Authenticating HMI users with MS AD Credentials
- January 15, 2020 at 7:28 pm #15941 Jim Manley (Moderator)
Update: I found a couple of AB articles on this issue but it’s late. I’ll deal with them in the morning.
I have run across a real head scratcher. I am trying to set up my PanelView HMIs and a large format touch screen with an embedded Windows PC running FT View runtime license. See the attached file for the layout.
The PV HMIs, embedded PC and the controller are attached to AB switches and are on the same class C subnet. That network is connected into a Cisco switch which is configured with a VLAN specifically for the controller network (OT VLAN).
I also have a Windows 10 laptop running FT View ME (used for maintaining HMI screens). That laptop is connected to the same switch and OT VLAN. The OT VLAN is connected to the firewall via another switch port.
The firewall is the default route for all the HMIs, embedded PC and the laptop. The firewall has a policy that allows ICMP and all the necessary ports/protocols to pass to the AD server which resides on a separate network.
Using the laptop, I can build and run a .mer file that works exactly like it should. I can log into the “HMI” running on the laptop using my AD credentials.
I used the same file to create a runtime file that I installed on one of the PanelViews. Attempts to authenticate using my AD credentials fail.
I used the same file to create a runtime that I installed on the embedded PC with the runtime license. Attempts to authenticate using my AD credentials fail.
I have Wireshark installed on my laptop so I did a network capture of a successful login using AD creds. I installed Wireshark on the embedded PC and did a network capture. Nothing, nada, zip… The runtime on the embedded PC doesn’t even attempt to communicate with the AD server. I know the communication path is good because I can ping the AD server from the embedded PC and I see the ICMP traffic in Wireshark.
I can’t get a network capture from the PanelViews as I have no way to create a SPAN port on the AB switches (no spare ports on the switches the PanelViews are attached to), but I suspect I’d see the same behavior.