate from the server must be acquired and imported into the PanelView Plus terminal.
A utility included in FactoryTalk View Machine Edition version 8.00 can be used to obtain this certificate. In order to obtain the correct certificate, this utility must be run from a PC that is connected to the domain you entered on the PanelView Plus terminal - the domain the PanelView Plus terminal is authenticating to. The certificate could also be copied from the domain directly by physically accessing the Domain Controller.
1. To retrieve the certificate, in FactoryTalk View Studio click Tools from the Menu bar and then select Domain Certificate.
2. Once the utility launches, click Save to save the certificate locally to your PC in the default location shown. You can save the certificate to another location on your PC by clicking the browse button (...) and choosing an alternate location.
3. Next, move or copy the certificate to a USB flash drive.
4. Import the certificate onto the PanelView Plus terminal.
1. Open the Certificates applet found in the PanelView Plus Control Panel.
2. Import the certificate under the Trusted Authorities store.
5. Finally, reboot the terminal to apply the LDAP settings.
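Before the terminal is rebooted it is worth confirming, from an engineering PC on the same network, that the Server FQDN entered above resolves and that the Domain Controller presents a certificate on port 636 that chains to the Domain Certificate just exported. The following added example (not from the Rockwell article, FactoryTalk View Studio or the terminal firmware) performs that handshake with the Python standard library and maps the usual failures back to the terminal settings described in this article. It assumes the exported certificate is available in PEM form (a DER .cer file can be converted with openssl x509 -inform der first); the host name dc01.example.local and the file name DomainCertificate.cer are placeholders.

```python
# Added example, not part of the Rockwell article: check from an engineering PC that the
# Domain Controller named as Server FQDN offers LDAP over SSL with a certificate that chains
# to the exported Domain Certificate, and translate failures into the terminal setting at fault.
import hashlib
import socket
import ssl

LDAP_PORT = 389
LDAPS_PORT = 636

# Authentication Mode values from the article -> (port, Domain Certificate import required)
AUTH_MODES = {
    "Use Windows and LDAP only authentication": (LDAP_PORT, False),
    "Use LDAP only authentication": (LDAP_PORT, False),
    "Use LDAP over SSL authentication": (LDAPS_PORT, True),
}


def endpoint_for_mode(mode):
    """Return (port, needs_domain_certificate) for a terminal Authentication Mode."""
    return AUTH_MODES[mode]


def ldaps_context(ca_file):
    """TLS client context that trusts only the exported Domain Certificate (PEM),
    mirroring what the terminal trusts after the Trusted Authorities import."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED + hostname check by default
    ctx.load_verify_locations(cafile=ca_file)
    return ctx


def check_ldaps(server_fqdn, ca_file, port=LDAPS_PORT, timeout=5.0):
    """Complete a TLS handshake with the DC and return details of the certificate it presented."""
    ctx = ldaps_context(ca_file)
    with socket.create_connection((server_fqdn, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_fqdn) as tls:
            der = tls.getpeercert(binary_form=True)
            cert = tls.getpeercert()
            return {
                "tls_version": tls.version(),
                "subject": dict(item for rdn in cert.get("subject", ()) for item in rdn),
                "not_after": cert.get("notAfter"),
                "sha256": hashlib.sha256(der).hexdigest(),
            }


def triage(exc):
    """Map a check_ldaps failure to the terminal setting most likely at fault.
    Order matters: the ssl and socket errors are all OSError subclasses."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return ("certificate not trusted: re-run Tools > Domain Certificate on a domain-joined PC "
                "and import the result under Trusted Authorities")
    if isinstance(exc, ssl.SSLError):
        return "TLS handshake failed: the server is not offering LDAP over SSL on this port"
    if isinstance(exc, socket.gaierror):
        return "Server FQDN does not resolve: check Primary/Secondary DNS under Name Servers"
    if isinstance(exc, (TimeoutError, ConnectionRefusedError)):
        return "no connection: check Server FQDN, port 636 and the firewall path to the Domain Controller"
    return "unexpected error: " + repr(exc)


if __name__ == "__main__":
    import sys
    # Placeholder host and file name; pass real values as arguments.
    fqdn, ca = sys.argv[1:3] if len(sys.argv) >= 3 else ("dc01.example.local", "DomainCertificate.cer")
    try:
        print(check_ldaps(fqdn, ca))
    except Exception as exc:      # broad on purpose: triage() classifies it
        print(triage(exc))
```

A successful run prints the certificate subject, expiry and SHA-256 fingerprint; record the fingerprint so the certificate imported on each terminal can be compared against it when the Domain Certificate is renewed.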
Logging in with FactoryTalk View ME
In order for the PanelView Plus to authenticate Windows Linked Users you must use "domain_name\user_name" in the User Name field. This is how FactoryTalk View ME knows whether you want to log in with Windows Linked Users or with FactoryTalk Local Users.
It is advisable to enable the Domain name field in the Login button. This makes logging in easier for operators, as they will not need to keep entering the domain name in the User Name field.
After enabling it, it will look like the screenshot below when the Login button is pressed: