
AD/Internal User Source

The Active Directory/Internal Hybrid authentication profile type combines the Internal User Source type with the Active Directory User Source type. Active Directory is used to find all of the users, and to check their credentials when they attempt to log in. However, roles, contact info, and other meta-information about a user are assigned through Ignition, which stores all this information as if it were an Internal User Source. This way, Active Directory can be consulted to see if a username/password is valid, but the management of roles does not require coordination with your IT Department, which typically controls the Active Directory system. This "best of both worlds" approach is popular for many users of Active Directory.

The AD/Internal Hybrid User Source is partially manageable in Ignition. Users cannot be added or removed, and their usernames and passwords cannot be changed. This is because this information resides in Active Directory, not within Ignition. Other information, such as user roles, contact info, and schedules, is manageable in Ignition.

Gateway Settings

Before you can use the User Management component to manage roles, contact info, etc., you first have to go into Gateway Settings, and mark the checkbox to 'Allow User Admin.'  This allows for the administration of the Gateway's system user source from the Designer and the Client. Unless this is enabled, the Vision Module's User Management component is prevented from modifying the Gateway system's user source.

Property Reference

This User Source shares many properties with the AD User Source. Please see the Active Directory Authentication page for a list of properties. 


Creating an AD/Internal Hybrid User Source

To set up an AD/Internal Hybrid User Source, you must specify the host that is acting as your primary domain controller. You can also use a secondary domain controller in case the primary is unavailable. You'll also need to specify the name of the domain and the credentials the Gateway itself authenticates with when it queries the list of roles.

May need to contact your internal IT Department for...

When using AD/Internal Hybrid User Source, you may need to consult with your internal IT Department to get the required information to complete your user source setup.

  1. On the Gateway Webpage, under the Config tab, go to Security > Users, Roles.
    The User Sources page will be displayed. Click the blue arrow, Create new User Source.

  2. Choose the AD/Internal Hybrid authentication type, and click Next.

  3. The New User Source window will open. Some properties are optional depending on how you set up your profile. Details on the Main Properties can be found on the User Sources page. Active Directory properties are listed in the table below.

  4. Click Create New User Source to save the new user source.

Active Directory Properties




Domain

The Windows Domain your Active Directory server is running on. If you aren't sure of your domain, ask your network administrator. Leave blank to set advanced properties manually.

Primary Domain Controller Host

The IP address or hostname of your primary domain controller. Example: "" or "MainServer"

Primary Domain Controller Port

The port number for the primary domain controller's LDAP interface.

List Users from Active Directory

If true, Active Directory will be queried for the list of all users. If false, users must be added manually. (Default is true.)

Gateway Username

The login name for the Gateway to use when querying Active Directory. Used for retrieving the list of users and roles via LDAP.

Password

The password for the above username.

Password

Re-type password for verification.

SSO Enabled

Whether or not to use Single-Sign-On (SSO) to authenticate AD users. Note that projects must also have this option enabled for SSO to work. (Default is false.)

SSO Domain

The domain that Windows users must match in order to use SSO. If blank, the main "Domain" property will be used.

Advanced Properties



Secondary Domain Controller Host

The IP address or hostname of your secondary domain controller (optional). Example: "" or "BackupServer"

Secondary Domain Controller Port

The port number for the secondary domain controller's LDAP interface. (Default: 389)

Read Timeout

The read timeout in milliseconds for LDAP operations. (Default is 60,000)

Results Page Size

The number of entries returned per page of results in a query. (Default is 1,000)

User Listing Base

The base folder to search for users under, such as "DC=MyCompany,DC=com". The entire subtree under this folder will be searched using the User List Filter. Multiple subtrees can be specified by putting them in parentheses, like so: "(OU=Administrators,DC=MyCompany,DC=com)(OU=Operators,DC=MyCompany,DC=com)". If you leave this blank, the whole subtree of the domain controller will be searched.

User List Filter

The LDAP search filter used when querying for the list of all users. Should restrict the type to user. (Default is (&(objectClass=user)(!(objectClass=computer))).)

User Search Filter

The LDAP search filter to use to find a specific user. Use the placeholder {0} as a stand-in for the login name. (Default is (&(objectClass=user)(sAMAccountName={0})).)

Username Attribute

The attribute on the User object to define the username. (Default is sAMAccountName.)

Username Prefix

This prefix will be prepended to the username before an Active Directory bind is attempted for authentication.

Username Suffix

This suffix will be appended to the username before an Active Directory bind is attempted for authentication.

Automatic Suffix

If this option is checked, and the suffix is left blank, then the suffix will automatically be assigned a value of "@<domain>". (Default is true.)

Allow Anonymous

If true, authentication attempts with blank passwords will be passed through to LDAP, which may choose to accept them. (Default is false.)

Use SSL

Disable to use the "ldap://" protocol, enable to use "ldaps://". (Default is false.)

Security Protocol

Auto or SSL. (Default is Auto.)

Security Authentication

This property specifies how usernames and passwords are used to bind to LDAP. The following options are available:

AUTO:  Unspecified from the Gateway side, meaning the LDAP implementation will choose.

NONE:  Anonymous access.

SIMPLE:  Plaintext username and passwords will be used.

STRONG:  Usernames and passwords will be encrypted.

The following feature is new in Ignition version 8.0.10
SASL:  Simple Authentication and Security Layer. See the SASL Properties table below for additional SASL authentication configuration settings.

SASL Properties

The following feature is new in Ignition version 8.0.10

These settings are used when Security Authentication is set to SASL.


 An ordered list of space-separated mechanism names. The LDAP provider will use the first mechanism for which it finds an implementation. A blank value will leave this setting unspecified. (Default is DIGEST-MD5 CRAM-MD5.)

Realm

A realm defines the namespace from which the user is selected. A blank value will leave this setting unspecified. This setting will only be used by mechanisms which support it. (Default is blank.)

Quality of Protection

A comma-separated list of Quality-of-Protection (QoP) values, the order of which specifies the preference order. There are three well-known values: "auth" (authentication only), "auth-int" (authentication with integrity protection), and "auth-conf" (authentication with integrity and privacy protection). A blank value will leave this setting unspecified. This setting will only be used by mechanisms which support it. (Default is auth-conf,auth-int,auth.)

Protection Strength

A comma-separated list of privacy protection strength values, the order of which specifies the preference order. The three possible strength values are "low", "medium", and "high". A blank value will leave this setting unspecified. This setting will only be used by mechanisms which support it. (Default is high,medium,low.)

Mutual Authentication

Enable or disable mutual authentication. This setting will only be used by mechanisms which support it. (Default is disabled.)
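
Taken together, Use SSL, Security Authentication, Allow Anonymous and the SASL settings decide whether Active Directory credentials cross the network protected. The check below is an added example, not part of the Ignition documentation or product: the function name, the dictionary layout (keys copied from the property names above) and the sample hosts and ports are assumptions made for illustration.

```python
# Added example: flags AD/Internal Hybrid settings that expose credentials.
# Keys mirror the property names on this page; review_user_source(), the dict
# layout and the sample hosts are assumptions made for this illustration.

def review_user_source(cfg):
    """Return a list of 'id: message' findings for one user source."""
    findings = []
    use_ssl = cfg.get("Use SSL", False)                    # documented default: false
    auth = cfg.get("Security Authentication", "AUTO").upper()
    url = "%s://%s:%s" % ("ldaps" if use_ssl else "ldap",
                          cfg["Primary Domain Controller Host"],
                          cfg["Primary Domain Controller Port"])
    if not use_ssl:
        if auth == "SIMPLE":
            findings.append("plaintext-bind: SIMPLE over %s sends passwords in plaintext" % url)
        elif auth == "AUTO":
            findings.append("unpinned-bind: AUTO over %s leaves the bind type to the LDAP implementation" % url)
        elif auth == "SASL":
            raw = cfg.get("Quality of Protection", "auth-conf,auth-int,auth")
            qop = [q.strip() for q in raw.split(",") if q.strip()]
            if qop != ["auth-conf"]:
                findings.append("sasl-qop: %s is not pinned to auth-conf on %s" % (qop or "unspecified", url))
            if not cfg.get("Mutual Authentication", False):
                findings.append("sasl-mutual: Mutual Authentication is disabled on %s" % url)
    if auth == "NONE" or cfg.get("Allow Anonymous", False):
        findings.append("anonymous: blank-password or anonymous binds are passed to the directory")
    return findings

# Constructed sample configurations (hosts and ports are placeholders).
AS_DOCUMENTED_DEFAULTS = {"Primary Domain Controller Host": "dc1.example.test",
                          "Primary Domain Controller Port": 389}
SIMPLE_NO_SSL = dict(AS_DOCUMENTED_DEFAULTS, **{"Security Authentication": "SIMPLE",
                                                "Allow Anonymous": True})
SASL_DEFAULTS = dict(AS_DOCUMENTED_DEFAULTS, **{"Security Authentication": "SASL"})
LDAPS_SIMPLE = {"Primary Domain Controller Host": "dc1.example.test",
                "Primary Domain Controller Port": 636,
                "Use SSL": True, "Security Authentication": "SIMPLE"}

if __name__ == "__main__":
    for name, cfg in [("defaults", AS_DOCUMENTED_DEFAULTS), ("simple", SIMPLE_NO_SSL),
                      ("sasl", SASL_DEFAULTS), ("ldaps", LDAPS_SIMPLE)]:
        print(name, review_user_source(cfg) or "no findings")
```

With the documented defaults the only finding is the unpinned bind type on ldap://; enabling Use SSL, or pinning SASL to auth-conf with Mutual Authentication enabled, clears the findings.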
