Configure the authentication mode

Change the default authentication mode to allow local users and domain users to log on at runtime.

Prerequisites

To allow Active Directory users to authenticate, either:
  • Obtain the Active Directory domain name and server address.
  • Ensure that the Windows client is joined to the Active Directory domain.

To allow LDAP users to authenticate, obtain:
  • LDAP server address
  • Base64 CA certificate file exported from the Active Directory server or from a computer in the domain

Tip: FactoryTalk Optix Studio does not support LDAP over SSL (LDAPS).

To configure the authentication mode

  1. In Project view, select the root node.
  2. In Properties, expand Authentication, and then in Authentication mode, select the authentication type that allows specific users to log on:
    • Model only. Users created in FactoryTalk Optix Studio.
    • Local only. Local machine users.
    • Domain only. Active Directory and LDAP users.
    • Domain and local. Active Directory, LDAP, and local machine users.
    • Any. Users of any type.
  3. (optional) Set DefaultUserFolder to change the folder that contains user objects.
    Tip: The default folder for user objects is Security > Users. When a domain user logs in at runtime, a corresponding user object appears in the specified folder.
  4. If you intend to run your application on a client outside the Active Directory domain:
    1. In Default domain name, enter the default domain name for domain users that log on at runtime.
      Tip:

      To get the server address, enter this command in PowerShell: nslookup -type=srv _ldap._tcp.ftoptix.local, where ftoptix.local is the domain name of the Active Directory server, and copy the server DNS.

      If you leave Default domain name blank, the domain name is set based on the Active Directory domain joined by the Windows client.

    2. In Default server address, enter the Active Directory or LDAP server address.
      Tip:

      To get the server address, enter this command in PowerShell: nslookup -type=srv _ldap._tcp.ftoptix.local, where ftoptix.local is the domain name of the Active Directory server, and copy the internet address.

      If you leave Default server address blank, the Active Directory server address is set based on the Active Directory domain joined by the Windows client. If you do not specify the port in the server address, the default 389 port is used.

  5. In CA certificate file, select Browse and select the Base64 CA certificate file.
    Tip:

    To find an item, start typing its name in Select file.

    If the file does not appear in Select file, select Import file(s) and in Import file(s), select the file to import and then choose Select.

    Tip: If you leave CA certificate file blank, the local Windows machine is used to authenticate the user. CA certificate file is required to authenticate against a specific LDAP server or use a Linux client.
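
A pre-flight check for the values this procedure asks for, added here as an example and not taken from the FactoryTalk Optix documentation: it resolves the same SRV records as the nslookup command, tests each server on the LDAP port, and confirms that the CA certificate file is Base64-encoded. The function name and the certificate path are assumptions; ftoptix.local is the sample domain used on this page, and the script needs DNS and network access to the domain.

```powershell
# Added example. Test-LdapPrerequisite and .\ca-certificate.cer are hypothetical names.
function Test-LdapPrerequisite {
    param(
        [Parameter(Mandatory)] [string] $DomainName,
        [Parameter(Mandatory)] [string] $CaCertificatePath,
        [int] $Port = 389   # port used when the server address does not specify one
    )

    # Same lookup as "nslookup -type=srv", returned as objects instead of text.
    $srv = Resolve-DnsName -Name "_ldap._tcp.$DomainName" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' }

    foreach ($record in $srv) {
        # Confirm that the advertised server answers on the LDAP port.
        $probe = Test-NetConnection -ComputerName $record.NameTarget -Port $Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Check  = 'LDAP server'
            Item   = "$($record.NameTarget):$Port"
            Detail = "internet address $($probe.RemoteAddress)"
            Passed = $probe.TcpTestSucceeded
        }
    }

    # The file must be Base64 text; a binary (DER) export has no BEGIN marker.
    $text = Get-Content -LiteralPath $CaCertificatePath -Raw
    $isBase64 = $text -match '-----BEGIN CERTIFICATE-----'

    # Load the certificate and read the fields that matter for a CA file.
    $fullPath = (Resolve-Path -LiteralPath $CaCertificatePath).ProviderPath
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($fullPath)
    $basic = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    $isCa = [bool]($basic -and $basic.CertificateAuthority)
    $now = Get-Date
    $inValidity = ($now -ge $cert.NotBefore) -and ($now -lt $cert.NotAfter)

    [pscustomobject]@{
        Check  = 'CA certificate'
        Item   = $cert.Subject
        Detail = "Base64=$isBase64; CA=$isCa; valid until $($cert.NotAfter.ToString('u'))"
        Passed = $isBase64 -and $isCa -and $inValidity
    }
}

Test-LdapPrerequisite -DomainName 'ftoptix.local' -CaCertificatePath '.\ca-certificate.cer'
```

Each row with Passed set to False points to a value to correct before entering it in Default server address or CA certificate file.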