Citect Runtime Service start with domain account

Dear AVEVA Forum users,

I moderate a public Schneider Electric Digital Exchange Forum for Plant SCADA.

https://community.se.com/t5/AVEVA-Plant-SCADA-Forum/Citect-Runtime-Service-start-with-domain-account/m-p/406682#M390

----

A post was raised about user credentials for Plant SCADA domain accounts, as follows:

We have a Citect Scada installation integrated with Active Directory features.
Our problem is that the Citect Runtime service configured to start with the domain account does not start on reboot.
The Service if started with local account works correctly, however we cannot use this mode because integration with Active Directory would be lost.
Our account is configured correctly with the "logon as a service" policy:

We have also changed the owner of the Citect SCADA 2018 R2 folder with the domain user.
Another thing I notice is that the Citect Runtime service depends on the "ArchestraDataStore" service, and this starts correctly but is configured with the "NT Service\ArchestraADatStore" account.
Checking the logs in Event Viewer, we see that after starting, Citect seems to crash.

----

I was looking for any Technotes on how the Runtime User Accounts should be properly set up as best practice, or whether this is by design?

Thanks.
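As an added troubleshooting example (not from the thread and not AVEVA's own tooling), a PowerShell script that gathers the three facts the post turns on: which account each service in the dependency chain runs under, whether that account actually holds the "Log on as a service" right, and what the Service Control Manager logged around the last boot. The display-name pattern and the account are assumptions to edit before running.

```powershell
# Added diagnostic script; run in an elevated PowerShell on the runtime server.
param(
    [string]$DisplayPattern = '*Citect Runtime*',  # assumption: display name of the runtime service
    [string]$Account        = 'DOMAIN\svc_citect'  # placeholder: the domain service account in use
)

# 1. Identity, start mode and state of the service and of everything it depends on
$svc = Get-CimInstance Win32_Service | Where-Object { $_.DisplayName -like $DisplayPattern }
if (-not $svc) { throw "No service matching '$DisplayPattern' found" }
$names = @($svc.Name) + (Get-Service -Name $svc.Name).ServicesDependedOn.Name
foreach ($n in $names) {
    Get-CimInstance Win32_Service -Filter "Name='$n'" |
        Select-Object Name, StartName, StartMode, State
} | Format-Table -AutoSize

# 2. Does the account hold "Log on as a service" (SeServiceLogonRight)?
#    secedit lists the right by SID, so resolve the account first.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeServiceLogonRight' }
Remove-Item $cfg
$hasRight = [bool]($line -and ($line -match [regex]::Escape("*$sid") -or
                               $line -match [regex]::Escape($Account)))
"SeServiceLogonRight granted to $Account : $hasRight"

# 3. Service Control Manager events for this service since the last boot
#    (7000 failed to start, 7009 timeout, 7011 hung, 7031/7034 terminated
#    unexpectedly, 7038 could not log on with the configured account)
$since = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime.AddMinutes(-5)
Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Service Control Manager'
    Id = 7000, 7009, 7011, 7031, 7034, 7038; StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$($svc.DisplayName)*" } |
    Select-Object TimeCreated, Id, Message | Format-List
```

A dependency that runs as a virtual account (NT Service\...) while the parent runs as a domain account is a normal arrangement; the interesting output is a 7038 (logon failure) or a 7034 (crash after start) against the runtime service itself.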

  • Hi  ,

    I think this might be a limitation of that version (2018 R2). I would recommend the customer upgrade to Plant SCADA 2020 R2 or the up and coming 2023 release. In that release, the Security Model is much improved and the Configurator allows you to define which user accounts should have access to what features within the product.

    I tested on Plant SCADA 2023 to have my Domain account to logon to the Plant SCADA Runtime Service, and it is working as expected, no exception or issues found.

    Customers should also note that Virtual Service Accounts give the best security posture. If you do need to use Domain Account, be sure to follow security best practice, follow the principle of "least privilege access" to minimise any risks or issues.

    Kind regards

    Olivier
