Authentication Models

After getting myself locked out of my own system, I am trying to be more careful.

Is it possible to have part of the system use Internal name/password, say the gateway admin.

Then have programmers use AD/Internal hybrid? and clients use AD/Internal hybrid?

At this point I have defined additional roles beyond those internal roles that came default.

I have Administrator_AD, Programmer_AD, and Client_AD.

On the Gateway Config page, I have added a comma to the existing roles and added the roles above in the proper places.

I have moved one of the Programmer logins to test.

Am I barking up the wrong tree? If so, how should I do this?

I don’t want Admin to depend on AD, but I want the rest of the users to be authenticated by AD.

Thanks

Dennis

What I like to do is chain authentication profiles together using the fail over setting. That way you can have an internal profile for admin users and an AD one for everyone else. Your AD one can fail over to the internal one. Remember the Ignition Gateway can have a separate authentication profile than the projects. Hope this helps.

Thanks, Travis.

I had to scramble a little to get back into the machine. It is a virtual 64 bit Linux box.

I had to install the vSphere Client to be able to talk to the console of the machine.

Getting gcu.sh to execute properly was a problem at first.

I/S has things setup where to run root level stuff I have to run

sudo sudosh

This logs all that I do. Breadcrumbs for security…

The proper environment variables were not being passed when using the above. It didn’t know what Xterminal profile to use.

Finally I was able to start gcu.sh from terminal.

I wanted to create a launcher but that would not work.

The command that launcher needed was:

nohup /usr/bin/sudo /usr/local/bin/ignition/gcu.sh &

Now there is a launcher on my linux desktop that will start gcu.

I hope this helps someone else.

Dennis

I can’t get AD Authentication to work.

I have things set the way I/S said to set them.

I have the hybrid profile doing a soft failover to internal (default) so I am not locking myself out of the system.

What do I need to look at to see why it is failing?

Thanks

Dennis

The Ignition Gateway configuration console may give you an error message about the problem. You need to make sure the domain name and domain controller IP address are correct. You can test the profile using the test link below the authentication profiles.

I tested using the link. The login and password for the hybrid profile worked.

When I log out and try to log back in with it, it is rejected.

The gateway is set as default, with roles Administrator and Administrator_AD, which is the hybrid.

Do I need to set the gateway as hybrid?

I’ll give that a shot.

Dennis

That was it. Setting the Gateway to hybrid lets the AD password work and the creds under default also work, because of failover.

Thanks.

I just love this stuff!

Dennis

[quote=“DennisWomack”]I tested using the link. The login and password for the hybrid profile worked.

When I log out and try to log back in with it, it is rejected.

The gateway is set as default, with roles Administrator and Administrator_AD, which is the hybrid.

Do I need to set the gateway as hybrid?

I’ll give that a shot.

Dennis

If testing the profile works then you just need to switch the Gateway authentication profile or the project authentication profile to match.

Travis how would you suggest handling a SuperProgrammer that needs to program and add devices, but should not have complete Admin rights?

Thanks

Dennis

Ignition is not setup for that kind of access. We lock down the designer and the gateway configuration section separately. But once you have access to the Ignition Gateway you can do anything.

I downloaded the 7.2.3 beta2 and installed it on a Windows Server 2008.

I am using it as the programmer configurable OPC-UA server, allowing them rights to add devices.

I download the Panel Edition CD-Key and got got it authorized.

I deleted modules that were still in demo mode.

Things are working, but there are some issues with the beta you need to know about.

As I was working, adding my devices, on occasion it would go to a web page saying Internal Error with a link to return to the main screen.

This happened at least 50 times, sometimes in succession, and sometimes not. Is there a memory leak or garbage collection problem?

The error was never fatal.

I have been having some Ignition faults, requiring stopping and restarting the main Gateway. This is the one running on 64 bit linux with 64 bit java. What should I look for to diagnose the faults?

Thanks,

Dennis

Can you post the wrapper.log so we can see what the problem is?

You mean from the main gateway that was faulting?

I am at home now. I grab it tomorrow at work and forward ti to you.

I really appreciate all the help.

Dennis

Files have been emailed to you.

Dennis