The following scenarios show how a user will be allowed to negotiate access to a CitectSCADA runtime system in various situations when using Windows groups and CitectSCADA roles.
Local User Login
When authenticating Windows users, if the Role|Group Name does not contain a domain path, then any domain will be used to authenticate. Therefore, specify a domain.
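One way to check a project for the unqualified group names described above, as an added example that is not part of the CitectSCADA documentation or product. The CSV layout, its column names (`role_name`, `windows_group`) and the `DOMAIN\Group` form of a domain path are assumptions made for this example.

```python
import csv
import io

# Constructed sample export of role definitions (not a real CitectSCADA file).
# Column names are hypothetical and chosen for this example only.
SAMPLE_ROLES_CSV = """role_name,windows_group
Operators,PLANT\\SCADA_Operators
Engineers,SCADA_Engineers
Supervisors,\\SCADA_Supervisors
Maintenance, CORP\\Maint 
LocalOnly,
"""


def split_group(name):
    """Split an assumed 'DOMAIN\\Group' value into (domain, group).

    The domain is '' when the value carries no domain part.
    """
    name = name.strip()
    domain, sep, group = name.rpartition("\\")
    if not sep:
        return "", name
    return domain.strip("\\"), group


def audit_roles(csv_text):
    """Return (role, group value, reason) for each entry that needs review."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        role = row["role_name"].strip()
        raw = (row["windows_group"] or "").strip()
        if not raw:
            continue  # role is not linked to a Windows group
        domain, group = split_group(raw)
        if not group:
            findings.append((role, raw, "no group name after the domain"))
        elif not domain:
            findings.append((role, raw, "no domain given: any domain will be used"))
    return findings


if __name__ == "__main__":
    for role, raw, reason in audit_roles(SAMPLE_ROLES_CSV):
        print(f"{role}: {raw!r} -> {reason}")
```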
Domain Login
When authenticating Windows users and the Role|Group Name contains a domain name, Windows will attempt to authenticate the Windows domain users and user groups. If the domain controllers are unavailable, then cached credentials and Citect group names will be used if available.
Note: Cached credentials are not supported on the Web Client. Windows 2000 will only utilize cached credentials if the user is logged on with SE_TCB_NAME privilege.
Local Client Authentication
When a CitectSCADA Windows login is performed on a Control Client or View-only Client that is part of a domain, the client itself is responsible for authenticating with the domain. The CitectSCADA server only verifies the account exists – it does not perform the authentication.
Remote Client Authentication
When a CitectSCADA Windows login is performed on a remote client that is part of a domain, or a trusted domain, the client itself is responsible for authenticating with the domain. The CitectSCADA server only verifies the account exists – it does not perform the authentication. Essentially this mechanism is the same as a local client authentication.
Web Client Authentication
When a CitectSCADA Windows login is performed on a web client that is not a member of the configured domain, the server is responsible for authenticating the user on the domain. No local Windows authentication occurs on the web client machine. No auto-login can occur in this situation.
Multiple Domain Authentication
When a CitectSCADA Windows login is performed on a Control Client or View-only Client that is part of a domain, the client itself is responsible for authenticating with the domain. When that client has access to CitectSCADA servers on more than one domain, it is possible that the client will only be authenticated on one of the domains.
CtAPI Authentication
In this release CtAPI does not support operations with Windows security.