×

Have You Seen Workflow Lately? Click here to check out all the new features in the latest version.

Supercharge your GE solution! Download a free trial of Proficy Operations Hub, CSense analytics, and more. Learn more about the Proficy 2024 releases, by signing up for one of our upcoming events.

Home
Security
Domain-Based Security
Windows Domain-Based Security
You can use Windows domain user accounts to manage access to and within Workflow. You can also configure domain user accounts for automatic login on either a global basis or for individual computers.
Authenticate Windows Domain Users for Vision Calls
Vision uses a token to make a secure call. For Windows authentication, the Proficy STS service needs to query the domain controller to retrieve groups that the user belongs to. This group information is used to validate the Windows user.

Workflow Products Documentation

Security
- Security Overview
- Users and Groups
- Domain-Based Security
  - Windows Domain-Based Security
    You can use Windows domain user accounts to manage access to and within Workflow. You can also configure domain user accounts for automatic login on either a global basis or for individual computers.
    - Windows Domain Users Logging into Workflow
      If you are using Windows user names and passwords within Workflow security, be aware that Windows user accounts must have the policy Access this computer from the network applied under the local security policy. By default, this policy is assigned to the groups Users and Everyone on the local machine.
    - Authenticate Windows Domain Users for Vision Calls
      Vision uses a token to make a secure call. For Windows authentication, the Proficy STS service needs to query the domain controller to retrieve groups that the user belongs to. This group information is used to validate the Windows user.
    - Password Expiration Considerations
      When Workflow security is synchronized with Windows security, passwords can expire.
    - Configuring Domain-Based Access Control to Workflow Functionality
      You can use active directory universal or global groups to control access to Workflow functionality.
    - Key Sets
      Key sets are groups of permissions, based on areas of operation within your facility, that define the operations a group of users can perform.
    - Login and Logout Capabilities
      Workflow access can be configured in multiple ways. You can configure automatic login and logout on individual computers, on all computers in your system, or on a subset of computers in your system. You can also retain manual login and logout on a global basis or on specific computers.
    - Workflow User Password Security
      Administrator users have the ability to make changes to the security settings in Workflow, including configuring lockout thresholds, re-enabling locked out user accounts, configuring password complexity, and determining whether or not users can change their passwords.

Authenticate Windows Domain Users for Vision Calls

Vision uses a token to make a secure call. For Windows authentication, the Proficy STS service needs to query the domain controller to retrieve groups that the user belongs to. This group information is used to validate the Windows user.

Troubleshooting Windows Authentication

By default, the local system account is used to run the Proficy STS service. In most cases, the local system account can retrieve user group information by querying the domain controller. However, your environment may restrict this local system account from performing this query against the domain controller. In this case, the Windows domain user cannot be validated and no security token can be issued, thereby rejecting the Vision call.

To solve this problem, run the Proficy STS service under a domain user account. This enables this service to query the domain controller.

Note: If this solution fails, assign the domain account to be a member of the local administrator group, and then try again.