Windows Credentials to Log Into Energy Force

To set a database up allowing Windows credentials or single sign on for Energy Force, first set the SystemLogin setting in the .ini to D for Active Directory and add two entries to the Logical Names table in System Maintenance. These would be for Directory_Binding and Domain_Name (Directory_Binding would be the AD server and Domain_Name would be the domain name). Finally, set the InputPassword ini setting to N.

IS tested single sign on with Active Directory from Energy Force. It worked with all the servers involved in the same local area network. This requires a group in Active Directory with the exact same name as a group in Energy Force set up by IS. All of the users that need access to Energy Force need to be in the group. User rights are then applied at the group level by linking the Windows user to Active Directory to see what groups the user belongs to and then applying the rights of the matching group in Energy Force.

IS tested with all traffic between the application server and the Domain Controller allowed. If any mistakes are made or it doesn't work, Energy Force creates an entry in an INI file that makes EnergyTrack open instead of Energy Force until it is removed.

If this is for a cloud/hosted deployment, this was probably never the intended setup. It would require a VPN between the application server and a Domain Controller that the Energy Force server can use to read the group membership. The Windows usernames must match exactly as well, so there would need to either be a Domain Trust in place or the local users on the cloud server would need to have the exact same usernames as the domain users on the customer's local domain. The customer will need to have some IT/IS admins of their own set up the group in Active Directory, the VPN, and the domain trust if needed. The customer's IS (not just SSI IS) would also need to troubleshoot any communication issues that come up between the machines involved.

This also does not rely on the individual users listed in the Energy Force user file.

Active Directory Connection

When a user binds to an Active Directory server (System Logon = Active Directory), Energy Force uses the logon name and password entered when logging onto Windows to retrieve the user’s rights as defined in the Active Directory.

Active Directory matches a Group that the Logged-On user belongs to with a group in Energy Force’s Security File.

Define the values Directory_Binding and Domain_Name in Energy Force by opening the application and navigating to Supervisor Menu / Maintenance Menu / System Maintenance / Logical Names

  • Directory_Binding — WinNT://DomainControllerServerName/ 
    (case sensitive, machine name is in uppercase) (the / at the end is very important)
  • Domain_Name — DOMAIN.COM

Next, in Energy Force, define the security file groups with the name matching the name of the groups of interest in the ADS server. Set the relevant Energy Force rights to each group.

When Energy Force loads, it will take the current user details and query the ADS Server for the list of all the groups that the user is a member of. If a matching group is found (group name is case sensitive) in Active Directory with the same name as the groups in the security file of Energy Force, the rights of that Energy Force group will be added to the user's session.

Update the following entries in the ENV section of the configuration file:

  • SystemLogin — D
  • InputPassword — N

General Notes:

  • Individual rights cannot be given to users when using AD connection. A group will need to be created and the right given to that group, then a matching AD group needs to be created and the user added to that AD group.
  • There must be a matching AD group to the Energy Force group (case sensitive).
  • If need be, a second shortcut can be set up to use a different configuration file that allows for local login (this will allow users to type in usernames which are listed in the Energy Force security file).
  • Usernames in the Energy Force security file have no link to the AD usernames. Usernames in the Energy Force security file are only used for local login.
  • Any updates to the configuration files should be completed while all users are out of Energy Force.

Steps to Set Up

  1. Verify proper group setup within the Energy Force security
  2. Create matching groups in AD (case sensitive)
  3. Assign users to appropriate AD groups
  4. Add/verify Directory_Binding setting in Energy Force:
    1. Logical Names: Directory_Binding = WinNT://MY-AD-SERVER/
  5. Add/verify Domain_Name setting in Energy Force:
    1. Logical Names: Domain_Name = mydomain.com
  6. Update SystemLogin setting in configuration file:
    1. /[MAGIC_ENV]SystemLogin = D
  7. Update InputPassword setting in configuration file:
    1. /[MAGIC_ENV]InputPassword = N
  8. If local login is needed, make copy of configuration file, and update the following:
    1. /[MAGIC_ENV]SystemLogin = U
    2. /[MAGIC_ENV]InputPassword = Y
  9. If local login is needed, create a copy of the shortcut and point it to the configuration file created in step 8 instead of the standard file updated in steps 4 - 7.
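
A pre-flight check for the settings in the steps above, written as an added example (it is not SSI's or Energy Force's own code). It assumes the configuration file is a standard INI file with a [MAGIC_ENV] section and that the AD and Energy Force group names have been copied into lists by hand; all sample values are constructed.

```python
import configparser

def check_env(ini_text):
    """Return problems in the [MAGIC_ENV] section for Active Directory login."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    if not cp.has_section("MAGIC_ENV"):
        return ["missing [MAGIC_ENV] section"]
    problems = []
    for key, want in (("SystemLogin", "D"), ("InputPassword", "N")):
        got = cp["MAGIC_ENV"].get(key)
        if got is None or got.strip() != want:
            problems.append(f"{key} is {got!r}, expected {want!r}")
    return problems

def check_binding(value):
    """Check Directory_Binding: WinNT:// prefix, uppercase machine name, trailing /."""
    prefix, problems = "WinNT://", []
    if not value.startswith(prefix):
        return ["must start with 'WinNT://' (case sensitive)"]
    host = value[len(prefix):]
    if not host.endswith("/"):
        problems.append("missing trailing '/'")
    host = host.rstrip("/")
    if not host:
        problems.append("missing machine name")
    elif host != host.upper():
        problems.append("machine name must be uppercase")
    return problems

def match_groups(ad_groups, ef_groups):
    """Case-sensitive match of Energy Force groups against the user's AD groups.

    Also returns near misses: names that differ only by case, which would
    silently grant no rights.
    """
    ad = set(ad_groups)
    by_lower = {g.lower(): g for g in ad_groups}
    matched = sorted(g for g in ef_groups if g in ad)
    near = sorted((g, by_lower[g.lower()]) for g in ef_groups
                  if g not in ad and g.lower() in by_lower)
    return matched, near

if __name__ == "__main__":
    # Constructed sample values, not taken from a real installation.
    ini = "[MAGIC_ENV]\nSystemLogin = D\nInputPassword = Y\n"
    print(check_env(ini))
    print(check_binding("WinNT://my-ad-server"))
    print(match_groups(["EF_Dispatch", "ef_billing"], ["EF_Dispatch", "EF_Billing"]))
```

Running the check before users log back in catches the mistakes that would otherwise leave EnergyTrack opening instead of Energy Force.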