Control How iFIX Security Authenticates Windows Accounts
iFIX security allows local and domain accounts in Windows to be configured for authentication within iFIX. Beginning with iFIX 3.5, iFIX security also allows you to configure the Windows API that connects to the domain controller for authentication. You can configure the following Windows APIs for use with iFIX:
- NetGetDcName - An older function that iFIX originally used with Network Basic Input/Output System (NETBIOS) to discover the IP address of the primary domain controller (PDC). This function does not support DNS-style names, will not detect a backup domain controller (BDC), and is not recommended in a Windows environment that uses Domain Name System (DNS) for name resolution without NETBIOS or a Windows Internet Name Service (WINS) server.
- NetGetAnyDcName - This function returns the name of any domain controller for a domain that is directly trusted by the specified server. To use this function, the computer must have a trusted connection with the server.
- DsGetDcName - The default function call made by iFIX security. This function uses Active Directory to return the name of a domain controller.
NOTE: If domain logon caching is enabled on the server, be sure that you configure the "Interactive logon: Number of previous logons to cache" setting in the Windows security policies to something other than 0. For example, if the value is 5, the server caches logon information for 5 users. This security policy can be found in Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options. Domain caching allows users to log on even when they are not connected to a domain, such as when connected to a corporate network. Be sure that other security countermeasures are enforced, such as strong passwords, if this feature is enabled.
Use the secnet.ini file to configure the settings for the name resolution call. You can find this file in the <iFIX directory>\LOCAL folder.
In the secnet.ini file, the DomainRetrieverCall value can be modified to 0, 1, or 2, which correspond to one of the following methods:
- 0 - Use NetGetDcName
- 1 - Use NetGetAnyDcName
- 2 - Use DsGetDcName (Default)
Example Entry in Secnet.ini File
The following is an example of the text in the secnet.ini file that sets the Windows API function call. The example sets the DsGetDcName function (Active Directory) to return the name of a domain controller:
[SECNET]
DomainRetrieverCall=2
NOTE: iFIX reads the secnet.ini file during iFIX startup. If you modify this file, you must restart iFIX for the changes to be applied. Be aware that if you make any modifications to this file and later upgrade your iFIX system, you should review your custom settings in the secnet.ini file after the upgrade. Depending on the date of the modifications, there is a slight chance that you may need to enter your changes again, as the upgrade process typically overwrites the secnet.ini file with a newer version.
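The following Python check is an added example, not part of iFIX or its documentation. It audits the text of a secnet.ini file against the value mapping above and a site baseline, so that a setting overwritten by an upgrade is noticed. The name audit_secnet, the case-insensitive matching of section and key names, and treating a missing entry as the documented default are assumptions.

```python
import configparser

# Value-to-API mapping as documented on this page.
DOMAIN_RETRIEVER_CALLS = {0: "NetGetDcName", 1: "NetGetAnyDcName", 2: "DsGetDcName"}
DEFAULT_CALL = 2  # documented default (DsGetDcName)


def audit_secnet(ini_text, expected=DEFAULT_CALL):
    """Return (effective_value, findings) for the text of a secnet.ini file."""
    findings = []
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    try:
        parser.read_string(ini_text)
    except configparser.Error as exc:
        return None, [f"unparseable file: {exc}"]

    # Assumption: section and key names are matched case-insensitively.
    section = next((s for s in parser.sections() if s.upper() == "SECNET"), None)
    raw = parser.get(section, "DomainRetrieverCall", fallback=None) if section else None

    if raw is None:
        # Assumption: a missing entry means the documented default applies.
        value = DEFAULT_CALL
        findings.append("DomainRetrieverCall not set; assuming default 2 (DsGetDcName)")
    else:
        try:
            value = int(raw.strip())
        except ValueError:
            return None, [f"DomainRetrieverCall={raw!r} is not a number"]
        if value not in DOMAIN_RETRIEVER_CALLS:
            return None, [f"DomainRetrieverCall={value} is not one of 0, 1, 2"]

    if value == 0:
        findings.append("NetGetDcName: no DNS-style names, no BDC detection; "
                        "not recommended for DNS-only name resolution")
    if value != expected:
        findings.append(f"value {value} differs from baseline {expected}; "
                        "re-check after upgrade, which can overwrite secnet.ini")
    return value, findings


if __name__ == "__main__":
    # Constructed sample: file content differs from a site baseline of 2.
    sample = "[SECNET]\nDomainRetrieverCall=0\n"
    print(audit_secnet(sample, expected=2))
```

Read the file from the <iFIX directory>\LOCAL folder and pass its text to audit_secnet; because iFIX reads the file only at startup, a clean result describes what the next restart will use.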