Issue
The following error can occur when logging into Security Expert using a Remote Client:
Could not log on to Server. Please check your remote connection setup. The server has rejected the client credentials.
Product Line
EcoStruxure Security Expert
Environment
Security Expert Server / Client
Cause
The security policy settings are different between the Server and Client.
When the Security Expert Server and Clients are installed, the default security policy is used. This requires that the Windows username and password the operator used to log in on a client machine is also a valid user on the computer that is running the Security Expert Server. These security requirements are well suited to corporate networks and setups where users and policies are easy to manage, which is why the Security Expert Server and Client are installed with these settings by default.
Not all installations are alike, however, and sometimes the Security Expert Server is not located within a domain. In another scenario, the server may be in a domain but the operators need to connect to it from a machine that is not in the domain. In these cases, it has been requested that the security policy in place on the domain or the physical machine be disabled. Although this is not recommended practice, the security of the system can be maintained using a suitable VPN structure.
This solution should be used with full knowledge that the security of the system will rely on the operator login name and password, as well as on the security measures that control whether a client is able to hit the server with a login request. Protection of the infrastructure to the connection is beyond the scope of this document.
Resolution
The easiest solution is to put the Client machine(s) in the same Domain as the Server. However, if this is not possible or if no Domain is used, you can manually update the security policy instead.
The following process is a manual edit of the XML configuration files:
- SecurityExpert.exe.config
- SecurityExpertSV.exe.config
Both of these files are located in the .\Program Files\Schneider Electric\Security Expert directory on the Client and Server. It is recommended to back up these two files before performing this task.
- Close all Security Expert clients and stop the Security Expert Data Service.
- We are first going to update the Security Expert Client configuration file SecurityExpert.exe.config on the client machine. If using more than one Client, the change must be made on ALL clients.
- Open Notepad as the administrator and browse to the specified location, making sure the 'All files' option is selected. Then open SecurityExpert.exe.config.
  (Be aware that it may not have the file extension showing and will be called an XML Configuration file by default.)
- Locate the netTcpBinding tag. Nested within this tag is the binding tag.
  Ensure that you insert the text below after the opening <binding> tag and before the closing </binding> tag. If you insert the text outside this tag, the application will fail to run.
  <security mode="None"></security>
  IMPORTANT: You must enter "None" with a capital "N" (not lower case). Copy the text exactly as shown. Now save the file. If you get a write error, you need to open Notepad as the administrator.
- Repeat the process for the Security Expert Server configuration file SecurityExpertSV.exe.config, which is located in the same directory on the server machine.
  Again, make sure the line is inserted after the opening tag and before the closing tag, or the application will fail to run when you save the changes.
- Restart the Security Expert Data Service and test the connection settings.
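The check below is an added example, not part of the original article or any vendor tooling. It is a PowerShell function that reads a configuration file and reports the security mode of each binding under netTcpBinding, so that the client and server files can be compared after the edit and a misplaced or wrongly cased entry is caught before the service is restarted. The sample XML and the binding name are constructed, and treating a missing security element as Transport is the standard WCF netTcpBinding default rather than something this article states.

```powershell
# Added example, not vendor code. The sample XML and binding name are constructed.
$validModes = 'None', 'Transport', 'Message', 'TransportWithMessageCredential'

function Get-NetTcpSecurity {
    param([Parameter(Mandatory)][xml]$Config, [string]$Label)

    foreach ($b in $Config.SelectNodes('//system.serviceModel/bindings/netTcpBinding/binding')) {
        $sec = $b.SelectSingleNode('security')
        # Assumption from standard WCF behaviour: with no <security> element,
        # netTcpBinding uses its default mode, Transport.
        $mode = if ($null -ne $sec -and $sec.HasAttribute('mode')) { $sec.GetAttribute('mode') } else { 'Transport' }
        [pscustomobject]@{
            File      = $Label
            Binding   = $b.GetAttribute('name')
            Mode      = $mode
            ValidCase = $validModes -ccontains $mode   # case-sensitive: "none" fails
        }
    }
    # A <security> element that is not a direct child of <binding> is misplaced.
    foreach ($s in $Config.SelectNodes('//system.serviceModel//security[not(parent::binding)]')) {
        Write-Warning "${Label}: <security> sits under <$($s.ParentNode.LocalName)>, not <binding>"
    }
}

# Constructed sample: client already edited, server still on the default policy.
$clientXml = @'
<configuration><system.serviceModel><bindings><netTcpBinding>
  <binding name="ExampleBinding"><security mode="None"></security></binding>
</netTcpBinding></bindings></system.serviceModel></configuration>
'@
$serverXml = @'
<configuration><system.serviceModel><bindings><netTcpBinding>
  <binding name="ExampleBinding"></binding>
</netTcpBinding></bindings></system.serviceModel></configuration>
'@

$client = @(Get-NetTcpSecurity -Config $clientXml -Label 'client')
$server = @(Get-NetTcpSecurity -Config $serverXml -Label 'server')
$client + $server | Format-Table -AutoSize

# The two sides must agree; a difference matches the cause described above.
if (($client.Mode -join ',') -cne ($server.Mode -join ',')) {
    Write-Warning 'Security mode differs between client and server configuration.'
}
```

To run it against the real files, pass the file content instead of the sample strings, for example `-Config (Get-Content <path to SecurityExpert.exe.config> -Raw)`.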