
Thema4 control system – USERS REMOTE AUTHENTICATION Page 1 / 21

THEMA4 CONTROL SYSTEM

USERS REMOTE
AUTHENTICATION
THEMA4 OPTION 16
Document Rev. 7

FEDEGARI AUTOCLAVI S.P.A.


S.S. 235 km.8 - 27010 Albuzzano (PV) - ITALY
+39 0382 434111  +39 0382 434150  http://www.fedegari.com

Fedegari S.p.A. D/O#156066.8 - July 2012



DOCUMENT REVISION LIST

Revision Nr. | Date (dd/mm/yyyy) | Author Code | Approver Code | Document Revision Code | Subject
7 | 17/06/2013 | ABR | MGH | 156066.8 | Updated subsection 2.1.3
6 | 25/07/2012 | RDB | MGH | 156066.7 | Updated subsection 2.1.3
5 | 17/02/2012 | RDB | MGH | 156066.6 | Document new format. No change of contents
4 | 23/12/2008 | ABR | MGH | 156066.5 | General revision of the document, added more error messages and troubleshooting section
3 | 29/07/2008 | OLK | MGH | 156066.4 | Document form revision
2 | 12/05/2007 | ABR | MGH | 156066.3 | Updated with configuration instructions for TH4
1 | 07/02/2007 | ABR | MGH | 156066.2 | Updated after meeting dated 06/02/07
0 | 18/12/2006 | MGH | MGH | 156066.1 | First emission

FEDEGARI has made every effort to ensure that the information contained in this manual is accurate and exhaustive; however, it assumes no responsibility for errors or omissions. FEDEGARI reserves the right to amend, at any time and without notice, the information regarding the hardware and software described in this document, and to amend this manual at any time without notice.


Document modifications history

Revision 4: derived from "THEMA4 OPTION 16 – THEMA4 CONTROL SYSTEM – Users Remote Authentication" D/O#156066.4 with the following changes:
- general revision of the document, with reorganization of contents;
- paragraph 1.3.5: added more messages to the table;
- section 2: added a paragraph about troubleshooting.
Revision 5: new document format, no change of contents.
Revision 6: paragraph 2.1.3: added the case of the configuration menu for software version W30 and later.
Revision 7: paragraph 1.3.2: added a note about custom profiles, starting from W39; paragraph 2.1.3: added an instruction to step 3 for W39.


INTRODUCTION
This document describes OPTION 16 – Users Remote Authentication for the THEMA4 controller, which allows the controller to be integrated with Active Directory.

NOTATIONS
In this user manual, these notations are used:

NOTE
for additional note

REFERENCE
for references to other sections

IMPORTANT NOTE
for important note

WARNING!!
for very important note


DOCUMENT SECTIONS
This document is composed of the following sections:

1 GENERAL DESCRIPTION
General description of the Remote Authentication feature, which focuses on theory of operation.

2 CONFIGURATION
This section details more practical aspects of the Remote Authentication feature, such as setting up the
integration and troubleshooting.


INDEX

1 GENERAL DESCRIPTION (page 7)
1.1 INTRODUCTION (page 8)
1.1.1 Authentication protocol (page 8)
1.2 INTEGRATION WITH MICROSOFT ACTIVE DIRECTORY (page 9)
1.2.1 Software architecture (page 9)
1.2.2 Authorization data (page 10)
1.3 ACCESS MANAGEMENT WITH REMOTE AUTHENTICATION (page 11)
1.3.1 Thema4 configuration (page 11)
1.3.2 Profile configuration (page 11)
1.3.3 Remote authentication operations (page 12)
1.3.4 General login data (page 12)
1.3.5 Login operation (page 13)
1.3.6 Logout operation (page 14)
1.3.7 Login data displayed on the Thema4 (page 14)
1.4 LIMITATIONS FOR REMOTE AUTHENTICATION (page 16)
1.4.1 User ID and password (page 16)
1.4.2 Login Management Operations (page 16)
1.4.3 Logout (page 16)
1.4.4 Audit trail (page 16)
2 CONFIGURATION (page 17)
2.1 HOW TO SET UP THE INTEGRATION (page 18)
2.1.1 Preliminary requirements (page 18)
2.1.2 Preparing the Key Distribution Center (page 18)
2.1.3 Preparing the controller (page 19)
2.2 TROUBLESHOOTING (page 20)
2.2.1 Key version number issue with some versions of "ktpass" (page 20)
2.2.2 Repeating the configuration procedure from the beginning (page 21)

TABLES
Table 1-1 – Remote authentication operations (page 12)
Table 1-2 – Extract of general login data (page 12)
Table 1-3 – Login messages (page 14)
Table 1-4 – Login data (page 15)

FIGURES
Fig. 1-1 – Remote Authentication architecture (page 8)
Fig. 1-2 – Software architecture details (page 9)
Fig. 2-1 – Selection of "th4login" properties with ADSIEdit (page 20)
Fig. 2-2 – Discovering KVNO of "th4login" (page 21)


Section 1 THEMA4 CONTROL SYSTEM

1 GENERAL DESCRIPTION
1.1 - INTRODUCTION
1.1.1 - Authentication protocol
1.2 - INTEGRATION WITH MICROSOFT ACTIVE
DIRECTORY
1.2.1 - Software architecture
1.2.2 - Authorization data
1.3 - ACCESS MANAGEMENT WITH REMOTE
AUTHENTICATION
1.3.1 - Thema4 configuration
1.3.2 - Profile configuration
1.3.3 - Remote authentication operations
1.3.4 - General login data
1.3.5 - Login operation
1.3.6 - Logout operation
1.3.7 - Login data displayed on the Thema4
1.4 - LIMITATIONS FOR REMOTE
AUTHENTICATION
1.4.1 - User ID and password
1.4.2 - Login Management Operations
1.4.3 - Logout
1.4.4 - Audit trail


1.1 INTRODUCTION
Remote user authentication is requested mainly to avoid having several local user databases to configure and maintain.
Using a central user database gives the following benefits:
- all user data is held in a single database (no duplicate data exists);
- all user information is managed in the same system (the central domain control server).

To be effective for pharmaceutical systems, remote authentication needs to be implemented with the following criteria:
- use a standard authentication protocol for client agents and network services, so that authentication is secure in heterogeneous environments;
- guarantee highly secure authentication (using cryptography and security protocols) that prevents eavesdropping and replay attacks and ensures the integrity of the data; when authentication information is transmitted in plain text, the password can be read while it travels across the network;
- implement a password management system compliant with 21 CFR Part 11.

[Fig. 1-1 – Remote Authentication architecture: three THEMA4 controllers, each with its own LOCAL USERS DB, send a REQUEST AUTHENTICATION carrying the STERILIZER ID (IP ADDRESS) to the USERS DOMAIN SERVER, which holds the CENTRAL USER DB and returns an AUTHENTICATION ANSWER.]

Fig. 1-1 – Remote Authentication architecture

1.1.1 Authentication protocol

Thema4 remote authentication is based on AuthAgent Kerberos, an embedded implementation of the Kerberos V authentication protocol (RFC 1510, since superseded by RFC 4120) for client agents and network services running on embedded platforms.
Being fully interoperable with Unix® Kerberos Key Distribution Centers (KDCs) and with Microsoft® Active Directory in Windows® servers, it allows highly secure authentication in heterogeneous environments.


1.2 INTEGRATION WITH MICROSOFT ACTIVE DIRECTORY

The Kerberos protocol handles only the authentication of a login; authorization depends on the operating system running on the server. In the case of integration with Microsoft Active Directory this information is carried in the Privilege Attribute Certificate (PAC; the controller's messages call it "Privilege Access Certificate"), which Thema4 retrieves through the Kerberos protocol.
This section explains the details of the integration with Microsoft Active Directory, which this document refers to as the KDC (Key Distribution Center).

1.2.1 Software architecture

The following figure shows how a "local" or "remote" login operation works and the interaction between the Thema4 software components and a Windows-based Key Distribution Center.

[Fig. 1-2 – Software architecture details: a Remote GUI and the Primary GUI, each with its FECPclient, talk over FECP to the FECPserver of the PCS (request a, reply d); the PCS holds the LOCAL USERS DB and talks over Kerberos to the Key Distribution Center, which holds the CENTRAL USER DB (steps b and c).]

Fig. 1-2 – Software architecture details

If the login operation is local:

a. a GUI sends a login request to the PCS (FECP protocol);
d. the PCS searches its internal database, then sends back to the GUI the information it needs to configure itself (FECP protocol).

If the login operation is remote:

a. a GUI sends a login request to the PCS (FECP protocol);
b. the PCS contacts the Key Distribution Center (Kerberos protocol);
c. the Key Distribution Center sends back a ticket carrying the authorization data (PAC) (Kerberos protocol);
d. the PCS decodes the PAC and sends back to the GUI the information it needs to configure itself (FECP protocol).

The step letters are those of Fig. 1-2; a local login skips steps b and c.


1.2.2 Authorization data

If the authentication succeeds, the Windows operating system puts into the ticket the Privilege Attribute Certificate (PAC), which is encoded and signed (with the KDC key and with the key of the service the ticket is issued for, so it cannot be altered without detection) and contains information about the user.
Thema4 extracts from this data:
- public name;
- residual validity time;
- expiration date;
- list of the Active Directory groups the user belongs to.

The public name is displayed by the controller and used to record in the audit trail the operations performed with that login.
The residual validity time is a "per session" value and has a completely different meaning from the one it has for a "local" account: it is the maximum duration of a Kerberos session, and it is reloaded every time a login operation succeeds.
The expiration date follows the rules defined within Active Directory on the KDC and has a meaning similar to the one defined for "local" logins.
The list of Active Directory groups the user belongs to is used to set up the profile for the work session. It is also used to decide whether that specific login is allowed to operate on that sterilizer, so access to the system may be refused even when the User ID and password provided are correct.
For more details see 1.3.2 - Profile configuration and 1.3.5 - Login operation.


1.3 ACCESS MANAGEMENT WITH REMOTE AUTHENTICATION

This section describes how Access Management changes when "remote" authentication is used instead of "local" authentication.

REFERENCE
For a general description of Access Management see chapter 6 of the THEMA4 User's Manual.

1.3.1 Thema4 configuration

From the point of view of "remote" login management, Thema4 is configured at two levels: Factory setting and User setting.
If Remote authentication is not enabled at Factory level, only "local" logins are possible; otherwise "remote" logins can be enabled through the General login data.
When "remote" logins are enabled, the operator still chooses at login time whether to attempt a "local" or a "remote" login.

IMPORTANT NOTE
The "local" database cannot be disabled completely, because at least one administrator must always be configured. This also makes it possible to work on the machine when the KDC is down.
It is nevertheless easy to force users to use only "remote" accounts: keep a single administrator enabled in the local database, with credentials that are not known to normal users.
This local login can be used to create local logins in case of need.

Details about Thema4 configuration are given in section 2 of this document.

1.3.2 Profile configuration

After a successful login, and for the whole "work session", an operator has access only to the operations allowed by his profile.

For "local" logins the profile is chosen on a "per user" basis. This means that, although an account can belong to only one of the four groups defined for the controller (Administrator, Supervisor, User, Maintenance), the profile of a specific login can be customized at will (apart from a few restrictions described in the User's Manual).

For "remote" logins the profile is defined on a "per group" basis. An account can belong to one of the four groups defined for the controller, but the profile is the same for all accounts belonging to the same group. The profile of each of the four groups of the controller can still be altered at will (apart from a few restrictions described in the User's Manual), which allows access to the controller to be customized for groups of users.
The profile configuration for "remote" logins is done on Thema4 by associating an Active Directory group with each group of the controller. A Thema4 therefore recognizes four Active Directory groups and maps each one to one of its internal groups.
By controlling the groups an account belongs to, it is possible to control, within Active Directory, the access to a specific sterilizer.

IMPORTANT NOTE
Starting from software version W39 it is possible to add up to 32 custom groups through the graphical user interface function "Log-in&Passwords\Log-in data\Profile Management\Custom Profile". These groups can be used both for "local" and for "remote" logins.
For "remote" logins this raises the total number of groups selectable for remote authentication to 36 (4 standard groups plus 32 custom groups), giving more options to differentiate the profiles of remote accounts.


If more than one Thema4 is used, four Active Directory groups can be defined for each Thema4, allowing an operator to act, for example, as a User on one sterilizer and as a Supervisor on another. It is also possible to create only four groups in total, so that an operator has, for example, the User role on all sterilizers.
The choice is left to the customer and can be changed at any time by acting on Active Directory and/or on the controller.

Details about Thema4 configuration are given in section 2 of this document.

1.3.3 Remote authentication operations


The following table lists the operations related to access management and states which are executed on the Thema4 and which on the KDC when Remote Authentication is enabled.

N° | FUNCTION | Thema4 | KDC
1 | Accessing the system and starting a work session ("Login") | X |
2 | Closing a work session ("Logout") | X |
3 | Managing access codes: assigning users to groups | | X
4 | "First access" management | | X
5 | Changing passwords | | X
6 | Display/Printing the configuration of the active logins | | X
7 | MASTER session with write access | X |
Table 1-1 – Remote authentication operations

IMPORTANT NOTE
With "local" authentication, all these functions are executed on Thema4.

IMPORTANT NOTE
With "remote" authentication the logins are managed on the KDC, so "assigning users to groups", "Changing passwords", "First access" and "Display/Printing the configuration of the active logins" are server operations.

"First access" in compliance with 21 CFR Part 11: at the first login the user has to change the password, that is, the user must be forced to change the password the first time he attempts to log in. Because a password can be changed only in the KDC database, "first access" management is implemented only there. Thema4 will not allow a login with an access code whose password has not been changed at the first access.

1.3.4 General login data


General login data controls several aspects of access to the controller.

REFERENCE
For details about General login data see paragraph 6.5 of the THEMA4 User's Manual.

For "remote" logins, only the parameter "inactivity time" is managed on Thema4:

No. | Parameter | Description | UM | Range | Action
7 | Inactivity time | While an operator has a work session in progress, the system counts the "inactivity time", understood as the continuous period of time during which no activity of the operator is detected. The work session of an operator is closed automatically by the system when the accumulated "inactivity time" reaches the limit programmed. | min | 1 - 60 | Thema4 automatically closes the work session when the accumulated "inactivity time" reaches the limit programmed
Table 1-2 – Extract of general login data

1.3.5 Login operation

If Remote Authentication is enabled, the login page lets the operator choose whether the User ID and password provided apply to a "local" or to a "remote" login.
For a "remote" login, if the access data are entered incorrectly or an error occurs, one of the following warning messages is displayed and must be acknowledged.

No. | Message | Description | LOGIN AUTHENTICATION (by KDC)

1 | Access to the Group functions | USER-ID and Password are correct for that client, the integration is set up correctly and the network is working properly. | OK

2 | Please enter the password before log-in | Password field is empty. | -

3 | Please enter the USER-ID before login | USER-ID field is empty. | -

4 | The Key Distribution Center is not responding, it can be down or misconfigured. | This error is raised when the controller is not able to contact the Key Distribution Center. This can be caused by: wrong connection parameters (DNS server IP address, KDC name, domain, controller's IP address, controller's gateway, controller's subnet mask); a network problem (KDC disconnected, faulty cabling). | NO ANSWER FROM SERVER

5 | The login has expired or the first access has not been performed. | The login typed in is correct but it has expired or the first access has not been performed. This problem requires action in the Windows environment (change password, re-enable the login, perform first access...). | NOT OK

6 | The login does not belong to a group defined for this sterilizer. | The login typed in is correct, but none of the Active Directory groups the login belongs to matches a group defined for this sterilizer. Check the association between Thema4 groups and Active Directory groups in the controller, and the Active Directory groups of that login in Active Directory. | OK

7 | The login belongs to more than a group defined for this sterilizer. | The login typed in is correct, but more than one of the Active Directory groups the login belongs to matches a group defined for this sterilizer. Check the association between Thema4 groups and Active Directory groups in the controller, and the Active Directory groups of that login in Active Directory. | OK

8 | The keytab file has not been installed, it is not possible to login remotely. | The controller is not able to find a correct match for the "th4login" service in Active Directory. The reason can be one of the following: the keytab file has not been installed in the controller; the keytab file in the controller is not up to date; the keytab file generated has a wrong key version number (see 2.2.1 - Key version number issue with some versions of "ktpass"); the th4login or vxtarget login has expired; the password of th4login or vxtarget has been changed. | NOT OK

9 | The Privilege Access Certificate received from Key Distribution Center has an unknown format. | The controller is not able to decode the PAC. This means that an incompatible Windows version is in use; please contact Fedegari. | NOT OK

10 | The clock of this sterilizer is out of sync with the Key Distribution Center. | Kerberos rejects requests whose timestamp is too far from the KDC clock, which bounds the window in which a captured message can be replayed; authentication therefore fails if the sterilizer clock differs from the KDC clock by more than 5 minutes. In this case check: that DNS is working properly; the timezone parameter within DNS; the Daylight Saving Time settings. | NOT OK

11 | Wrong password. | A wrong password has been supplied for the login. | NOT OK

12 | User not found in the remote database. | A wrong User ID has been supplied. | NOT OK

13 | This user is disabled. | The login typed in is correct but it has been disabled in Active Directory. This problem requires action in the Windows environment. | NOT OK

Table 1-3 – Login messages

IMPORTANT NOTE
With Remote Authentication, Thema4 does not manage the messages about the remaining "attempts" before the login is suspended, nor those about the number of characters the password must contain (except for the maximum limits).

IMPORTANT NOTE
With Remote Authentication, Thema4 does not count the wrong access attempts made with a remote account; this is managed by the KDC (the domain account lockout policy) if that function is available and enabled there.

When the KDC accepts the User ID and password provided, it gives Thema4 a ticket, and Thema4 checks whether the account belongs to one (and only one) of the Active Directory groups defined for the sterilizer. If it belongs to no group or to more than one, the ticket is discarded and the login refused; otherwise the ticket is kept and the login succeeds. The ticket received has an expiration time that depends on the policies defined on the KDC; a duration of 8 or 10 hours is common.
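The check described above, as an added Python example that is not part of the Fedegari software: the "one and only one group" rule of this section applied to the group SIDs found in the ticket's PAC, together with the RID extraction that step 5 of section 2.1.2 performs by hand on objectSid. It assumes the PAC signature has already been verified, takes the domain SID from the objectSid example in 2.1.2, and uses constructed RIDs for the four mapped groups; the message numbers are those of Table 1-3. It also goes slightly beyond the text: because the controller stores only the RID of each group, the function can optionally pin the domain SID so that a group with the same RID in another domain, or a BUILTIN group, cannot match.

```python
"""Added example, not Fedegari code: Thema4-side group check after the KDC
has issued a ticket (section 1.3.5), run on constructed input."""
import re

# Message numbers from Table 1-3 that are decided on the controller
MSG_OK = 1
MSG_NO_GROUP = 6
MSG_TOO_MANY_GROUPS = 7

# Constructed data: the domain SID is the prefix of the objectSid example in
# section 2.1.2; the four RIDs are assumptions made for this example.
DOMAIN_SID = "S-1-5-21-769278194-3318199905-4160292170"
THEMA4_GROUPS = {
    "Administrator": 1110,
    "Supervisor": 1111,
    "User": 1112,
    "Maintenance": 1113,
}

_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def split_sid(sid):
    """Split a textual SID into (domain/authority part, RID).

    The RID is the last sub-authority: for the objectSid shown in section
    2.1.2 it is 1110, the number typed into the controller configuration.
    """
    if not _SID_RE.match(sid):
        raise ValueError("not a SID: %r" % (sid,))
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)


def select_profile(pac_group_sids, group_map, domain_sid=None):
    """Apply the 'one and only one group' rule to the groups in the PAC.

    pac_group_sids: full SIDs of the groups listed in the PAC (in MS-PAC the
        domain groups are RIDs relative to the logon domain SID and the
        ExtraSids are full SIDs; both are given here already expanded).
    group_map:      {Thema4 group name: RID} as configured on the controller.
    domain_sid:     if given, only groups of this domain are considered, so a
        same-RID group from another domain or from BUILTIN cannot match.
    Returns (message number, Thema4 group name or None).
    """
    rids = set()
    for sid in pac_group_sids:
        domain, rid = split_sid(sid)
        if domain_sid is None or domain == domain_sid:
            rids.add(rid)
    matches = [name for name, rid in group_map.items() if rid in rids]
    if not matches:
        return MSG_NO_GROUP, None          # message 6: ticket discarded
    if len(matches) > 1:
        return MSG_TOO_MANY_GROUPS, None   # message 7: ticket discarded
    return MSG_OK, matches[0]              # message 1: profile of that group


if __name__ == "__main__":
    # A user who is in Domain Users (RID 513) and in the mapped "User" group
    pac = [DOMAIN_SID + "-513", DOMAIN_SID + "-1112"]
    print(select_profile(pac, THEMA4_GROUPS, DOMAIN_SID))   # (1, 'User')
```

Without the domain pin, the comparison is exactly what the controller configuration of section 2.1.2 allows (a RID per group); with it, a trusted domain that happens to reuse RID 1112 for some other group is ignored instead of granting the User profile.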

1.3.6 Logout operation


When a logout operation is performed, Thema4 discards the ticket received during the login operation and asks for a new ticket when the next login operation is performed.

It is not possible to force a logout from the KDC: the user continues to work on Thema4 until the ticket expires, at which point an automatic logout happens. If the login has been disabled in the KDC the user will not be able to obtain a new ticket, and therefore will not be able to log in again.

A logout is performed in the following conditions:

a) when the user ends his login session by means of the logout button;
b) when the user ends the THEMA4 program by means of the shutdown button;
c) when the "Inactivity time" expires; this time (if used) is managed by Thema4;
d) when the ticket expires (this can be controlled within Active Directory).

IMPORTANT NOTE
No logout information is sent to the KDC, so it is not aware whether an account is logged in or not.

1.3.7 Login data displayed on the Thema4


Thema4 displays information about the accounts connected to the system in some GUI areas (such as the status bar, the Machine State page and the Log-in Status page) and in files (Process Report, Audit Trail). The following table shows the information displayed for "remote" accounts and the role of the KDC:

N° | Data | Thema4 | KDC
1 | User "public name" | Displayed in the status bar and written into the reports and the Audit Trail | Managed in the KDC and sent to the client during the login operation
2 | User "residual validity time" | Displayed in the status bar and decreased every minute | Managed in the KDC and sent to the client during the login operation
3 | User "expiration date" | Displayed in the status bar | Managed in the KDC and sent to the client during the login operation
4 | Inactivity time | Not displayed explicitly; when the countdown approaches 30 seconds left a warning is displayed | The KDC is not aware of and does not control this parameter, which is defined within the general login data of the controller
5 | List of the users connected on all the HMIs of the EQUIPMENT (with the information about the MASTER session) | The client displays the public name of the users connected on the different client HMIs, both "local" and "remote" | The KDC is not aware of the accounts logged into a Thema4
Table 1-4 – Login data

IMPORTANT NOTE
The functions “Residual Validity Time” and “Expiration Date” in Remote Authentication
operations will be managed on the server if these operations are available and enabled.
In any case, during a session authenticated remotely, Thema4 will not perform any logout
due to these functions.


1.4 LIMITATIONS FOR REMOTE AUTHENTICATION


Because of the characteristics of the Kerberos protocol, some limitations apply when remote authentication is selected. They do not apply to local login operations.

1.4.1 User ID and password


Thema4 limits the User ID that can be typed into the login page to 11 characters, so it is not possible to log in remotely with an account whose User ID is longer.
Similarly, Thema4 limits the password that can be typed into the login page to 19 characters, so it is not possible to log in remotely with an account whose password is longer; the domain password policy applied to the accounts used on the sterilizers must therefore allow passwords within this limit.

1.4.2 Login Management Operations


When the system is operated with remote authentication, compliance with 21 CFR Part 11 depends on the compliance with 21 CFR Part 11 of the server system.
Since remote logins are managed only by the server, the server is in charge of the operations on these logins, such as: create, suspend, remove, re-enable, change password and first-password management.

1.4.3 Logout
A remote login is not kicked off the Thema4 system immediately when it is disabled in the KDC. The user continues to work until a logout happens on Thema4; after that he is no longer able to log in.

1.4.4 Audit trail


Since it is not possible to create, suspend, remove, re-enable or change the password of a remote user from the Thema4 GUI, the audit trail contains no entries for these actions for remote logins.
When a remote login operation fails for any reason, the failure is recorded in the audit trail.


Section 2 THEMA4 CONTROL SYSTEM

2 CONFIGURATION
2.1 - HOW TO SET UP THE INTEGRATION
2.1.1 - Preliminary requirements
2.1.2 - Preparing the Key Distribution Center
2.1.3 - Preparing the controller
2.2 - TROUBLESHOOTING
2.2.1 - Key version number issue with some versions
of “ktpass”
2.2.2 - Repeating the configuration procedure from
the beginning


2.1 HOW TO SET UP THE INTEGRATION


To set up the Thema4 controller to operate with Microsoft Active Directory, some operations must be performed on the Key Distribution Center and on the Thema4 controller.

2.1.1 Preliminary requirements

The domain must have a DNS server properly configured with forward and reverse lookup zones, reachable by the Thema4 controller.

2.1.2 Preparing the Key Distribution Center


To configure the KDC for use with a Thema4 control system perform the following steps:

1) Create a login named "th4login" with any password, perform the first access and set the password as you like. This login must be set so that it never expires and is never required to change its password.
2) Create a login named "vxtarget" with any password, perform the first access and set the password as you like. This login must be set so that it never expires and is never required to change its password.
3) Create a keytab file with ktpass.exe (a command line Windows application for the server):

   ktpass /princ th4login/vxtarget@EXTRANET.FEDEGARI.IT /mapuser th4login /pass password /out krb5.keytab

   where the following items change from customer to customer:

   - EXTRANET.FEDEGARI.IT: the name of the domain, in upper case
   - password: the password that has been assigned to "th4login"

   This operation maps the service principal th4login/vxtarget onto the th4login account in the Microsoft Active Directory database and produces a file (krb5.keytab) to be installed on the Thema4 controllers. The keytab contains the secret key of the th4login account, so it must be stored and transferred as a secret.

   N.B.: If more than one Thema4 controller is connected to the same KDC, only one keytab file must be generated, and that same file must be installed on each Thema4 controller. The keytab file carries a key version number (kvno) that increases every time ktpass sets the account password, so when a new keytab is generated the old one stops working. For this reason the keytab file must be reinstalled on each Thema4 every time it is generated.

4) Create the logins and groups you like; the groups must be Security groups with Global scope (shown as "Global/Protection" on localized servers) in order to control access for the login. It is a good idea to create 4 groups for each Thema4 machine.
5) Run the "ldp" tool from the command line to get the short Security Identifier of each group.
   Once the "ldp" window comes up perform the following steps:
   a. connect to the server itself;
   b. perform a bind (administrator rights are probably needed to read the desired data);
   c. browse the domain tree until you reach the groups you defined;
   d. view the details of the group, in particular the "objectSid" field. It has the form
      S-1-5-21-769278194-3318199905-4160292170-1110;
      the number to enter in the Thema4 system is the last component (the Relative Identifier, 1110 in this example), which is what this procedure calls the "short Security Identifier";
   e. collect that number for all the groups you are interested in.

N.B.: It is possible to repeat steps 4 and 5 at any time.
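Step 5 reads the objectSid from ldp by hand; when the same lookup is scripted over LDAP the attribute arrives as a binary blob. The following Python helpers are an added example, not Fedegari's code, and take the “short SID” to be the last component of the SID (the relative identifier); the sample input is constructed from the SID string quoted in step 5 d.

```python
import struct

def sid_to_string(blob):
    """Decode a binary objectSid, as LDAP returns it, into its S-1-... text form."""
    revision, count = blob[0], blob[1]
    if revision != 1 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(blob[2:8], "big")        # 48-bit identifier authority
    subs = struct.unpack_from("<%dI" % count, blob, 8)  # sub-authorities, little-endian
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def string_to_sid(text):
    """Encode an S-1-... string back to binary; used here only to build test input."""
    parts = text.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("malformed SID string")
    subs = [int(p) for p in parts[3:]]
    return (bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def short_sid(text):
    """The relative identifier (last sub-authority): the 'short SID' typed into the controller."""
    return int(text.rsplit("-", 1)[1])

def same_domain(a, b):
    """True when two SID strings share the domain part (everything before the RID).

    Short SIDs are only unique within one domain, so compare the full SID
    whenever groups from more than one domain are in play.
    """
    return a.rsplit("-", 1)[0] == b.rsplit("-", 1)[0]

# Constructed input: the example objectSid quoted in step 5 d, in binary form.
SAMPLE_SID = string_to_sid("S-1-5-21-769278194-3318199905-4160292170-1110")
```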

IMPORTANT NOTE
To create the keytab file it is necessary to install the Support Tools of the operating system:
a set of tools that help administrators streamline management tasks such as troubleshooting
operating system issues, managing Active Directory®, configuring networking and security
features, and automating application deployment. The Tools can be downloaded from the
Microsoft web site.




2.1.3 Preparing the controller


To configure the controller perform the following steps:
1) Install the generated keytab file on the Thema4 controller. To do this, power on the system and enter the
Configuration Menu;
1.1) For sw versions before W30:
a. login locally and select “Special Operations”;
b. choose “Install kerberos keytab file”; the file can be loaded from floppy, from the network (through
FTP), from a USB floppy drive or from a USB key (this item is shown only when a USB key is plugged in);
c. once the file has been installed, shut down the system.

1.2) For sw versions from W30 onwards:

a. login locally, select “Set device” and choose the device from which to install the keytab file;
b. choose “Software Object Update”;
c. choose “Kerberos keytab file installation” to install the file from the selected device;
d. once the file has been installed, shut down the system.
2) Turn on the system and login locally as an administrator.
3) Edit General login data by:
a. setting Enable Remote Authentication;
b. typing the name of the PC that acts as the Key Distribution Center;
c. typing the name of the Windows Domain;
d. typing the IP address of the PC that acts as the DNS server;
e. entering the short SID of the Windows group that will represent the User group for this Thema4 controller;
f. entering the short SID of the Windows group that will represent the Supervisor group for this Thema4
controller;
g. entering the short SID of the Windows group that will represent the Maintenance group for this Thema4
controller;
h. entering the short SID of the Windows group that will represent the Administrator group for this Thema4
controller;
i. if the software version is W39 or later and custom profiles are used, entering, for each configured custom
profile, the short SID of the Windows group that will represent it for this Thema4 controller;
j. save settings.
4) Enable SNTP integration and DST management as follows:
a. login locally with an account that is allowed to change system parameters;
b. enable SNTP;
c. enter the timezone for your country;
d. choose the other parameters according to your time server requirements;
e. enable DST;
f. enter the parameters according to your country requirements;
g. save settings.
5) Restart the system.

Now it is possible to login remotely. Remember that the system must be rebooted every time one of the
following “General Login Data” parameters is changed:
- Key Distribution Center
- Domain name
- DNS server IP address.




2.2 TROUBLESHOOTING
Following the step-by-step instructions described in the previous paragraph allows the integration to work
immediately. This chapter describes some common mistakes that can be made during setup and that can prevent
the integration with Active Directory from working correctly.
2.2.1 Key version number issue with some versions of “ktpass”
The keytab file contains a field which identifies the Key Version Number (KVNO) of the th4login account. On
Windows 2000 based KDCs this field is not managed and the KVNO is always zero. On Windows 2003 based
KDCs this field is increased by one every time the password is changed, which means that it is also increased by
one every time the “ktpass” tool is run to generate the keytab file.
Some versions of Windows 2003 server are supplied with a buggy version of the “ktpass” tool, which does
not update the KVNO in the keytab file. This causes the error message “The keytab file has not been installed,
it is not possible to login remotely” to keep appearing.
In this case it is necessary to provide the correct KVNO to the “ktpass” tool when generating the keytab file. To
do this, discover the current KVNO of “th4login” and pass it, increased by one, to “ktpass”.

To fix the problem use the following procedure:


1. Run ADSIEdit (a support tool supplied with Windows server operating systems), select “th4login” and display
its properties

Fig. 2-1 – Selection of “th4login” properties with ADSIEdit




2. Look up the value of the “msDS-KeyVersionNumber” attribute among the properties; that is the current KVNO.
In the example the value is 9.

Fig. 2-2 – Discovering KVNO of “th4login”

3. Run ktpass providing the additional parameter kvno, equal to the value found at step 2 increased by
one.

ktpass /princ th4login/vxtarget@EXTRANET.FEDEGARI.IT /mapuser th4login /pass password /out krb5.keytab /kvno 10

4. Put the keytab file on the controller.
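Before the file is copied to the controller it is worth reading the KVNO back out of it, since the buggy “ktpass” leaves the old value in place and the mismatch only shows up as the login error described above (the same version counter is the progressive number mentioned in the N.B. of paragraph 2.1.2). The parser below is an added example, not Fedegari's or Microsoft's code; it reads the MIT keytab layout that ktpass writes (file version 0x0502) and the sample file is constructed inline from the principal used in this document.

```python
import struct

def _counted(buf, off):                  # counted_octet_string: uint16 BE length + bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return (principal, kvno, enctype) for every live entry of a v2 MIT keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                     # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, p = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(data, p)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, p)
        p += 9
        enctype, keylen = struct.unpack_from(">HH", data, p)
        p += 4 + keylen                  # skip the key material itself
        vno32 = struct.unpack_from(">I", data, p)[0] if end - p >= 4 else 0
        kvno = vno32 or vno8             # optional 32-bit KVNO wins when non-zero
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        off = end
    return entries

def check_kvno(data, expected):
    """True when the keytab is non-empty and every entry carries the expected KVNO."""
    entries = parse_keytab(data)
    return bool(entries) and all(kvno == expected for _, kvno, _ in entries)

def build_entry(principal, kvno, enctype, key):
    """Build one keytab entry; constructed test data only, ktpass writes the real file."""
    name, realm = principal.split("@")
    body = struct.pack(">H", name.count("/") + 1)
    for s in [realm] + name.split("/"):
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: the entry a correct ktpass run with kvno 10 would contain.
SAMPLE = b"\x05\x02" + build_entry("th4login/vxtarget@EXTRANET.FEDEGARI.IT", 10, 23, b"\x00" * 16)
```

The value to expect is the msDS-KeyVersionNumber read at step 2 plus one; any entry reporting the old number means the file must be regenerated before it is put on the controller.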

2.2.2 Repeating the configuration procedure from the beginning


If something went wrong in the configuration of the integration, it is possible to repeat the whole procedure
from the beginning by simply removing the “vxtarget” and “th4login” accounts.

