Situations When Metasys System Login Screen Appears - Metasys - LIT-1201528 - General System Information - Metasys System - 10.1

Security Administrator System Technical Bulletin
Brand
Metasys
Product name
Metasys System
Document type
Technical Bulletin
Document number
LIT-1201528
Version
10.1
Revision date
2020-01-21
Language
English

The following situations cause the Active Directory service user to be presented with the Metasys system login screen:

  • when you log out of the Metasys SMP UI (either manually or when a user session ends)
  • if Active Directory service authentication fails for any reason
  • when you are logged in to the Windows OS with an Active Directory service user account that is not privileged within the Metasys system
  • if the Active Directory service Domain Controller is unavailable
  • when you are logged in to the Windows OS using a local Windows account and not an Active Directory service user account
  • when access to Active Directory service is restricted at login time because of an Active Directory service time sheet (known as Logon Hours) or access is restricted to the Metasys system via the Metasys time sheet. Active Directory service Logon Hours takes precedence, so if you are restricted from operating system access, but not restricted by a Metasys time sheet, access to the Metasys system as an Active Directory service user is not granted.
  • if your Active Directory service user account is locked-out or disabled
  • if your Active Directory service user account is enabled, but overridden to disabled with the Metasys Access Suspended property within Metasys Security Administration User Properties
  • if Active Directory service authentication is disabled for the Metasys site
  • if you log in to a Metasys device such as an NAE, NAE, SNC or SNE
  • if Metasys authorization fails for any reason, such as when a user without System Configuration Tool permissions attempts to log in to SCT
  • if SSO access is disabled for the site (that is, Windows Workstation SSO is set to disabled)

When the Metasys SMP UI login window appears, and the site has Active Directory service authentication enabled, a list of available domains appears.

Figure 1. Metasys Login Screen with Active Directory Service Domain List

From this screen, you have the following options:

  • Enter an Active Directory service username and password, and click a domain in a drop-down list.
  • Enter an Active Directory service username in the form of domain\username (sometimes called the pre-Windows 2000 format) and an Active Directory service password. (The Login to drop-down list becomes disabled.)
  • Enter a fully qualified Active Directory service username in the form of user login name@domain specifier and an Active Directory service password. (The Login to drop-down list becomes disabled.) The domain specifier name must be the fully qualified domain name at the domain level for hybrid UPN authentication users or the forest level domain name for exact UPN authentication users. For more information on hybrid UPN and exact UPN authentication, see the Username Semantics section.
  • Enter a Metasys local username and password and click Metasys Local in the Login to drop-down list.
    Note:
    • If you select Metasys Local, you should enter your local user credentials, not your Active Directory service user credentials. Otherwise, authentication fails.
    • Usernames are obscured at login for local and Active Directory accounts. After login, usernames are partially obscured (for example, JSmith appears as JSm***).
    • The Metasys system only allows active user accounts to log in from this screen. Dormant or locked accounts are not accessible.

The user credentials are strongly encrypted before being transmitted over the network for authentication. (For details on the encryption process used, refer to the Network Message Security section of the Network and IT Guidance Technical Bulletin (LIT-12011279) . These credentials are active for the entire Metasys SMP UI session until you log out (or the user session terminates).

If the Metasys Device Manager has not fully started, and you try to log in to the Metasys server, a runtime status error occurs and the Metasys login screen appears. In this case, the Metasys login screen does not display the Active Directory service domain drop-down list and you are not able to log in with an Active Directory service user account.

To log in as an Active Directory service user, you must close the login screen, wait a few moments for the Metasys Device Manager to fully start, then navigate again to the Metasys server. If you remain at the login screen following the startup error and do not close it, then log in with a Metasys local user account, all Active Directory service menu options and functions are unavailable. To restore Active Directory service options and functions, you must close the browser and navigate to the Metasys server again, then specify your Active Directory service credentials.