Issue
Setting up, using, and troubleshooting Windows Active Directory with Building Operation Workstation and WebStation.
Product Line
EcoStruxure Building Operation
Environment
- Building Operation Enterprise Server
- Building Operation WebStation
- Windows Active Directory
- Windows Server
Cause
When integrating EcoStruxure with Windows Active Directory, NO user accounts need to be created in EcoStruxure, all that needs to be done is map the EcoStruxure User Account Group(s) with the Windows group(s) that will be used.
- You can map Windows Active Directory groups to Building Operation user account groups if Building Operation runs on a network that uses this directory to manage users and user account groups.
- A Building Operation user account group that includes a Windows account group can also be a member of another Building Operation user account group.
- Mapping Windows Active Directory account groups to Building Operation user account groups has advantages both for administrators and operators. Administrators can manage the user accounts in the Windows Active Directory, rather than managing the accounts in two places. Any changes are instantly implemented to the mapped Building Operation user account group. Operations only have to remember the Windows login. Once logged in to a Windows user account that is mapped to a Building Operation account, the user is authenticated to access WorkStation without having to log in a second time.
Note:
- The Building Operation domain used to map the Windows Active Directory user account groups must be a member of the Windows domain where the Active Directory is located.
- Windows Active Directory account groups can only be mapped on servers that are based upon Microsoft Windows operating system. Automation Servers, cannot map Windows Active Directory groups. For example, the Windows Active Directory user account groups Main Admin and Main User are mapped to the Building Operation user account groups Administrators and External Users. The External Users user account group is a member of the Operator user account group. The Administrators account group, which is a member of the External Users, inherits access to the Operation workspace.
- The user will then log into Windows on the PC where the WorkStation is installed. When logging into EcoStruxure Workstation the authentication is automatically done from the Windows user account.
Resolution
NOTE: Active Directory association cannot be achieved using the inbuilt Local Domain
- Create a new EBO Domain and associate it with your active windows Domain.
NOTE:
It is best to only use the Domain (Netbios) name (as shown above) when adding the Windows Domain name to this property. Using the full DNS Domain name, for example, eur.gad.schneider-electric.com will cause issues when utilizing other features that require active directory authentication. One example where this has been identified is with Change Control. - Create an EBO Domain Group within that new Domain and associate it with the Windows Domain Group in which the Windows Active Directory user(s) reside.
- Log in using Windows Username, Password, and Domain rather than EBO credentials. When logged on to the Enterprise Server PC as a Domain User it is also possible to select the "Log on as" box.
See WebHelp:
- How to Create and Configure a Domain
- Conceptual Information on Windows Active Directory User Groups
- How to Create User Account Groups
Troubleshooting Windows Active Directory with Workstation
- Log in Error: Wrong user name or password
- If the EcoStruxure Building Operation Domain has the same name as the Windows Active Directory domain name, it will expect the user account to exist locally in the Building Operation domain.
- Log in Error: "User account not associated with a group. Contact your Administrator."
- Verify that the Windows user is a part of the Windows group configured in the Building Operation Group settings. In order to identify every group that the current windows user belongs to, run the command: whoami /groups
- Once the Windows user has been confirmed as a member of the configured Windows group, try changing the Log On as credentials for the Enterprise Server service. The default user that is used when installed is the "Local System account". The Windows account used to run the Enterprise Server service needs "read access" to all places (e.g. OUs) in the Active Directory where user groups potentially involved in an EBO Windows log-on can be found.
Note: By default, all domain users in an Active Directory have read access to Active Directory "Users and Computers" objects so it is the sites that have restricted this in some way that may face issues. You do not need to use “domain admin” type accounts for this as they are granted way too much authority in general. An account that has read access to sufficient parts of the AD while having only normal local user privileges on the machine where the Enterprise Server is running will suffice.- From the Windows Start menu, launch Computer Management. In Computer Management go to Services and Application > Services.
- Find Building Operation X.X Enterprise Server, select it and Stop the service.
- Right-click on Building Operation X.X Enterprise Server and go to Properties. Select the Log On tab.
- Under Log On as select "This account". Enter a Windows user login that has sufficient Windows rights for the Enterprise Server to log on as.
- Click OK and then start the service again.
- Log in to Workstation again using Active Directory.
Troubleshooting Windows Active Directory with WebStation
From version 1.5.0 and up, using Windows Domain accounts is supported in WebStation. However, the following must be done in order to log in.
- Must use HTTPS.
- Must enter your Windows username and password.
- Must enter the domain as the Windows domain as defined within Building Operation. See below:
An example log-on format is shown below when using the above configuration when using WebStation:
Alternatively, if the following is configured in Building Operation:
WebStation log-on will look as follows:
