Step 6. Enable Automatic Log Ins

Windows authentication can be enabled or disabled whether or not Windows groups have been selected in the Windows Authentication window.

Enable/Disable Windows Authentication

The following steps describe how to enable Windows Authentication in CIMPLICITY, and the options available when you do (Allow Configuration Auto Login, Allow Auto Login, and Advanced runtime settings).
  1. Open the Windows Authentication dialog box.
  2. Select Enable Windows Authentication.
    The following options become available: Allow Configuration Auto Login, Allow Auto Login, and Advanced runtime settings.
    Note: If only Enable Windows Authentication is selected and if the Windows user is a member of a selected group, CIMPLICITY will:
    • Open a CIMPLICITY Login dialog box.
    • Check the Windows/password credentials.
    • Look for the user in the Selected Groups.
    • Give the user CIMPLICITY/Proficy Change Management (PCM) access based on the first group in which the user is found.
  3. Select one of the following configurations:
    Allow Auto Login: Checked. Allow Configuration Auto Login: Clear.

    If the Windows user is a member of a selected group, CIMPLICITY will:
    • Look for the user in the Selected Groups.
    • Automatically log in the user to CIMPLICITY based on the first group in which the user is found.
    • Assign the user the role/resources assigned to that group.
    Users have to:
    • Manually log into CIMPLICITY to do configuration if CIMPLICITY Configuration Security is enabled.
    • Manually log into Proficy Change Management (PCM).

    Allow Auto Login: Checked. Allow Configuration Auto Login: Checked.

    Users can potentially be automatically logged into:
    • CIMPLICITY configuration.
    • CIMPLICITY runtime.
    • Proficy Change Management (PCM) projects.

    Allow Auto Login: Clear. Allow Configuration Auto Login: Checked.

    When Windows Authentication is enabled, Windows Authentication:
    • Reads the current logged in Windows user.
    • Does the following if the user is new to CIMPLICITY/not listed in the project:
      • Prompts the user for a CIMPLICITY valid name/password.
      • Creates a CIMPLICITY user based on the valid name/password.
      • Assigns the user the role/resources assigned to the Windows Authentication group that the user is in.
      • Automatically logs the user into CIMPLICITY based on the first Windows Authentication group in which the user is found.
    Users are:
    • Automatically logged into CIMPLICITY to do configuration even if CIMPLICITY Configuration Security is enabled.

      A failure message may display for a user who does not have Workbench privileges; a Configuration Login dialog box will open to prompt the user for valid credentials.

      A valid user can enter either of the following in the Configuration Login dialog box:
      • <domain>/<username>
      • <username>
    • Automatically logged into a Proficy Change Management (PCM) project.
      • The automatic logon applies only to PCM project properties, not to PCM computer properties.
      • An automatic PCM logon can occur based on selections in the Project Properties dialog box > Change Management tab:
        • As soon as the Workbench starts up if Logon at Workbench startup is checked.
        • If Prompt for user name and password at logon is not checked.
        • Based on whether or not a username/password that is entered for CIMPLICITY/PCM is valid or invalid.
    Important: Close and reopen the Workbench after Allow Configuration Auto Login is checked.
  4. If you want to specify custom domain and credentials, select Advanced runtime settings.
    You can use this option in the following scenarios:
    • If your CIMPLICITY services are running on a different server without domain privileges, and you want to specify another user that can access the domain.
    • If your CIMPLICITY services are running on a different server, and your LDAP connection is on a different server.
    The other configuration options below Advanced runtime settings are enabled.
  5. Enter the following configurations:
    User: The user of the domain that you selected.

    Port: The Port of the selected domain.

      By default, CIMPLICITY uses the SASL framework for authentication. You can also use the TLS connection for communication security when connecting to LDAP servers. The default port for a TLS connection is 636. However, if you have a different port configured, you can use that. To use the TLS connection, you must configure the WINAUTH_LDAP_SECURITY_MODE global parameter, and set the value as TLS.

    Password: The password for the domain user.
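
    Before setting WINAUTH_LDAP_SECURITY_MODE to TLS, it helps to confirm that the LDAP server completes a TLS handshake on the configured port and presents a certificate this machine trusts. The following PowerShell check is an added example, not part of the CIMPLICITY documentation or product; the host name dc01.example.local is a placeholder and the function name is hypothetical.

```powershell
# Added example (not vendor code): verify that an LDAP server accepts TLS
# on the port you plan to enter in the Port field (636 by default).
function Test-LdapsEndpoint {
    param(
        [Parameter(Mandatory)] [string] $Server,   # placeholder host, supply your own
        [int] $Port = 636,
        [int] $TimeoutMs = 5000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Connect with a timeout so a filtered port does not hang the check.
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            throw "TCP connect to ${Server}:${Port} timed out"
        }
        $client.EndConnect($async)

        # Default certificate validation: the handshake throws if the chain is
        # not trusted by this machine or the certificate name does not match $Server.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        try {
            $ssl.AuthenticateAsClient($Server)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            [pscustomobject]@{
                Server   = $Server
                Port     = $Port
                Protocol = $ssl.SslProtocol
                Subject  = $cert.Subject
                Issuer   = $cert.Issuer
                NotAfter = $cert.NotAfter
                DaysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
            }
        }
        finally { $ssl.Dispose() }
    }
    finally { $client.Close() }
}

# Placeholder host name (assumption); replace with your LDAP server.
Test-LdapsEndpoint -Server 'dc01.example.local'
```

    Run it from the server that hosts the CIMPLICITY services, since that is the machine that makes the LDAP connection. A thrown exception means either the port is unreachable or the certificate failed validation on this machine.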

Windows Authentication Guidelines

  • When a user:
    • Attempts to log into CIMPLICITY, if the Windows user name/password are not valid or CIMPLICITY does not find the user in any of the groups, the user is denied CIMPLICITY access.
    • Logs into CIMPLICITY for the first time using Windows authentication, that user is automatically added to CIMPLICITY's list of users.
    • Is listed in the CIMPLICITY list, user specifications can be modified the same way as for any other user.
  • When the new Windows Authentication module tries to validate a user with auto log in, if Windows Authentication does not have a valid user/password to use to query the domain controller, it uses the current user that the process is running under.

    On a default installation, Windows authentication runs as a system user; depending on how the domain is set up, there is a good chance that the system user will not have the ability to query the domain.

    To make sure Windows authentication can query the domain:

  1. Open the Services control panel.
  2. Make the CIMPLICITY HMI service run under a domain account that has privileges to query the domain.
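
To see which account the service currently runs under without opening the Services control panel, the following PowerShell check lists matching services and classifies the logon account. It is an added example, not vendor code; it assumes the service's display name contains "CIMPLICITY", and the function name is hypothetical.

```powershell
# Added example (not vendor code): report the logon account of CIMPLICITY
# services and flag any that do not run under a domain account.
# Assumption: the service display name contains "CIMPLICITY".
function Get-CimplicityServiceAccount {
    param([string] $NamePattern = '%CIMPLICITY%')

    Get-CimInstance -ClassName Win32_Service -Filter "DisplayName LIKE '$NamePattern'" |
        ForEach-Object {
            $account = $_.StartName
            # Classify the account by the form of its name.
            $kind = switch -Regex ($account) {
                '^(LocalSystem|NT AUTHORITY\\.+|NT SERVICE\\.+)$' { 'Built-in'; break }
                '^\.\\'                                            { 'Local account'; break }
                "^$([regex]::Escape($env:COMPUTERNAME))\\"         { 'Local account'; break }
                '^[^\\]+\\[^\\]+$|^[^@]+@[^@]+$'                   { 'Domain account'; break }
                default                                            { 'Unknown' }
            }
            [pscustomobject]@{
                Service     = $_.DisplayName
                State       = $_.State
                RunsAs      = $account
                Kind        = $kind
                # Anything other than a domain account should be reviewed
                # against the guideline above.
                NeedsReview = $kind -ne 'Domain account'
            }
        }
}

Get-CimplicityServiceAccount | Format-Table -AutoSize
```

The check only reports the account type; whether a domain account actually has privileges to query the domain still has to be confirmed with the domain administrator.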