Strict Authentication
With Historian's strict user account authentication features, Enforce Strict Client Authentication
and Enforce Strict Collector Authentication
, you can control access to the Historian server and safeguard user account credentials.
With strict authentication enabled, only known user accounts configured on the Data Archiver server computer will be able to access a Historian server. Similarly, enabling strict collector authentication enforces the same requirement for incoming collector connections.
For an account to be known at the Data Archiver, it has to exist on that archiver as a local account or exist on a Domain Controller available to the data archiver. Historian will access the local accounts or Domain Controller via Microsoft’s Security Support Provider Interface (SSPI) and this involves having a Kerberos server setup optionally to assist in account validation.
By default, strict client and collector authentication is enabled on new installations to maximize security. When upgrading from a previous version of Historian, strict client and collector authentication is disabled to allow compatibility with older clients or collectors that cannot be upgraded concurrently.
It is recommended that all clients and collectors receive timely upgrade to the latest version, which permits enabling both strict client and collector authentication on the server for the highest security configuration.
By treating clients and collectors separately, it is possible to accommodate new and legacy authentication during the upgrade process. However, upgrading all clients and collectors to the latest version immediately will achieve a high level of security. The two options, Enforce Strict Client Authentication and Enforce Strict Collector Authentication, permit flexibility during the upgrade process by selectively accommodating legacy clients and collectors.
Local and Domain Security Groups:
Machine Configuration | Security Group of the Logged-In User | Recommended Security Group |
---|---|---|
Workgroup | Local | Local |
Domain | Local | Domain For domain machines, we recommend that you log in with a domain-level user and create security groups in the domain controller machine. |
Domain | Domain | Domain |
Strict Authentication Options:
Strict Client Authentication | Strict Collector Authentication | Comment |
---|---|---|
Enabled | Enabled | Use this for highest available security. You will need to install SIMs, if available on all pre-6.0 collectors and clients. Clients can refer to any program that connects to the Data Archiver. This includes Historian Administrator, Microsoft Excel, any OLE DB program, user written programs, or any other Proficy software. |
Enabled | Disabled | Use this if you are unable to upgrade collectors to the latest version if there is no SIM update for your collector. |
Disabled | Enabled | Use this if you have to support legacy clients and you are unable to install the SIM update on all clients. |
Disabled | Disabled | Use this for maximum compatibility with existing systems. |
Trusted Connections in Distributed Historian Service Environment:
If you want to work in the workgroup setup, contact Online technical support & GlobalCare:www.digitalsupport.ge.com.