Login with cached domain credentials in the runtime using Active Directory users is not available

Summary

When the option to use Active Directory users is enabled in the project, a login is only successful when one of the domain controllers can be reached. When the domain controller is offline, a login with domain credentials is not possible.

Description

When the option to use Active Directory users is enabled in the project, a login is only successful when one of the domain controllers can be reached. When the domain controller is offline, a login with domain credentials is not possible.

Solution

A new option has been introduced that optionally allows an AD user to log in to the runtime with the credentials that Windows has cached locally on the PC, when the domain controller is not available. When a zenon user group is specified for the login with cached credentials and a login is performed in the zenon runtime while the user information cannot be retrieved from the domain controller, the runtime still instructs Windows to attempt a login with cached credentials. When the credentials are valid and the login succeeds, the user in the runtime receives the authorization levels of the user group configured for the login with cached credentials. It is advisable to give this user group only common, low authorization levels that every user should have, and is allowed to have, while the domain controller is not available. In addition, a local emergency zenon user can still be created for tasks that require additional authorization levels. Such an emergency user could be engineered so that its password is dynamic and can only be used once, or so that an operator must provide a key shown on the HMI to an authorized person, who uses a program to derive a one-time password from it.
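One way to realise the challenge/response variant of such an emergency user, as an added illustration that is not part of zenon or of this note: the HMI shows a random challenge, the authorized person's program derives an HMAC-based one-time password from it with a shared secret, and the HMI accepts each challenge only once and only within a short time window. The secret, digit count and time window are constructed placeholders.

```python
import hmac
import hashlib
import secrets
import time

# Assumed shared secret between the HMI and the authorized person's
# derivation program (constructed placeholder, not a real key).
SHARED_SECRET = b"constructed-demo-secret-replace-in-practice"
OTP_DIGITS = 8
CHALLENGE_TTL_SECONDS = 300


def derive_otp(secret: bytes, challenge: str, digits: int = OTP_DIGITS) -> str:
    """Derive the one-time password for a challenge shown on the HMI.
    The authorized person's program runs this; the HMI runs the same
    function to verify. Keyed with HMAC-SHA256 and truncated to digits
    using the dynamic truncation scheme of HOTP (RFC 4226)."""
    mac = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class EmergencyLogin:
    """HMI side: issues a fresh challenge per emergency login attempt and
    consumes it on the first verification, so a password derived for one
    challenge can never be replayed for a second login."""

    def __init__(self, secret: bytes, now=time.time):
        self._secret = secret
        self._now = now          # injectable clock, for testing expiry
        self._pending = {}       # challenge -> time it was issued

    def new_challenge(self) -> str:
        # 8 hex characters: short enough to read off the HMI and relay by phone.
        challenge = secrets.token_hex(4).upper()
        self._pending[challenge] = self._now()
        return challenge

    def verify(self, challenge: str, otp: str) -> bool:
        # Pop unconditionally: a wrong or late answer also burns the challenge,
        # so every attempt needs a fresh one (one-time property).
        issued = self._pending.pop(challenge, None)
        if issued is None:
            return False  # unknown, already used, or never issued
        if self._now() - issued > CHALLENGE_TTL_SECONDS:
            return False  # expired challenge
        expected = derive_otp(self._secret, challenge)
        return hmac.compare_digest(expected, otp)
```

Authorization after a successful verify would then be granted to the emergency user only for that session, and every issued and consumed challenge should be written to the audit log.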

Information

When a successful login is performed with an Active Directory user in the runtime, Windows by default stores cached credentials for up to 10 users. Manually or through group policy, this number can be increased, but it can also be set to "0", which clears any existing cached credentials and prevents future storage of cached credentials. There is no other documented mechanism for clearing cached credentials from a PC than temporarily setting the value to "0" and then back to the original value.

When a domain user is deleted from Active Directory, cached credentials are not deleted from a machine, not even after a login attempt with that user fails while the domain controller is reachable. When a domain user is disabled in Active Directory, the locally stored cached credentials are updated accordingly when a login attempt with that disabled user is performed. This, however, also does not protect against a login with a disabled user when, for example, the network cable is disconnected: the stored cached credentials would not have been invalidated yet.

It can therefore be stated that using the option to log in with cached credentials should be carefully considered, as it lowers security and may allow the login of users that are no longer authorized.

In version 7.50 this optional feature requires a manual entry in a configuration file. In version 7.60 and later, the option can be configured in the project properties.

Issue Number: 36523
Fixed on Date: 5.8.2016
Versions: 7.50 0 BUILD 30617 | 7.60 0 BUILD 36068