Authentication
An OPC UA client application can authenticate itself to the TwinCAT OPC UA Server via various IdentityTokens. The following IdentityTokens are supported:
- Anonymous
- Username/Password
- User certificate
Delivery state: The "Anonymous" IdentityToken is enabled when the server is delivered; however, the server requires a one-time initialization to get started. This IdentityToken is then disabled and client applications must authenticate themselves with a username on the server.
Anonymous
This type of authentication allows any OPC UA client to connect to the server application. It is not necessary to specify a user identity, which means that there are no options for defining access rights on the server. Beckhoff recommends disabling this authentication type after commissioning the server. This can be done via the TwinCAT OPC UA Configurator. Below you will find an example screenshot from the OPC UA client application "UA Expert":
Username/Password
This type of authentication uses a username/password combination to authenticate the client to the server application. On the server, access rights can then be defined for the respective user identity. The user identity can be defined on different levels:
- User identity is defined in the server
- User identity comes from the lower-level operating system (e.g. a local Windows user)
- User identity comes from the Active Directory (e.g. if the industrial PC is part of a Windows domain)
Recommendation when using User IdentityTokens: If User IdentityTokens are to be used to authenticate client applications, Beckhoff recommends the use of operating system users.
Below you will find an example screenshot from the OPC UA client application "UA Expert":
User certificate
This type of authentication uses a certificate to authenticate to the server application. The handling of user certificates on the server side is identical to the use of certificates on the transport layer, i.e. the server must trust the (user) certificate before the client can successfully authenticate itself to the server with the certificate. A separate directory ("pkiuser") for the administration of user certificates is available in the server for this purpose. Below you will find an example screenshot from the OPC UA client application "UA Expert":
Notice: Authentication and server certificate. When using the unencrypted endpoint in combination with authentication, the TwinCAT OPC UA Client still requires the public key from the OPC UA Server certificate in order to encrypt the password during transmission. To this end the certificate must be trusted in the TwinCAT OPC UA Client (see Certificate exchange).
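To make the notice concrete, here is an added Go example (not Beckhoff code and not the TwinCAT implementation) of how an OPC UA client encrypts a UserNameIdentityToken password with the public key from the server certificate, and how the server decrypts it and rejects a token that was not built for its session. It assumes a SecurityPolicy that uses RSA-OAEP with SHA-256 for the user token, a freshly generated 2048-bit key standing in for the server certificate, and a 32-byte session nonce supplied by the caller.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// GenerateServerKey stands in for the key pair behind the OPC UA Server certificate (constructed for this demo).
func GenerateServerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// BuildTokenSecret lays out the plaintext that gets encrypted (OPC UA Part 4 legacy token secret):
// UInt32 little-endian length of password+nonce, then the password bytes, then the server nonce.
func BuildTokenSecret(password, serverNonce []byte) []byte {
	buf := make([]byte, 4, 4+len(password)+len(serverNonce))
	binary.LittleEndian.PutUint32(buf, uint32(len(password)+len(serverNonce)))
	return append(append(buf, password...), serverNonce...)
}

// EncryptPassword is the client side: RSA-OAEP under the public key from the server certificate,
// which is why the client must hold and trust that certificate even on an unencrypted endpoint.
func EncryptPassword(serverPub *rsa.PublicKey, password, serverNonce []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, BuildTokenSecret(password, serverNonce), nil)
}

// DecryptPassword is the server side: decrypt, check the length field, and reject a secret whose
// nonce is not this session's, so a token captured from another session is of no use to a replayer.
func DecryptPassword(serverPriv *rsa.PrivateKey, blob, sessionNonce []byte) ([]byte, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, serverPriv, blob, nil)
	if err != nil {
		return nil, err
	}
	if len(plain) < 4+len(sessionNonce) || int(binary.LittleEndian.Uint32(plain)) != len(plain)-4 {
		return nil, fmt.Errorf("malformed token secret (%d bytes)", len(plain))
	}
	body := plain[4:]
	pw, nonce := body[:len(body)-len(sessionNonce)], body[len(body)-len(sessionNonce):]
	if subtle.ConstantTimeCompare(nonce, sessionNonce) != 1 {
		return nil, fmt.Errorf("server nonce mismatch: token was not issued for this session")
	}
	return pw, nil
}
```

Without the server's public key the client cannot produce the encrypted secret at all, which is exactly why the certificate exchange is still needed on a None endpoint.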
Configuration
The IdentityToken is usually configured via the TwinCAT OPC UA Configurator. A graphical user interface is available here to enable IdentityToken, for example in the standalone configurator: