Autologin Configuration Checklist

CIMPLICITY supports Windows Autologin functionality to connect to the Proficy Authentication server in a domain-based environment. Use this topic as a checklist for how the Autologin feature in CIMPLICITY works. For more detailed information on Proficy Authentication, it is recommended that you read the Proficy Authentication help at https://www.ge.com/digital/documentation/uaa/version2023/index.html.

Proficy Authentication uses the Kerberos authentication protocol to authenticate Windows users. Because Kerberos authentication works only in a domain-based environment, you need at least three nodes to deploy and configure Autologin. The following image is an example of a typical configuration.
The following table lists the configuration that must be performed to get the Autologin functionality working:
Node Configuration Description
Node: CIMPLICITY Nodes
Configuration: Configure Security Policy
Ensure that the correct encryption types for Kerberos authentication are selected.
  1. To access Local Security Policy, enter secpol.msc in the Windows Run dialog and select OK.
  2. Navigate to Security Settings > Local Policies > Security Options.
  3. Double-click and open the Network security: Configure encryption types allowed for Kerberos security policy setting.
  4. Select the valid encryption types that you want to use. Ensure that the selection is the same across all the nodes.

Encryption types allowed for Kerberos: AES256_HMAC_SHA1

Configuration: Configure Proficy Authentication on CIMPLICITY server.
Note:
  • Ensure that the fully qualified domain name is specified in the Proficy Authentication server configuration.
  • Ensure that the required security groups are published.
Node: Domain Controller
Configuration: Configure Security Policy
Ensure that the correct encryption types for Kerberos authentication are selected.
  1. To access Local Security Policy, enter secpol.msc in the Windows Run dialog and select OK.
  2. Navigate to Security Settings > Local Policies > Security Options.
  3. Double-click and open the Network security: Configure encryption types allowed for Kerberos security policy setting.
  4. Select the valid encryption types that you want to use. Ensure that the selection is the same across all the nodes.
Configuration: Create Service Principal Name
Before you begin, ensure that you have performed the following:
  • Created a dummy user account on the Active Directory Server node to represent the Proficy Authentication application in the active directory registry.
  • Configured Security Policy.
To perform this task, you must be an administrator.
  1. Log in to your Active Directory machine.
  2. Open the Windows Command Prompt application.
  3. Run the following command, replacing the placeholders with the appropriate values:
     setspn -S HTTP/<FQDN> <user account>

<FQDN>: Fully Qualified Domain Name (FQDN) of the server on which the Proficy Authentication service is running.

<user account>: Dedicated user account created for the Proficy Authentication service.

Configuration: Generate Keytab File
Before you begin, ensure that you have performed the following:
  • Created Service Principal.
To perform this task, you must be an administrator.
  1. Log in to your system and open the Windows Command Prompt application.
  2. Run the following command, replacing the placeholders with the appropriate values:
     ktpass -out <filename> -princ HTTP/<service principal name> -mapUser <user account> -mapOp set -pass <password> -crypto AES256-SHA1 -pType KRB5_NT_PRINCIPAL
To verify that the service principal is mapped to the dummy account and that a keytab is created:
  1. Go to Active Directory Users and Computers > Users.
  2. Access the properties of the user account for which you created the keytab file.
  3. On the Account tab, verify that User logon name points to your service principal name.
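The same verification can be scripted on the domain controller. This is an added example, not part of the vendor documentation: the account name and FQDN are placeholders, the function name is hypothetical, and the duplicate-SPN and AES256 account-flag checks go beyond the steps listed above.

```powershell
# Added example (not vendor code): verify the SPN and keytab mapping.
# Requires the ActiveDirectory module (RSAT). Values below are placeholders.
Import-Module ActiveDirectory

$Fqdn    = 'uaa-server.example.com'   # placeholder: FQDN of the Proficy Authentication server
$Account = 'svc-proficy-auth'         # placeholder: dedicated user account
$Spn     = "HTTP/$Fqdn"

function Test-ProficySpnMapping {
    param([string]$Spn, [string]$Account)

    $user = Get-ADUser -Identity $Account -Properties `
        servicePrincipalName, userPrincipalName, 'msDS-SupportedEncryptionTypes'

    # Every directory object that carries this SPN. Kerberos needs exactly one owner.
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)")

    # Account-level encryption types; $null (attribute not set) becomes 0.
    $encTypes = [int]($user.'msDS-SupportedEncryptionTypes')

    [pscustomobject]@{
        Account         = $user.SamAccountName
        AccountEnabled  = $user.Enabled
        SpnOnAccount    = @($user.servicePrincipalName) -contains $Spn
        SpnOwnerCount   = $owners.Count
        SpnOwners       = $owners.DistinguishedName
        # ktpass -mapUser rewrites the user logon name (UPN) to the principal.
        UpnMatchesSpn   = $user.UserPrincipalName -like "$Spn*"
        # 0x10 = AES256_HMAC_SHA1, the type requested with -crypto AES256-SHA1.
        Aes256OnAccount = [bool]($encTypes -band 0x10)
    }
}

$result = Test-ProficySpnMapping -Spn $Spn -Account $Account
$result | Format-List
if ($result.SpnOwnerCount -ne 1) {
    Write-Warning "$Spn is registered on $($result.SpnOwnerCount) objects; expected exactly 1."
}
```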
Node: Proficy Authentication Server
Configuration: Configure Security Profile
Ensure that the correct encryption types for Kerberos authentication are selected.
  1. To access Local Security Policy, enter secpol.msc in the Windows Run dialog and select OK.
  2. Navigate to Security Settings > Local Policies > Security Options.
  3. Double-click and open the Network security: Configure encryption types allowed for Kerberos security policy setting.
  4. Select the valid encryption types that you want to use. Ensure that the selection is the same across all the nodes.
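One way to confirm that the encryption-type selection matches on the CIMPLICITY nodes, the domain controller and the Proficy Authentication server is to read the registry value behind this policy setting on each node and compare the results. This is an added example, not part of the vendor documentation; the function name is hypothetical, and the required type is taken from the -crypto AES256-SHA1 option of the ktpass command on this page.

```powershell
# Added example (not vendor code): decode the local node's Kerberos
# encryption-type policy. Run it on each node and compare the output.
$RequiredType = 'AES256_HMAC_SHA1'   # type used by "-crypto AES256-SHA1" in the ktpass step

# Bit flags stored in the policy's SupportedEncryptionTypes registry value.
$EncTypeFlags = [ordered]@{
    DES_CBC_CRC      = 0x1
    DES_CBC_MD5      = 0x2
    RC4_HMAC_MD5     = 0x4
    AES128_HMAC_SHA1 = 0x8
    AES256_HMAC_SHA1 = 0x10
}
$FutureTypesMask = 0x7FFFFFE0        # "Future encryption types" check box

function Get-KerberosEncTypePolicy {
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
    $item = Get-ItemProperty -Path $key -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        # Value absent: the policy is "Not Defined" and operating system defaults apply.
        return [pscustomobject]@{
            Node = $env:COMPUTERNAME; Configured = $false; Raw = $null
            Types = @(); HasRequired = $false
        }
    }

    $raw   = [int64]$item.SupportedEncryptionTypes
    $types = @($EncTypeFlags.Keys | Where-Object { $raw -band $EncTypeFlags[$_] })
    if ($raw -band $FutureTypesMask) { $types += 'Future encryption types' }

    [pscustomobject]@{
        Node        = $env:COMPUTERNAME
        Configured  = $true
        Raw         = '0x{0:X}' -f $raw
        Types       = $types
        HasRequired = $types -contains $RequiredType
    }
}

$policy = Get-KerberosEncTypePolicy
$policy | Format-List
if (-not $policy.HasRequired) {
    Write-Warning "$($policy.Node): $RequiredType is not selected in the Kerberos encryption-type policy."
}
```

The Raw value should be identical on all nodes; a node that reports Configured as False has the policy left at Not Defined.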
Configuration: Configure Proficy Authentication Services
Before you begin, ensure that you have performed the following:
  • Generated keytab file.
  • Copied the keytab file from the Active Directory server, and pasted it anywhere on the Proficy Authentication machine.
  • Noted the keytab file location on the Proficy Authentication machine.
To perform this task, you must be an administrator:
  1. Log in to the machine where Proficy Authentication is installed.
  2. Access the uaa.yml file. The file is located at C:\ProgramData\GE\Operations Hub\uaa-config\uaa.yml
  3. To modify, open uaa.yml in any text editor.
  4. Search for kerberos and enter values for the following keys: service-principal and keytab-location.
  5. Save and close the modified file.
  6. Restart the GE Proficy Authentication Tomcat Web Server service.
    1. Access the Windows Run dialog.
    2. Enter services.msc to open the Services screen.
    3. Right-click GE Proficy Authentication Tomcat Web Server and select Restart.
Configuration: Configure LDAP Provider

Add an LDAP provider and make appropriate mappings.

Ensure that the logged-in user name works with the user filter specified in Proficy Authentication.