Active Directory: connection to server is established but impossible to log in to the mappview application

Hello everyone,

I need help with setting up Active Directory and mappview login.
The connection with the factory is properly established: using the function HostByName I am able to check the IP address, which is correct.

Then, when I try to authenticate on mappview (using MpUserX Local and Central):

  • With a local user it works fine.
  • With an AD user I get these errors:
    –> Login through the mappview visualization writes to the logger: -1061091324
    –> Using the function block MpUserXLogin(fb): -1064144849, mpUSERX_ERR_NO_SERVER_CONNECTION

The server is Windows Server 2019 with TLS 1.2, working with LDAP on port 389 (no certificate needed). The PLC is synchronized as an NTP client with the server.

Here is the information about the server and how it is filled in in the B&R project:

**IP DNS:** 10.103.20.2 | 10.103.20.3

**FQDN:** pdc-ami-01.amidomindus.net | pdc-ami-02.amidomindus.net

**Base DN:** DC=amidomundus,DC=net

**Port LDAP:** 389

**Groups:**

| Group | Level |
|---|---|
| GR_CONDI_STO_OPE | 1 |
| GR_CONDI_STO_RESP | 2 |
| GR_CONDI_STO_MAINT | 3 |
| GR_CONDI_STO_ADM | 4 |

**Service account LDAP:** svc_ldap
CN=SVC_LDAP,OU=Comptes de services,OU=#Comptes,DC=amidomindus,DC=net

**Attributes:** sAMAccountName

**User group structure:** CN=GR_CONDI_STO_ADM,OU=STO,OU=APPS,OU=#GROUPS,DC=amidomindus,DC=ne

Where should I fill in the LDAP service account in the mappUserX structure?

Any idea of what’s wrong in the configuration? The server sees the authentication request but sends back “incomplete”.

Thank you for reading,

Emilie


Which version of mapp Services are you using? According to your screenshot you use 5.x?
In this case, please note: mapp Services 5.x does not support unsecured LDAP, only secured LDAPS.

You either need to switch your AD server to LDAPS, or use the latest mapp Services 6.x version, which supports (almost) all flavours of LDAP communication, including unencrypted communication.

CHH


I am using mapp Services 5.24.5 with Automation Studio 4.12.

I cannot change the AD configuration; it is the customer's site.

OK, in this case you need to switch to 6.x.

Sorry, this function is not available in 5.x

CHH


Should I ask my customer to change his AD to LDAPS using port 636?

Do I have to add an SSLConfiguration in my project for the AD connection?

Hi @Emilie_Cibien, yes, the Active Directory should be changed to LDAPS using port 636. And no, you just need to import the root authority certificate of the server (with file extension ".pem", ".cer" or ".crt") in AccessAndSecurity > CertificateStore > ThirdPartyCertificates > SoftwareCertificates.

You then just need to set the Port and Certificate in the MpUserX configuration.

Please see the Use Case in the Help for setting up Active Directory user management in mapp UserX for a step-by-step setup guide: B&R Online Help

Also, keep in mind that for mapp UserX Centralized User Management via Active Directory requires the use of either (1) the User Principal Name (UPN), e.g. user1@domain-name.com, or (2) the Security Account Manager (SAM) name, e.g. DOMAIN/user1.

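The answer above says to import the server's root CA certificate and set the port and certificate in the MpUserX configuration, and later in the thread the question "How can I see what is sent to AD?" comes up. What follows is an added example, not code from this thread, from B&R or from mapp UserX: a stand-alone Python client that performs the same LDAPS simple bind the service account would perform, trusting only the imported CA file (not the system trust store), and decodes the BindResponse including the AD-specific "data NNN" code in the diagnostic message. The CA file name `ad-root-ca.pem` is an assumption, the host and service-account DN are reused from the first post as placeholders, and the failed-bind sample is constructed for the example, not captured from the factory's server.

```python
"""Minimal LDAPS simple-bind check: what an LDAP client sends to AD and what AD answers."""
import socket
import ssl

# --- BER (ASN.1) primitives used by the LDAP wire format (RFC 4511) -------------------

def ber_len(n: int) -> bytes:
    """Definite-form length: one byte below 128, else 0x80|count followed by the big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    """INTEGER in minimal two's-complement form (enough for message IDs and the version)."""
    return ber_tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def build_simple_bind(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] pw } }."""
    bind_request = ber_tlv(0x60, ber_int(3)
                           + ber_tlv(0x04, bind_dn.encode("utf-8"))
                           + ber_tlv(0x80, password.encode("utf-8")))
    return ber_tlv(0x30, ber_int(message_id) + bind_request)


def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: count of length bytes follows
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


# AD appends "data NNN" to the diagnostic message of a failed bind; the common values:
AD_BIND_DATA_CODES = {"525": "user not found", "52e": "invalid credentials",
                      "530": "logon not permitted at this time", "532": "password expired",
                      "533": "account disabled", "701": "account expired",
                      "773": "user must reset password", "775": "account locked out"}


def parse_bind_response(msg: bytes) -> dict:
    """Decode LDAPMessage { messageID, BindResponse [APPLICATION 1] { resultCode, matchedDN, diag } }."""
    tag, body, _ = parse_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = parse_tlv(body)
    op_tag, op, _ = parse_tlv(body, pos)
    if op_tag != 0x61:
        raise ValueError(f"expected BindResponse (0x61), got tag 0x{op_tag:02x}")
    _, code, pos = parse_tlv(op)
    _, matched, pos = parse_tlv(op, pos)
    _, diag, _ = parse_tlv(op, pos)
    diag_text = diag.decode("utf-8", errors="replace")
    hint = next((v for k, v in AD_BIND_DATA_CODES.items() if f"data {k}" in diag_text), None)
    return {"message_id": int.from_bytes(mid, "big", signed=True),
            "result_code": int.from_bytes(code, "big", signed=True),
            "matched_dn": matched.decode("utf-8", errors="replace"),
            "diagnostic": diag_text, "hint": hint}


def ldaps_bind(host: str, port: int, ca_file: str, bind_dn: str, password: str,
               timeout: float = 5.0) -> dict:
    """TLS 1.2+ handshake trusting ONLY ca_file, then one simple bind as bind_dn."""
    ctx = ssl.create_default_context(cafile=ca_file)   # cafile given -> no system CAs loaded
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # server_hostname must match a SAN in the server certificate; if you connect by IP,
    # the certificate needs an IP SAN, otherwise verification fails before any LDAP is sent.
    with socket.create_connection((host, port), timeout=timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(build_simple_bind(1, bind_dn, password))
        resp = tls.recv(4096)                # a BindResponse is small; one read suffices in practice
    return parse_bind_response(resp)


# Constructed sample (not captured from a real server): AD rejecting a wrong password.
SAMPLE_FAILED_BIND = ber_tlv(0x30, ber_int(1) + ber_tlv(
    0x61, ber_tlv(0x0A, b"\x31") + ber_tlv(0x04, b"")
    + ber_tlv(0x04, b"AcceptSecurityContext error, data 52e")))


if __name__ == "__main__":
    import getpass
    import sys
    # Host and DN reused from the thread as placeholders; "ad-root-ca.pem" is an assumed file name.
    result = ldaps_bind("pdc-ami-01.amidomindus.net", 636, "ad-root-ca.pem",
                        "CN=SVC_LDAP,OU=Comptes de services,OU=#Comptes,DC=amidomindus,DC=net",
                        getpass.getpass("svc_ldap password: "))
    print(result)
    sys.exit(0 if result["result_code"] == 0 else 1)
```

Running this from a machine on the same network as the PLC separates the two failure classes the thread conflates: a TLS error (`CERTIFICATE_VERIFY_FAILED`, hostname mismatch, protocol version) means the imported CA or the Host field is wrong before any LDAP is exchanged; a BindResponse with a non-zero resultCode means the transport is fine and the DN, password or account state is the problem, and the decoded "data" code says which.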

Thanks for your feedback.

Here is the status:

  • Project and AD are changed to LDAPS, port 636; the connection is established.
  • The server certificate was properly generated by the factory's IT department.
  • The certificate has the same name in the project and on the server.
  • We are using sAMAccountName on the server.
  • mappview is using mappUserX to authenticate.
  • The MpServer library is added to the project.
  • The clock is synchronized with the factory's NTP server.
  • Nothing is running in the project apart from AD and the login widget.

I still get an error when I try to log in on mappview using an Active Directory account –> B&R logger: Error establishing the connection to MpUserX. -1061091324

If I try to log in using a local user, it works well.

The AD sees an incomplete request from the application, meaning that communication is properly established but something is missing.

  • Should I fill in somewhere, as base DN, the path to look for users in the AD?
  • How can I get additional diagnostic information?
  • Could it be the size of the frame?
  • How can I see what is sent to the AD?
  • Can I configure the project using only the fixed IP address of the server? (FYI, I tried with DHCP and got the same error.)

Thanks,

Emilie

Hi Emilie, the error -1061091324 has the following Cause and Solution according to the Help:

Please make sure that Authentication Mode is set to “MpUserX”.

Also make sure that OPC-UA System is set to “on” in your PLC configuration.

A few other notes:

  • As mentioned before, make sure when you are logging in that you are adding the domain with a backslash before the username, e.g. “DOMAIN\user”.
  • I saw that for the “Host”, you are using “PDC-AMI-01.amidomindus.net”.

    For the B&R PLC to be able to resolve the IP address for that domain name, it would need to have access to a DNS server. Do you have DNS servers configured in the CPU configuration?

    Alternatively, it may be simpler to switch your MpUserX Active Directory Host to be using a direct IP address (e.g. 40.50.60.70) instead of a domain name to ensure that you are not having any DNS related issues.
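The answers above say the login name must be either a UPN (`user1@domain-name.com`) or SAM-style `DOMAIN\user`, the directory is queried by `sAMAccountName`, and the first post maps four groups to access levels. The Python below is an added example, not code from this thread or from mapp UserX, showing the three steps a login path on top of such a directory has to get right: normalizing both login formats, building the `sAMAccountName` lookup filter with RFC 4515 escaping so that a crafted user name cannot change the filter (LDAP injection), and reducing a user's `memberOf` list to one level from the table in the first post. The `memberOf` values are constructed for the example, and choosing the highest level when a user belongs to several mapped groups is an assumption the thread does not state.

```python
"""Login-name handling and group-to-level mapping for an AD-backed login (added example)."""
from typing import Optional

# RFC 4515: the user-supplied name ends up inside a search filter, so these characters
# must be hex-escaped, otherwise "*)(objectClass=*" would rewrite the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def split_login_name(login: str, default_domain: str) -> tuple:
    """Accept 'DOMAIN\\user' (SAM form), 'user@domain' (UPN form) or a bare user name."""
    login = login.strip()
    if "\\" in login:
        domain, _, user = login.partition("\\")
    elif "@" in login:
        user, _, domain = login.rpartition("@")
    else:
        domain, user = default_domain, login
    if not user or not domain:
        raise ValueError(f"malformed login name: {login!r}")
    return domain, user


def user_search_filter(login: str, default_domain: str) -> str:
    """Account lookup by sAMAccountName (the attribute used in the thread); value is escaped."""
    _, user = split_login_name(login, default_domain)
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(user)}))"


# Group-to-level table from the first post. Taking the highest level when a user is in
# several of these groups is an assumption of this example, not something the thread says.
GROUP_LEVELS = {"GR_CONDI_STO_OPE": 1, "GR_CONDI_STO_RESP": 2,
                "GR_CONDI_STO_MAINT": 3, "GR_CONDI_STO_ADM": 4}


def leading_cn(dn: str) -> Optional[str]:
    """CN value of a DN's first RDN, honouring backslash escapes ('CN=Doe\\, John,OU=..' -> 'Doe, John').
    Hex escapes such as '\\2c' (RFC 4514) are not decoded here."""
    if dn[:3].upper() != "CN=":
        return None
    chars, i = [], 3
    while i < len(dn) and dn[i] != ",":
        if dn[i] == "\\" and i + 1 < len(dn):   # escaped character: take the next one literally
            i += 1
        chars.append(dn[i])
        i += 1
    return "".join(chars)


def access_level(member_of: list) -> int:
    """Highest mapped level among the user's groups; 0 means no mapped group, i.e. deny login."""
    levels = []
    for dn in member_of:
        cn = leading_cn(dn)
        if cn is not None and cn.upper() in GROUP_LEVELS:   # AD group names compare case-insensitively
            levels.append(GROUP_LEVELS[cn.upper()])
    return max(levels, default=0)


# Constructed memberOf values in the OU layout from the first post (not a real directory dump).
SAMPLE_MEMBER_OF = [
    "CN=Domain Users,CN=Users,DC=amidomindus,DC=net",
    "CN=GR_CONDI_STO_OPE,OU=STO,OU=APPS,OU=#GROUPS,DC=amidomindus,DC=net",
    "CN=GR_CONDI_STO_MAINT,OU=STO,OU=APPS,OU=#GROUPS,DC=amidomindus,DC=net",
]


if __name__ == "__main__":
    for name in ("AMIDOMINDUS\\emilie", "emilie@amidomindus.net", "*)(objectClass=*"):
        print(name, "->", user_search_filter(name, "AMIDOMINDUS"))
    print("level:", access_level(SAMPLE_MEMBER_OF))
```

The filter builder deliberately drops the domain part of the login: the thread's configuration resolves users by `sAMAccountName`, so `DOMAIN\user` and `user@domain` both map to the same attribute lookup. A user with none of the four mapped groups gets level 0, which a login widget should treat as a failed login rather than a default level.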

Hi @Emilie_Cibien, what is the status of your topic? Can you update us?

Closed due to inactivity, @Emilie_Cibien you can still update us with your findings.