Smart Card Support

As of version 12.0.09, VTScada supports the use of smart cards, which provide a form of 2-factor authentication. Successful authentication requires something you have (the smart card itself) and something you know (the Personal Identification Number (PIN) for the smart card).

Smart cards can be used only in conjunction with Windows Security Integration (WSI) on both a thick client (workstation) and the VIC thin client.
Smart cards are not supported on the VTScada Anywhere client, nor on the Mobile Internet Client (MIC).


* Computer names (aka NetBIOS names) or IPs can be used in a server list only if all machines, including your VTScada Internet Servers and thin clients, are on an internal network.

* If some machines, clients or servers, are in different domains, then the list should include only fully-qualified domain names (FQDNs).

* If the names used by external clients to connect to your servers (that is, names that are resolvable by an external DNS) are different from the internal machine names (those resolvable by your internal DNS or other methods), then your server list should include the external FQDNs. Your internal name resolution mechanism (DNS or other) should be configured to resolve those names to the internal IPs of the servers.

* Do not attempt to provide both internal and external names for the same server. Doing so will only cause slower overall performance.

Smart cards must contain a certificate that can be used to authenticate a user in an Active Directory (AD) domain. To do this, the certificate should have a Subject Alternative Name (SAN) entry containing the User Principal Name (UPN) of the user account, for example "a.user@example.com". WSI mode is a prerequisite for smart cards, and smart cards can be used only for AD account sign-ins, not for local VTScada Security Manager sign-ins.
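The certificate requirement above is easy to confirm before troubleshooting a failed sign-in. The following PowerShell is an added example, not part of the VTScada documentation or product: it lists the certificates in the current user's personal store and reports whether each one carries the SAN UPN entry, the Smart Card Logon and Client Authentication enhanced key usages, and a private key. It assumes that Windows certificate propagation has copied the inserted card's certificates into Cert:\CurrentUser\My, which is the default behaviour when a card is inserted.

```powershell
# Added example, not part of the VTScada documentation or product.
# Reports, for each certificate in the current user's personal store, whether it
# carries the SAN UPN (otherName OID 1.3.6.1.4.1.311.20.2.3) that AD smart card
# sign-in relies on, plus the Smart Card Logon and Client Authentication EKUs.
# Assumption: Windows certificate propagation has copied the inserted smart card's
# certificates into Cert:\CurrentUser\My.

$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'   # szOID_KP_SMARTCARD_LOGON
$ClientAuthOid     = '1.3.6.1.5.5.7.3.2'        # id-kp-clientAuth
$EkuExtensionOid   = '2.5.29.37'                # id-ce-extKeyUsage
$UpnNameType       = [System.Security.Cryptography.X509Certificates.X509NameType]::UpnName

function Get-SmartCardCertReport {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2[]]$Certificate =
            (Get-ChildItem -Path Cert:\CurrentUser\My)
    )
    foreach ($cert in $Certificate) {
        # GetNameInfo(UpnName) returns the UPN held in the SAN otherName entry,
        # or an empty string when the certificate has none.
        $upn = $cert.GetNameInfo($UpnNameType, $false)

        # Decode the EKU extension, if present, into its list of OIDs.
        $ekuOids = @()
        $rawEku = $cert.Extensions |
            Where-Object { $_.Oid.Value -eq $EkuExtensionOid } |
            Select-Object -First 1
        if ($rawEku) {
            $eku = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]::new($rawEku, $false)
            $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }

        [pscustomobject]@{
            Subject           = $cert.Subject
            Thumbprint        = $cert.Thumbprint
            NotAfter          = $cert.NotAfter
            Upn               = $upn
            HasUpn            = -not [string]::IsNullOrEmpty($upn)
            SmartCardLogonEku = $ekuOids -contains $SmartCardLogonOid
            ClientAuthEku     = $ekuOids -contains $ClientAuthOid
            HasPrivateKey     = $cert.HasPrivateKey
        }
    }
}

Get-SmartCardCertReport |
    Format-Table Subject, Upn, HasUpn, SmartCardLogonEku, ClientAuthEku, NotAfter -AutoSize
```

A certificate with HasUpn set to False cannot be mapped to an AD account and will not produce a successful sign-in, whatever the PIN. The Upn column is also the value to look at when a card holds several certificates and you need to decide which one should be preselected rather than chosen from the dialog.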

Windows Security Integration is required for smart card authentication.

At a workstation, a smart card can be used to sign in only through the sign-in dialog associated with the application title bar. No other sign-in dialogs are supported.

Sign in at a workstation using your smart card

  1. Insert your smart card into the provided reader attached to your workstation.
    The card is read and the certificates on the card are examined. If a single suitable certificate is found and no user is currently signed in on this workstation, the sign-in dialog opens.
  2. Enter the PIN associated with your smart card.


If you are running multiple applications and can sign in to each with your smart card, then you must do so for each independently.

If you remove your smart card from the reader, or the reader from the workstation, you will be signed out immediately from all applications that use the card.

If the smart card contains multiple certificates, then after VTScada reads them it presents a dialog allowing you to select the certificate to be used. You can preselect a certificate, and so avoid the chooser dialog, by defining the property SmartcardUPNMatch within the [System] section of the Setup.INI file in your VTScada installation folder.

A certificate is shown:


Use the More choices link to view and select from other certificates.

After choosing a certificate, select the OK button. If you select Cancel, you must remove and re-insert the smart card to begin the process again.

The following section applies only to VTScada Internet Client (VIC) connections.

Active Directory Configuration to Support VIC Sign-ins

Two work flows are supported:

  • The first involves starting the VIC session with smart card support and is suitable when a given workstation is used by a single operator.
  • The second involves starting the VIC session normally (not with smart card support) and then signing in using the smart card. This is suitable when a workstation is used by several operators.


For both work flows, you must ensure that WSI mode is enabled for the application. Your Active Directory (AD) setup must be configured as follows:

A Service Principal Name (SPN) must be set in AD for all the VIC servers and the user account under which VTScada is running on the servers.

Domain Admin privileges may be required to set the SPN using the SetSPN command from an elevated command prompt:

SetSPN -U -S HTTP/<FQDN.Of.VICServer> <user.account>

Where <FQDN.Of.VICServer> is the fully qualified domain name of the VIC server (for example: SCADA1.EXAMPLE.COM) and <user.account> is the sign-in name of the account without the "@my.domain" portion.

The SPN can be verified using the command:

SetSPN -L <user.account>

The preceding command shows the SPNs for the account and should list the entries for VIC servers in the form:

HTTP/<FQDN.Of.VICServer>
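Checking that output by eye is fine for one or two servers; for a longer server list it is worth scripting. The PowerShell below is an added example, not part of the VTScada documentation or product. It parses the lines printed by SetSPN -L, then checks that every VIC server in your list has an HTTP/<FQDN> entry registered on the service account and that each entry is a fully qualified name rather than a short name or an IP (see the server list rules earlier on this page). The service account name svc_vtscada and the SCADA1..SCADA3.EXAMPLE.COM hosts are placeholders, and the sample SetSPN output is constructed so the check can be tried without a domain.

```powershell
# Added example, not part of the VTScada documentation or product.
# Verifies that each VIC server has an HTTP/<FQDN> SPN registered on the VTScada
# service account by parsing "setspn -L <user.account>" output.
# Assumptions: svc_vtscada and the SCADA*.EXAMPLE.COM names are placeholders;
# setspn.exe is available (it ships with Windows Server / RSAT).

function Get-RegisteredSpn {
    param([string[]]$SetSpnOutput)
    # setspn -L prints a header line followed by one indented SPN per line;
    # keep only lines that look like "<service class>/<host>".
    $SetSpnOutput |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -match '^[^\s/]+/' }
}

function Test-VicServerSpn {
    param(
        [string[]]$VicServerFqdn,   # entries from your VIC server list
        [string[]]$RegisteredSpn    # result of Get-RegisteredSpn
    )
    foreach ($fqdn in $VicServerFqdn) {
        $expected = "HTTP/$fqdn"
        [pscustomobject]@{
            Server     = $fqdn
            # At least one dot and not a dotted-quad IP address.
            IsFqdn     = ($fqdn -match '^[^.]+(\.[^.]+)+$') -and ($fqdn -notmatch '^\d+\.\d+\.\d+\.\d+$')
            Spn        = $expected
            Registered = [bool]($RegisteredSpn -icontains $expected)
        }
    }
}

# Constructed sample of setspn -L output (not captured from a real domain).
$sampleOutput = @(
    'Registered ServicePrincipalNames for CN=svc_vtscada,OU=Service Accounts,DC=example,DC=com:',
    '        HTTP/SCADA1.EXAMPLE.COM',
    '        HTTP/SCADA2.EXAMPLE.COM'
)
$servers = 'SCADA1.EXAMPLE.COM', 'SCADA2.EXAMPLE.COM', 'SCADA3.EXAMPLE.COM'

# SCADA3 is reported as Registered = False because no SPN was registered for it.
Test-VicServerSpn -VicServerFqdn $servers -RegisteredSpn (Get-RegisteredSpn $sampleOutput) |
    Format-Table -AutoSize

# Against the live domain, replace the sample with the real command output:
#   $live = setspn -L svc_vtscada
#   Test-VicServerSpn -VicServerFqdn $servers -RegisteredSpn (Get-RegisteredSpn $live)
```

A server reported as Registered = False needs the SetSPN -U -S command from above run for it. The -S switch refuses to add an SPN that already exists on another account; SetSPN -X lists any such duplicates across the forest, and a duplicate HTTP/<FQDN> SPN will break Kerberos authentication to that server just as surely as a missing one.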

1) Starting the VTScada Internet Client with smart card support

For this work flow, the VIC must be started from the command line, not from Internet Explorer, following the examples within this section.

No extra configuration of your VTScada Thin Client Server is required when starting a VIC session with smart card sign-in support. To enable smart cards, the VIC command line must include the -c argument, along with -s and -a arguments.

  1. Start the VIC using the following command line, or a Windows shortcut you create that contains this command line:
    Path\to\VTSX.exe -s URL_of_VIC_Server -a Realm_of_application -c

    A dialog will prompt for the smart card.
  2. Insert your smart card into the reader.
    If a single suitable certificate is found on the smart card, the VIC proceeds to display the Personal Identification Number (PIN) entry dialog. If more than one certificate is found on the smart card, a certificate chooser dialog is displayed as described in the workstation section. After a certificate is chosen, the PIN entry dialog is displayed.
  3. Enter your PIN and select the Connect button.
    If the PIN is correct, the client will connect to the VTScada Thin Client Server and you will be signed in.

Removal of the smart card from the reader, or the reader from the workstation will cause VTScada to sign you out immediately. If you were signed in using the VIC, the connection will be closed.

2) Use a smart card to sign in to an ordinary VIC session

If using this method, operators can remove their smart card to sign out without causing the VIC connection to close.

When an operator signs in or out with a smart card, the entries in the System Event history are annotated with “using Smartcard” to distinguish them from “manual” logons.

This requires that the Security Manager option "Enable Signed Out VIC Sessions" is selected, so that the session is maintained after the smart card is removed and the operator is signed out.

  1. Ensure that WSI mode is enabled for the application as described earlier.
  2. Perform the tasks described in Active Directory Configuration to Support VIC Sign-ins.
  3. Add the following value to the <SECURITYMANAGER-ADMIN> section of your application's Settings.Dynamic file:
    VICSmartcardsEnable = 1
  4. Use the Import File Changes Tool to put that change into effect.
  5. To prevent the session from closing on sign-out, ensure that Enable Signed Out VIC Sessions is selected.


Operators can open a thin client (VIC) connection and authenticate their sign-in by inserting their smart card in the reader. On removal of the card from the reader, they will be signed out immediately, but the session will remain active, waiting for the next operator to sign in.

If the user fails to authenticate with Active Directory, a dialog is displayed to indicate the authentication has failed and an event is logged in the System Event DB.