Professional Documents
Culture Documents
USERS REMOTE
AUTHENTICATION
THEMA4 OPTION 16
Document Rev. 7
FEDEGARI has made every effort to ensure that the information contained in this manual is accurate and exhaustive. However, it assumes
no responsibility in case of errors or omissions. FEDEGARI reserves itself the right to amend, at any time and without notice, the information
regarding the hardware and software described in this document. FEDEGARI reserves itself the option of amending this manual at any time
without notice.
INTRODUCTION
This document describes the OPTION 16 – Users Remote Authentication for the THEMA4 controller, which
allows to integrate it with Active Directory.
NOTATIONS
In this user manual, these notations are used:
NOTE
for additional note
REFERENCE
for references to other sections
IMPORTANT NOTE
for important note
WARNING!!
for very important note
DOCUMENT SECTIONS
This document is composed of the following sections
1 GENERAL DESCRIPTION
General description of the Remote Authentication feature, which focuses on theory of operation.
2 CONFIGURATION
This section details more practical aspects of the Remote Authentication feature, such as setting up the
integration and troubleshooting.
INDEX
TABLES
Table 1-1 – Remote authentication operations .....................................................................................................12
Table 1-2 – Extract of general login data...............................................................................................................12
Table 1-3 – Login messages .................................................................................................................................14
Table 1-4 – Login data...........................................................................................................................................15
FIGURES
Fig. 1-1 – Remote Authentication architecture ........................................................................................................8
Fig. 1-2 – Software architecture details ...................................................................................................................9
Fig. 2-1 – Selection of “th4login” properties with ADSIEdit ...................................................................................20
Fig. 2-2 – Discovering KVNO of “th4login” ............................................................................................................21
1 GENERAL DESCRIPTION
1.1 - INTRODUCTION
1.1.1 - Authentication protocol
1.2 - INTEGRATION WITH MICROSOFT ACTIVE
DIRECTORY
1.2.1 - Software architecture
1.2.2 - Authorization data
1.3 - ACCESS MANAGEMENT WITH REMOTE
AUTHENTICATION
1.3.1 - Thema4 configuration
1.3.2 - Profile configuration
1.3.3 - Remote authentication operations
1.3.4 - General login data
1.3.5 - Login operation
1.3.6 - Logout operation
1.3.7 - Login data displayed on the Thema4
1.4 - LIMITATIONS FOR REMOTE
AUTHENTICATION
1.4.1 - User ID and password
1.4.2 - Login Management Operations
1.4.3 - Logout
1.4.4 - Audit trail
1.1 INTRODUCTION
Users remote authentication is mainly requested in order to avoid to have more “users local data bases”, to
configure and to maintain.
Using a “users central data base” gives the following benefits:
- all the users data are located in a single data base, (no duplicate data exists);
- all the users information is managed in the same system (central domain control server).
In order to be effective for pharmaceutical systems, “Remote authentication” needs to be implemented, with the
following criteria:
- to use a standard “authentication protocol” for client agents and network services, for secure
authentication in heterogeneous environments;
- to guarantee an highly-secure authentication, (using cryptography and security protocols) to prevents
eavesdropping or replay attacks, and ensures the integrity of the data (with transmission of plain-text
authentication information, there is the threat of password being viewed, while traveling across the
network);
- to implement a system of password management, in compliance with CFR21p11.
STERILIZER ID
(IP ADDRESS)
CENTRAL
REQUEST USER DB
AUTHENTICATION
AUTHENTICATION
ANSWER
USERS DOMAIN
SERVER
GUI GUI
FECPclient FECPclient
a
d
b CENTRAL
USER DB
FECPserver
PCS
Key Distribution
LOCAL
USERS DB
Center
The public name is displayed by the controller and used to register on the audit trail operations performed with
that login.
The residual validity time is a “per session” value and has a completely different meaning than for a “local”
account. This value is the maximum time allowed for a Kerberos session and is reloaded every time a
successful login operation is done.
The expiration date follows rules defined within Active Directory in the KDC and has a meaning similar to the
one defined for “local” logins.
The list of Active Directory groups the user belongs to is used to se up a profile to be used for the work session.
This information is used to understand also if the specific login is allowed to operate on that sterilizer, so it is
possible that the access to the system is refused even if UserID and password provided are correct.
For more details see 1.3.2 - Profile configuration and 1.3.5 - Login operation.
REFERENCE
For a general description of Access Management see chapter 6 of THEMA4 User’s Manual.
IMPORTANT NOTE
The “local” database can’t be disabled totally because it is necessary to grant that at least
an administrator is configured. This allows also to work on the machine when the KDC is
down.
In any case, it is easy to force users to use only “remote” accounts by keeping enabled on
the local database a single administrator which is not known to normal users.
This local login can be used to create local logins in case of need.
In case of “local” logins it is possible to choose on a “per user” basis the profile of the single login. This means
that, even if an account can belong to only one of the four groups defined for the controller (Administrator,
Supervisor, User, Maintenance), the profile of a specific login can be customized at will (except a few
restrictions described in the User’s Manual).
In case of “remote” logins the profile configuration is defined on a “per group” basis. This means that an account
can belong to one of the four groups defined for the controller, but the profile will be the same for all accounts
belonging to the same group. It is possible, indeed, to alter at will the profile of each one of the four groups of
the controller (except a few restrictions described in the User’s Manual) which allows to customize access to the
controller for groups of users.
The profile configuration for “remote” logins is done in Thema4 by associating an Active Directory group to each
group of the controller. This allows a Thema4 to recognize four Active Directory groups and map each one to
one of its internal groups.
By controlling the groups an account belongs to it is possible, within Active Directory, to control the access to a
specific sterilizer.
IMPORTANT NOTE
Starting from software version W39 it is possible to add up to 32 custom groups through
the graphical user interface function “Log-in&Passwords\Log-in data\Profile
Management\Custom Profile”. These groups can be used both for “local” logins and for
“remote” logins.
For “remote” logins this allows to enlarge the total number of groups selectable for remote
authentication to 36 (4 standard groups plus 32 custom groups), giving more options to
differentiate profiles of remote accounts.
If more than a Thema4 is used, it is possible to define four Active Directory groups for each Thema4 allowing an
operator to act, for example, as a User on a sterilizer and as a Supervisor on another sterilizer. It is also
possible to create only four groups, allowing the operator to act, for example, as an user to all sterilizers.
The choice is left to the customer and can be changed at any time acting on Active Directory or and/or on the
controller.
IMPORTANT NOTE
For “local” authentication, all these functions are executed on Thema4.
IMPORTANT NOTE
In “remote” authentication logins are managed on the KDC, so “assigning users to groups”,
“Changing password”, and “First access” and “Display/Printing the configuration of the
active logins” are server operations
“First access” in compliance to CFR21p11: At the first login, the user has to change the password. This
requires to force the user to change password, the first time he attempts to login. Because the “change
password” is possible only on the KDC database, the “first access management” is implemented only on it.
Thema4 will not allow to perform a login using an access code which has not changed the password the first
time.
REFERENCE
For details about General Login data see paragraph 6.5 of THEMA4 User’s Manual.
In case of “remote” logins, only the parameter “inactivity time” is managed on Thema4:
No. Parameter Parameter UM Range Action
7 Inactivity time While an operator has a work session in min 1 - 60 Thema4 automatically closes the
progress, the system counts the "inactivity work session, when the
time", understood as the continuous period of accumulated "inactivity time"
time during which no activity of the operator is reaches the limit programmed
detected. The work session of an operator is
closed automatically by the system, when
the accumulated "inactivity time" reaches the
limit programmed.
Table 1-2 – Extract of general login data
Fedegari S.p.A. D/O#156066.8 - June 2013
Thema4 control system – USERS REMOTE AUTHENTICATION – Section 1 Page 13 / 21
10 The clock of this sterilizer is In order to prevent some kind of hacker attacks, the NOT OK
out of sync with the Key authentication will fail if the sterilizer clock has a
Distribution Center. span greater then 5 minutes against the clock of the
KDC.
In this case check:
- check DNS is working properly
- check the timezone parameter within DNS
- check Daylight Saving Time settings
11 Wrong password. A wrong password has been supplied for the login. NOT OK
12 User not found in the remote A wrong User ID has been supplied. NOT OK
database.
13 This user is disabled. The login typed in is correct but it has been disabled NOT OK
into Active Directory. This problem requires action
to be done in the Windows environment.
Table 1-3 – Login messages
IMPORTANT NOTE
In case of Remote Authentication, Thema4 does not manage the messages about remaining
“attempts” before the login suspension and about the number of character of the password
to insert (except for maximum limits).
IMPORTANT NOTE
In case of Remote Authentication, Thema4 will not count the number of wrong access
attempt done with a remote account, this will be managed by the KDC if that function is
available and enabled.
When the KDC accepts User ID and password provided gives a ticket to Thema4, which checks if the account
belongs to one (and only one) of the Active Directory groups defined for the sterilizer. If it belongs to no group or
to too many groups the ticket is discarded and the login refused, otherwise the ticket is kept and the login
operation successful. The ticket received has an expiration date that depends by policies defined on the KDC, it
is common to have a duration of 8 or 10 hours.
It is not possible to force a logout from the KDC: the user will continue to work on Thema4 until the ticket will
expire, then an automatic logout will happen. If the login has been disabled in the KDC the user will not be able
to get a new ticket, so he will not be able to login again.
IMPORTANT NOTE
No logout information is sent to the KDC, so it is not aware if an account is logged in or not.
IMPORTANT NOTE
The functions “Residual Validity Time” and “Expiration Date” in Remote Authentication
operations will be managed on the server if these operations are available and enabled.
In any case, during a session authenticated remotely, Thema4 will not perform any logout
due to these functions.
1.4.3 Logout
A remote login will not be immediately kicked off from the Thema4 system when it is no more enabled in the
KDC. The user will continue to work until a logout happens on Thema4, then he will not be able to login
anymore.
2 CONFIGURATION
2.1 - HOW TO SET UP THE INTEGRATION
2.1.1 - Preliminary requirements
2.1.2 - Preparing the Key Distribution Center
2.1.3 - Preparing the controller
2.2 - TROUBLESHOOTING
2.2.1 - Key version number issue with some versions
of “ktpass”
2.2.2 - Repeating the configuration procedure from
the beginning
1) Create a login named “th4login” with any password, perform the first access and set the password as you
like. This login must not expire or change password.
2) Create a login named “vxtarget” with any password, perform the first access and set the password as you
like. This login must not expire or change password.
3) Create a keytab file by using ktpass.exe (a command line windows application for the server):
This operation creates a mapping between th4login and vxtarget into Microsoft Active Directory database
and produces a file (krb5.keytab) to put into Thema4 controllers
N.B.: If more than one Thema4 controller will be connected to the same KDC only one keytab file
must be generated, then the keytab file must be installed on each Thema4 controller. The keytab
file contains a progressive number so, when a new one is generated, the old one will stop
working. For this reason it is necessary to reinstall the keytab file on each Thema4 every time it is
generated.
4) Create any login and groups you like; groups must be of type “Global/Protection” in order to control
access for the login. It is a good idea to create 4 groups for each Thema4 machine.
5) Run “ldp” tool in the command line to get the short Security Identifier of each group.
Once “ldp” window comes up perform following steps:
a. perform a connection to the server itself;
b. perform a bind (probably administrator level is needed to watch desired data);
c. browse the domain tree until you reach the defined groups;
d. watch details of the group, more precisely the “objectSid” field. It is in the form
S-1-5-21-769278194-3318199905-4160292170-1110;
the number to put in the Thema4 system is the one underlined;
e. get that number for all the groups you are interested in.
IMPORTANT NOTE
To create the keytab file it is necessary to install the Support Tools of the operative system:
a set of tools to help administrators streamline management tasks such as troubleshooting
operating system issues, managing Active Directory®, configuring networking and security
features, and automating application deployment. It is possible to download the Tools by
the Microsoft web site.
Now it is possible to login remotely. Remember that it is necessary to reboot the system every time that the
following “General Login Data” parameters needs to change:
- Key Distribution Center
- Domain name
- DNS server IP address.
2.2 TROUBLESHOOTING
Following step-by-step instructions described in the previous paragraph, allows the integration to work
immediately. This chapter describes some common errors that can be done during the setup, that can prevent
the integration with Active Directory to work correctly.
2.2.1 Key version number issue with some versions of “ktpass”
The keytab file contains a field which identifies the Key Version Number (KVNO) of the th4login account. For
Windows 2000 based KDCs this field is not managed and the KVNO is always zero. For Windows 2003 based
KDCs this field is increased by one every time the password is changed, this means that is also increased by
one every time the “ktpass” tool is run to generate the keytab file.
Some versions of the Windows 2003 server are supplied with a buggy version of the “ktpass” tool, which does
not update the KVNO into the keytab file. This causes to keep having the error message “The keytab file has not
been installed, it is not possible to login remotely”.
In this case it is necessary to provide the correct KVNO to the “ktpass” tool when generating the keytab file. To
do this it is necessary to discover the current KVNO for “th4login” and pass it increased by one to “ktpass”.
2. Search the value of parameter “msDS-KeyVersionNumber” within properties, that’s the current KVNO. In the
example the value is 9.
3. Run ktpass providing the additional parameter KVNO, which equals the value found at step 2, increased by
one.