Implementation considerations - Metasys - LIT-12011279 - General System Information - Metasys System - 13.0

Network and IT Guidance Technical Bulletin

Product
Building Automation Systems > Building Automation Systems > Metasys System
Document type
Technical Bulletin
Document number
LIT-12011279
Version
13.0
Revision date
2023-09-29
Product status
Active

The Active Directory service feature as implemented on the Metasys system uses the existing Active Directory service infrastructure at the customer site. The following are important considerations:

  • Active Directory service users in domains hosted on server-class operating systems are supported, including domains served by read-only domain controllers (RODCs).

  • Whether a server-class operating system read-only domain controller is used is decided by the IT department responsible for setting up the accounts that authenticate against the domain controller. SSO and Active Directory service logins work through the read-only domain controller regardless of whether the writable domain controller it replicates from is online, offline, or unreachable, as long as the Active Directory service user's credentials are cached on the read-only domain controller (that is, the user is allowed by the RODC's Password Replication Policy and has already been cached). If a trust relationship exists between the read-only domain controller's domain and another domain, Active Directory service login works as long as the trusted domain is accessible; Kerberos handles the referral to the correct domain. SSO does not work for an Active Directory service user from a trusted domain through a read-only domain controller, because SSO uses NTLM and the NTLM request is not forwarded.

  • The default Active Directory services schema is supported. For details, see Information obtained from Active Directory services.

  • NTLMv2 is required for strict SSO, that is, login-free access to the Metasys system through IIS Windows Integrated Authentication. All other authentication uses Kerberos: entering an Active Directory service user name, password, and domain at the Metasys system login screen, and the Metasys server's own authentication to Active Directory services for LDAP queries.

  • The Metasys system does not store or manage the passwords of Active Directory service users. Active Directory service users who are given access to the Metasys system are identified by their security identifier (SID); they are not created or managed by the Metasys system, which maintains only their authorization permissions within the Metasys system.

  • Active Directory service credentials that are provided at the Metasys system login screen are strongly encrypted before they are sent over the network from the Site Management Portal UI to the Metasys server and SCT.

  • To ensure that Metasys system SSO works, the Network security: LAN Manager authentication level security policy (stored as the LmCompatibilityLevel value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa) must be set to compatible values on the Metasys server and SCT computer, on any Site Management Portal UI client machines, and on the Active Directory service domain controllers. Because SSO uses NTLMv2, the clients must send NTLMv2 responses (level 3 or higher), and a domain controller set to refuse LM and NTLMv1 (level 5) rejects any client still configured below level 3.

  • The Active Directory service structure may comprise one or more forests consisting of one or more domains. The Metasys system requires an Active Directory service structure that allows the use of UPN-formatted names (user@domain.suffix), either the implicit UPN built from the full DNS domain name or an explicit UPN with an alternate suffix. Single-label domains are one example of a directory structure that is not compatible with the Metasys system: these are domains whose DNS name has no suffix such as .com or .edu (for example, CORP rather than corp.example.com). Users from any domain may be given access privileges to the Metasys system, as long as appropriate trust relationships and privileges exist within Active Directory services.

  • The Metasys server and SCT computer should be placed in an Active Directory service organizational unit (OU) that is not affected by Group Policies, such as those typically applied to desktops, that push software to the machine. Such software may adversely affect Metasys system device operation.

  • A service account in Active Directory service consisting of an Active Directory user name, password, and domain is required. For details, see Service account.
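The following PowerShell script is an added example, not part of this bulletin and not Metasys product code, that audits three of the conditions above before a deployment: the LAN Manager authentication level on the Metasys server, SCT computer, Site Management Portal UI clients and domain controllers (the NTLMv2 requirement for SSO), whether the Active Directory users granted Metasys access have their credentials cached on a read-only domain controller (the RODC consideration), and which Group Policy Objects reach the OU that holds the Metasys server and SCT computer (the OU placement consideration). The host names, the RODC and writable DC names, the Metasys-Users group and the OU path are assumptions to be replaced with site values; the script requires the ActiveDirectory and GroupPolicy RSAT modules, PowerShell remoting to the listed hosts, and rights to read the RODC's Password Replication Policy.

```powershell
#Requires -Modules ActiveDirectory, GroupPolicy
# Added example, not code from Johnson Controls or the Metasys product.
# Pre-flight audit of three Active Directory conditions for Metasys SSO:
# compatible LAN Manager authentication levels, credential caching on an
# RODC, and a Metasys OU that is free of desktop-style Group Policy.
# Every name below is an assumption; replace with site values.

$MetasysHosts      = 'ADS-SRV01', 'SCT-SRV01', 'SMP-CLIENT01'   # server, SCT, SMP client (assumed)
$DomainControllers = 'DC01', 'RODC01'                           # writable DC and RODC (assumed)
$WritableDc        = 'DC01'
$Rodc              = 'RODC01'
$MetasysGroup      = 'Metasys-Users'                            # AD group granted Metasys access (assumed)
$MetasysOu         = 'OU=Metasys Servers,DC=corp,DC=example'    # OU holding server and SCT computer (assumed)

# --- 1. LAN Manager authentication level ------------------------------------
# Policy "Network security: LAN Manager authentication level" is stored as
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel:
#   0-2  client sends LM and/or NTLMv1 responses
#   3-5  client sends NTLMv2 only (3 is the effective default when absent)
#   5    a domain controller refuses LM and NTLMv1 entirely
# SSO needs NTLMv2, so every client must be at 3 or above, and a DC at 5
# rejects any client still below 3.
function Get-LmCompatibilityLevel {
    param([string[]]$ComputerName)
    # Invoke-Command tags each result with PSComputerName for later filtering.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        $v = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
        [pscustomobject]@{ Level = $(if ($null -eq $v) { 3 } else { [int]$v }) }
    }
}

function Test-LmCompatibility {
    param($Clients, $Dcs)
    foreach ($c in $Clients) {
        if ($c.Level -lt 3) {
            "FAIL $($c.PSComputerName): level $($c.Level) sends LM/NTLMv1; set to 3 or higher for NTLMv2 SSO"
        }
    }
    foreach ($dc in $Dcs) {
        if ($dc.Level -ge 5) {
            foreach ($r in ($Clients | Where-Object { $_.Level -lt 3 })) {
                "FAIL $($dc.PSComputerName) (level 5) refuses the NTLMv1 response that $($r.PSComputerName) sends"
            }
        }
    }
}

# --- 2. Credential caching on the RODC --------------------------------------
# Logins through the RODC while the writable DC is unreachable only work for
# users whose password is already cached there, which requires the user to be
# allowed by the RODC Password Replication Policy (PRP).
function Get-UncachedMetasysUsers {
    param([string]$Rodc, [string]$Group)
    $cached  = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
    $members = Get-ADGroupMember -Identity $Group -Recursive | Where-Object objectClass -eq 'user'
    $members | Where-Object { $cached.SamAccountName -notcontains $_.SamAccountName }
}

# Allow the group in the PRP and pre-populate each missing password from the
# writable DC so the first logon does not depend on that DC being reachable.
function Initialize-RodcCache {
    param([string]$Rodc, [string]$WritableDc, [string]$Group)
    Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $Group
    foreach ($u in Get-UncachedMetasysUsers -Rodc $Rodc -Group $Group) {
        Sync-ADObject -Object $u.DistinguishedName -Source $WritableDc -Destination $Rodc -PasswordOnly
    }
}

# --- 3. Group Policy reaching the Metasys OU --------------------------------
# Lists inherited links so desktop software-deployment GPOs can be spotted.
# Blocking inheritance on the OU stops them, except links marked Enforced,
# which still apply and must be unlinked or security-filtered separately.
function Get-MetasysOuPolicy {
    param([string]$Ou)
    $inh = Get-GPInheritance -Target $Ou
    [pscustomobject]@{
        Ou                 = $Ou
        InheritanceBlocked = $inh.GpoInheritanceBlocked
        InheritedGpos      = @($inh.InheritedGpoLinks | ForEach-Object { "$($_.DisplayName) (Enforced=$($_.Enforced))" })
    }
}

# Usage: run the three checks and print findings.
$levels  = Get-LmCompatibilityLevel -ComputerName ($MetasysHosts + $DomainControllers)
$clients = $levels | Where-Object { $_.PSComputerName -in $MetasysHosts }
$dcs     = $levels | Where-Object { $_.PSComputerName -in $DomainControllers }
Test-LmCompatibility -Clients $clients -Dcs $dcs
Get-UncachedMetasysUsers -Rodc $Rodc -Group $MetasysGroup |
    ForEach-Object { "WARN not cached on ${Rodc}: $($_.SamAccountName); run Initialize-RodcCache to pre-populate" }
Get-MetasysOuPolicy -Ou $MetasysOu | Format-List
```

Initialize-RodcCache is deliberately not called from the usage section because it changes the RODC Password Replication Policy; run it only after the IT department owning the domain has approved the allowed list. If the audit shows the Metasys OU inherits a software-deployment GPO, blocking inheritance with Set-GPInheritance -Target $MetasysOu -IsBlocked Yes removes it unless that link is Enforced, in which case it has to be unlinked or filtered at its source.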