User Authentication LDAP for HMI

beecksche · January 3, 2024, 10:28am

Hi,
The user management is linked to our ActiveDirectory via LDAP. I can log into the WBM with the global login data without any problems. (The AD-User is mapped to the Admin role)
However, if I change the LDAP group mapping from Admin to EHmiLevel10 , I cannot log into the HMI.
As a test, I have also assigned the EHmiLevel10 role to admin-user and I can log in to the HMI with admin-user without any problems.
Below are the notifications from admin and AD-user when logging into the HMI:

Warning 03.01.2024 12:12:40.754 arp.services.hmi Security.Arp.Services.Ehmi.SessionAuthenticationFailed 
No login permission for userName AD-User, ipAddress 192.168.0.5, arpSecurityToken 1484793059 security
Info	03.01.2024 12:12:40.752 User Manager Security.Arp.System.Um.SessionCreated	
Session created. User: AD-User, User roles: EHmiLevel10 , Security Token: 588024E3, Object name: hmi.auth, currently opened Sessions 4 security
Info	03.01.2024 12:12:40.751 User Manager Security.Arp.System.Um.Ldap.ServerLoggedIn	LDAP server logged in. Hostname: ldap.example.org, Comment: security
Info	03.01.2024 12:12:16.008 User Manager Security.Arp.System.Um.SessionCreated	
Session created. User: admin, User roles: Admin EHmiLevel10 , Security Token: B0CFDE01, Object name: hmi.auth, currently opened Sessions 4 security

AXCF1152, FW2023.6 EDIT: I have noticed that both user levels Admin and EHmiLevel10 must be assigned to the user for a login in the HMI to work. Is that correct?

beecksche · January 3, 2024, 11:52am

EDIT #2:
It also works when using the user levels EHmiViewer and EHmiLevel10. But two must be assigned. EHmiViewer or EHmiLevel10 alone is not sufficient.
And it’s not limited to AD-User. Also local user need two user roles. I assume that you need the rights „View online variable values“ and the corresponding EHmiLevels to log into the HMI.
https://plcnext.help/te/WBM/Security_User_authentication.htm

eduardplcnextteam · June 18, 2025, 1:29pm

Hello beecksche,
I assume you have a mistake in LDAP-Configuration, generally one „admin_root“ user must be located on the PLCnext Target and created on LDAP.-Server. This user on the PLC must be able to access to LDAP-Server and parse for additinal created „users“ on LDAP-Server. Another possibility may be that the LDAP server is not configured correctly. I’m not sure if my assumption is right. For a detailed analysis, please contact the Phoenix Contact support department in your country.
BR Eduard