Authentication Overview - Metasys - LIT-1201528 - General System Information - Metasys System - 12.0

Security Administrator System Technical Bulletin

Product
Building Automation Systems > Building Automation Systems > Metasys System
Document type
Technical Bulletin
Document number
LIT-1201528
Version
12.0
Revision date
2022-08-05

Security is based on user accounts and roles. Roles are groups of users with a specific function within the Metasys system. To access the system, an administrator provides a username and password. When creating users within the Metasys system, use ASCII characters only. Do not use the characters @ or \ in Metasys local user names; these characters are reserved for Active Directory service usernames that are added to the system.

Note: If the Microsoft Active Directory service feature and Microsoft Windows® Workstation SSO are both enabled for use in the Metasys system, you generally do not need to specify your username and password. The Active Directory service credentials that you specified when you log on are automatically passed to the Security Administrator system for authentication. For details, see Overview of Active Directory Service Implementation on the Metasys System.

Click Login on the Login screen to send your user credentials. If Active Directory service is enabled, you also need to select your user domain or enter a local username and select Metasys Local from the domain selection drop-down menu.

For local users, the extended architecture Security Administrator system authenticates the user’s information against the Security database. For Active Directory service enabled users, the selected Active Directory service domain authenticates the user and no Security database authentication occurs.

Microsoft® Active Directory Federation Services (ADFS) and Microsoft AD Lightweight Directory Access Protocol (LDAP) are supported in Metasys UI only. ADFS integration with two-factor authentication is an add-on, licensed feature that adds support for accessing Metasys through ADFS, a single sign-on solution developed by Microsoft®. ADFS can then, in turn, be used to provide two-factor authentication for access to Metasys. ADFS helps prevent unauthorized access to Metasys, which, if not prevented, could result in data, financial, and reputational loss, system disruption, and other negative consequences. LDAP authenticates your identity against AD for Metasys access as a user of the system.

Note: For Active Directory users, Metasys saves the domain name separately from the user id. Therefore, if you add a Metasys local user with your JCI global id, you cannot also add an Active Directory login with the same name.
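The naming rules above (ASCII only, @ and \ reserved for Active Directory names, domain stored apart from the user id, one user id across local and AD logins) as a small pre-provisioning check. This is an added example, not Metasys code; the class and function names, the case-insensitive comparison of user ids and the sample names are assumptions made for illustration.

```python
# Added example (not Metasys code): validates candidate user names against the
# rules the bulletin states before an administrator provisions them.

RESERVED_AD_CHARS = ("@", "\\")  # reserved for Active Directory service usernames


def classify_username(name: str) -> str:
    """Return 'local', 'active_directory' or 'invalid' for a candidate name."""
    if not name or not name.isascii():          # ASCII characters only
        return "invalid"
    if any(c in name for c in RESERVED_AD_CHARS):
        return "active_directory"               # DOMAIN\user or user@domain form
    return "local"


def split_ad_name(name: str):
    """Separate the domain from the user id, mirroring that the domain is
    stored apart from the user id. Returns (domain, user); domain is None
    for a Metasys Local name."""
    if "\\" in name:
        domain, _, user = name.partition("\\")
    elif "@" in name:
        user, _, domain = name.partition("@")
    else:
        return None, name
    return domain, user


class UserDirectory:
    """Toy account store: a user id may exist once, whether local or AD.
    Assumption: user ids are compared case-insensitively."""

    def __init__(self):
        self.accounts = {}  # lower-cased user id -> domain (None = Metasys Local)

    def add(self, name: str) -> str:
        kind = classify_username(name)
        if kind == "invalid":
            raise ValueError(f"{name!r}: use ASCII characters only")
        domain, user = split_ad_name(name)
        key = user.lower()
        if key in self.accounts:
            raise ValueError(f"user id {user!r} already exists "
                             f"(domain {self.accounts[key]!r})")
        self.accounts[key] = domain
        return user
```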

A unique session opens when your user credentials match the logon requirements. The session provides access to the system for a configurable period. When the credentials do not match, a dialog box appears indicating that the credentials are incorrect or user access is denied. For more details on possible logon error messages, see Table 1. The security system generates an audit trail and tracks all logon attempts.

Note: The default password for the MetasysSysAgent and Operator user accounts on new or re-imaged devices is expired and must be changed at the first login.

When you click Login, the IPv4 address of the computer you are using is recorded in the Metasys Audit file. You can view the login transaction by opening the Audit Viewer. If the user logs in to the Metasys Advanced Reporting System and the SMP UI, the SMP UI login time is recognized as the last login time. If the user logs in for the first time, the status box indicates Never as the last login time.