Microsoft Active Directory service overview - Metasys - LIT-12011279 - General System Information - Metasys System - 13.0

Network and IT Guidance Technical Bulletin

Brand: Metasys
Product name: Metasys System
Document type: Technical Bulletin
Document number: LIT-12011279
Version: 13.0
Revision date: 2023-09-29
Product status: Active
Language: English

This section provides an overview of Active Directory services as implemented in the Metasys system. For more details, refer to the Security Administrator System Technical Bulletin (LIT-1201528).

The Active Directory service feature used by the Metasys system provides an IT standard integration of the Metasys system into a customer’s existing Active Directory service infrastructure for authentication purposes. This optional component provides the convenience of Single Sign-On (SSO) access, a capability that permits users to log in to multiple, secured application User Interfaces without reentering their user name and password.

The Metasys system works in conjunction with the Active Directory Service. It allows the Active Directory Service to provide authentication for access to various Metasys software applications, including the Metasys server, Metasys UI, Johnson Controls System Configuration Tool (JCT), and System Configuration Tool (SCT), but not the engines. Using the Security Administrator System menu option, you can add Active Directory users and assign them various levels of access and permissions, from read-only to administrator privileges. Using the same option, you can also grant Single Sign-On (SSO) access to all Active Directory users for a more convenient authentication process. The Metasys UI and Johnson Controls System Configuration Tool do not support SSO.
Note: You can use a local Metasys user account or an Active Directory user account to log in to Metasys. For Active Directory users, authentication can be AD/LDAP or ADFS. SMP supports AD/LDAP only (does not support ADFS). Metasys UI supports AD/LDAP, and on non-MVE sites, it also supports ADFS. SSO for Metasys UI is available only with ADFS.

The Metasys architecture uses Active Directory service for authentication. The user provides Active Directory service credentials in one of two forms:

  • Active Directory service credentials that are cached by Windows when the user logs in to the computer, and then automatically retrieved by the Metasys system during the Windows Integrated Authentication with IIS process on the Metasys server, or SCT.

  • Active Directory service credentials (user name, password, and domain) that are specified directly on the Site Management Portal UI login screen.

An Active Directory service user name includes the specification of a domain name with the user name. For example, instead of a user name called John, the user name in Active Directory service and the Metasys system could be John@my.corp.com, which includes the domain specifier required by Active Directory service.

For releases prior to Metasys Release 8.1 and System Configuration Tool Release 11.1, Active Directory implementation with the Metasys system allows a hybrid User Principal Name (UPN) format for usernames and the Security Account Manager (SAM) format, which uses the username, password, and domain selection. The hybrid UPN format uses the username in which the full domain name is provided. The Metasys system does not support an exact or alternate match of the UPN name and instead validates the prefix portion and the suffix portion of the Active Directory username. The prefix is the username (myUser) and the suffix is the domain name (my.corp.com). The prefix and suffix are separated by the @ symbol. For example, myUser@my.corp.com is specified instead of myUser@corp.com, where myUser@corp.com is the email UPN name.

Figure 1. Examples of Login Formats

Metasys Release 8.1 or later, and SCT Release 11.1 or later allow exact or alternate UPN authentication support for the Metasys system in compliance with Microsoft Office 365® authentication. For example, myUser@corp.com is specified, where myUser@corp.com is the exact or alternate UPN name. To enable exact or alternate UPN format user login to the Metasys system, see Enabling exact or alternate UPN authentication for a Metasys Server and Enabling exact or alternate UPN authentication for SCT.
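The following Python snippet is an added illustration of the login-format rules described in the two paragraphs above (SAM, hybrid UPN with prefix/suffix validation, and exact or alternate UPN from Release 8.1 onward); it is not Metasys code. The AD domain, the set of registered alternate UPN suffixes, and the release gate flag are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample directory data (assumption): the AD DNS domain that the
# hybrid UPN suffix must match, and the alternate UPN suffixes (for example
# the e-mail domain) that an exact/alternate UPN login may carry.
AD_DOMAIN = "my.corp.com"
ALTERNATE_UPN_SUFFIXES = {"corp.com"}


@dataclass(frozen=True)
class LoginName:
    fmt: str      # "sam", "hybrid-upn" or "alternate-upn"
    prefix: str   # user name portion (e.g. myUser)
    suffix: str   # domain portion (e.g. my.corp.com), lower-cased


def parse_login(name: str, selected_domain: Optional[str] = None) -> LoginName:
    """Split a login into its prefix and suffix.

    SAM format has no '@' and takes the domain from the login screen's
    domain selection; UPN formats carry the domain after the '@'.
    """
    if "@" not in name:
        if not selected_domain:
            raise ValueError("SAM format requires a domain selection")
        return LoginName("sam", name, selected_domain.lower())
    prefix, _, suffix = name.rpartition("@")
    if not prefix or not suffix:
        raise ValueError(f"malformed UPN: {name!r}")
    suffix = suffix.lower()
    fmt = "hybrid-upn" if suffix == AD_DOMAIN else "alternate-upn"
    return LoginName(fmt, prefix, suffix)


def accepted(login: LoginName, exact_upn_enabled: bool) -> bool:
    """Apply the release-dependent rule.

    With exact_upn_enabled=False (pre-8.1 behaviour) only SAM and the
    hybrid form, whose suffix is the full AD domain, are accepted.
    With it enabled (8.1+), a registered alternate suffix is accepted too.
    """
    if login.fmt in ("sam", "hybrid-upn"):
        return login.suffix == AD_DOMAIN
    return exact_upn_enabled and login.suffix in ALTERNATE_UPN_SUFFIXES
```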

SSO allows users to access the Metasys system without having to type in their credentials by using Windows Active Directory authentication in conjunction with the Metasys software. This feature relies on the following:

  • The user has an active Windows Active Directory account.
  • The user is logged into a domain computer using their Active Directory credentials.
  • The user is added to the Active Directory users list in the Security Administrator System menu option.
  • The SSO feature is enabled in the Security Administrator System menu option.
  • The Metasys application supports SSO.
Note: The Metasys system does not require any particular Active Directory service structure. However, the Metasys UI only supports SSO in conjunction with the licensed ADFS feature. SSO must be configured by the administrator on the ADFS server.