Using CitectSCADA > Securing Projects > Using CitectSCADA with Windows Security > Scenarios and Usage

Scenarios and Usage

The following scenarios show how a user will be allowed to negotiate access to a CitectSCADA runtime system in various situations when using Windows groups and CitectSCADA roles.

Local User Login

When authenticating Windows users, if the Role|Group Name does not contain a domain path, then any domain will be used to authenticate. Therefore, specify a domain.

Domain Login

When authenticating Windows users and the Role|Group Name contains a domain name, windows will attempt to authenticate the Windows domain users and user groups. If the domain controllers are unavailable, then cached credentials and Citect group names will be used if available.

Note: Cached credentials are not supported on the Web Client.
Windows 2000 will only utilize cached credentials if the user is logged on with SE_TCB_NAME privilege.

Local Client Authentication

When a CitectSCADA Windows login is performed on a Control Client or View-only Client that is part of a domain, the client itself is responsible for authenticating with the domain. The CitectSCADA server only verifies the account exists – it does not perform the authentication.

Remote Client Authentication

When a CitectSCADA Windows login is performed on a remote client that is part of a domain, or a trusted domain, the client itself is responsible for authenticating with the domain. The CitectSCADA server only verifies the account exists – it does not perform the authentication. Essentially this mechanism is the same as a local client authentication.

Web Client Authentication

When a CitectSCADA Windows login is performed on a web client that is not a member of the configured domain, the server is responsible for authenticating the user on the domain. No local Windows authentication occurs on the web client machine. No auto-login can occur in this situation.

Multiple Domain Authentication

When a CitectSCADA Windows login is performed on a Control Client or View-only Client that is part of a domain, the client itself is responsible for authenticating with the domain. When that client has access to CitectSCADA servers on more than one domain, it is possible that the client will only be authenticated on one of the domains.

CtAPI Authentication

In this release CtAPI does not support operations with Windows security.