Security Expert Error, Server Has Rejected Client Credentials

Issue

The following error can occur when logging into Security Expert using a Remote Client:
 
Could not log on to Server. Please check your remote connection setup. The server has rejected the client credentials.
 

Product Line

SmartStruxure Solution, Other

Environment

Security Expert

Cause

The security policy settings are different between the Server and Client.

When installing the Security Expert Server and Clients, the default security policy is used. This requires that the Windows username and password that the operator has used to log in on a client machine is also a valid user on the computer that is running the Security Expert Server. These security requirements are very favourable for corporate networks and setups where the users and policies are easy to manipulate. For that purpose alone, the Security Expert Server and Client are installed with these settings by default.
 
Not all installations are the same, however, and sometimes the Security Expert Server is not located within a domain. In another scenario, the server may be in a domain but the operators need to connect to it from a machine that is not in the domain. In these cases, it has been requested that the security policy in place on a domain or the physical machine be disabled. Although this is not recommended practice, the security of the system can be maintained using a suitable VPN structure.
 
This solution should be used with full knowledge that the security of the system will rely on the operator login name and password, as well as on the security measures put in place to control which clients are able to reach the server with a login request. Protection of the connection infrastructure is beyond the scope of this document.

Resolution

Either put the Client machines in the same Domain as the Server or, if no Domain is used or the Client is not on the Domain, follow the process below to manually update the security policy.
 
The following process is a manual edit of the XML configuration files. We recommend that you make a backup of the configuration files, which are located in the ..\Program Files\Schneider Electric\Security Expert directory, prior to performing this task.
 
1. Close all Security Expert clients and stop the Security Expert Data Service.
2. First update the Security Expert Client configuration file. This is called SecurityExpert.exe.config and is located in the ..\Program Files\Schneider Electric\Security Expert directory on the client machine. This change must be done for ALL clients; you cannot have one client with security enabled and one without. All the clients must match the server security configuration.
3. Open Notepad as the administrator and browse to the ..\Program Files\Schneider Electric\Security Expert location. Make sure the "All files" option is selected and find the file SecurityExpert.exe.config. Be aware that it may not have the file extension showing and will be called an XML Configuration file by default. Once selected, open the file.
 
4. Locate the tag <netTcpBinding>. Nested within this tag is the <binding> tag. Ensure that you insert the text below after the opening tag <binding> and before the closing tag </binding>. If you insert the text outside this tag, the application will fail to run.
 
   <security mode="None"></security>
 
5. IMPORTANT: You must ensure you enter "None" with a capital "N" (not lower case). Ensure you copy (input) the text exactly as shown. Now save the file. If you get a write error, you need to open Notepad as the administrator.
6. Now repeat the process for the Security Expert Server configuration file. This is called SecurityExpertSV.exe.config and is located in the ..\Program Files\Schneider Electric\Security Expert directory on the server machine. Again, make sure <security mode="None"></security> is after the opening tag <binding> and before the closing tag </binding> or the application will fail to run.
7. This change must be applied to the server and ALL clients. You cannot have one client with security enabled and one without; all the clients must match the server security configuration.
8. Restart the Security Expert Data Service and test the connection settings.
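
Because every client must match the server, the edited files can be checked before the service is restarted. The script below is an added example, not part of the original article or the product: it reads the text of each .config file and reports a lower-case mode value, a <security> tag placed outside <binding>, and any client whose mode differs from the server. It assumes the standard WCF layout for <netTcpBinding>, where a missing <security> element means the default "Transport" mode; the sample XML and the binding name "example" are constructed.

```python
import xml.etree.ElementTree as ET

# SecurityMode values accepted by WCF netTcpBinding (case-sensitive).
VALID_MODES = {"None", "Transport", "Message", "TransportWithMessageCredential"}
DEFAULT_MODE = "Transport"  # assumption: WCF default when <security> is absent

# Constructed sample files (not taken from a real installation).
TEMPLATE = """<configuration><system.serviceModel><bindings><netTcpBinding>
<binding name="example">{inner}</binding>{outer}
</netTcpBinding></bindings></system.serviceModel></configuration>"""
SERVER = TEMPLATE.format(inner='<security mode="None"></security>', outer="")
CLIENTS = {
    "client-ok": SERVER,
    "client-default": TEMPLATE.format(inner="", outer=""),
    "client-lowercase": TEMPLATE.format(inner='<security mode="none"/>', outer=""),
    "client-misplaced": TEMPLATE.format(inner="", outer='<security mode="None"/>'),
}

def net_tcp_security_modes(config_xml):
    """Return (modes, problems) for every <binding> under <netTcpBinding>."""
    root = ET.fromstring(config_xml)
    modes, problems = [], []
    bindings = root.findall(".//netTcpBinding/binding")
    if not bindings:
        problems.append("no <binding> found under <netTcpBinding>")
    for binding in bindings:
        sec = binding.find("security")
        mode = DEFAULT_MODE if sec is None else sec.get("mode", DEFAULT_MODE)
        if mode not in VALID_MODES:
            problems.append(f"invalid mode {mode!r} (value is case-sensitive)")
        modes.append(mode)
    # <security> directly under <netTcpBinding> is outside <binding> (step 4).
    if root.find(".//netTcpBinding/security") is not None:
        problems.append("<security> is outside <binding>")
    return modes, problems

def compare(server_xml, client_xmls):
    """List findings for the server and for each client that does not match it."""
    server_modes, problems = net_tcp_security_modes(server_xml)
    findings = [f"server: {p}" for p in problems]
    for name, xml in client_xmls.items():
        modes, problems = net_tcp_security_modes(xml)
        findings += [f"{name}: {p}" for p in problems]
        if set(modes) != set(server_modes):
            findings.append(f"{name}: mode {modes} differs from server {server_modes}")
    return findings

if __name__ == "__main__":
    print("\n".join(compare(SERVER, CLIENTS)))
```

To check real files, pass the contents of SecurityExpertSV.exe.config as server_xml and a dictionary of machine name to SecurityExpert.exe.config contents as client_xmls; an empty result means the server and all clients agree.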