SOLIDWORKS PDM: Active Directory FAQs

This guide addresses many common questions and issues regarding SOLIDWORKS PDM Active Directory integration, with solutions that reference those found in the official SOLIDWORKS Knowledge Base.

 

Table of Contents:

Understanding SOLIDWORKS PDM Active Directory Integration

Best Practices for SOLIDWORKS PDM with Active Directory

Configuring SOLIDWORKS PDM for use with Active Directory

 

Understanding SOLIDWORKS PDM Active Directory Integration

 

(S-062526) How does SOLIDWORKS PDM handle Windows logins? What if they exist both locally and as domain users?

When using Windows login with an Enterprise PDM file vault, it is only the Windows login name (profile name) that is stored in the file vault's database. The user's password is managed by the Windows server, either the local Windows server hosting the archive server service or the Windows Active Directory server. The domain tag is not part of the username saved in the file vault.

This means that for a successful file vault login, the Windows login name must match the name of the user in the vault and the Windows server must accept the credentials. The login name must also exist as an explicitly added user or part of a local or domain group added to the Windows login settings on the archive server.

In most cases, the Windows user will only exist in one location (either as local user on the archive server or as user on the AD server). Entering the login name and password will log you in to the vault.

If the same user login exists both on the local server and on the Active Directory server, EPDM will try to log in with the local user credentials first before trying the AD credentials. That means that if the passwords differ, the user may end up logging in with a seemingly “old” password, because the local account is tried first. This can also happen if the user login exists in multiple domains that the archive server has access to.

For more information, please see the attached PDF guide titled "user_logins".

 

(S-067316) How does SOLIDWORKS PDM authenticate with domain controllers to authenticate users when using Windows logon?

When using Windows authentication, SOLIDWORKS PDM authenticates attempted user logons against the Microsoft Active Directory domain controller. These Kerberos V5 authentication requests are sent directly from the archive server (NOT the clients) to the domain controller.

To understand the communication process of a Windows logon please see the example process below:

  1. The user attempts to log into the vault.
  2. The Enterprise PDM Client contacts the Archive server with the attached logon credentials.
  3. The Enterprise PDM Archive Server then contacts the attached domain controller with a Kerberos V5 authentication request.
  4. The Domain controller responds to the SOLIDWORKS Archive Server with a success or fail for the authentication.
  5. The Enterprise PDM Archive Server responds to the client.
  6. The Enterprise PDM client logs in to the vault.

 

(S-048138) Are all Active Directory domain scopes (universal, domain local and global) supported by SOLIDWORKS PDM when using the Windows login type?

Yes. Any Active Directory domain group scope can be used when adding domain groups to the SOLIDWORKS Enterprise PDM Archive Server Configuration tool's Windows login settings, provided that the archive server can access the group.

Users who belong to domain groups with a universal, global or domain local scope should be able to log in to an Enterprise PDM vault.

 

(S-067318) How can I determine which Active Directory domain controller or logon server I am using to help diagnose SOLIDWORKS PDM logon problems?

When diagnosing SOLIDWORKS PDM Windows logon performance problems, it may be necessary to establish which Active Directory logon server you are currently connected to.

Several methods allow you to identify the currently connected authentication server, but the simplest is the following:

  1. On the Archive Server, open a command prompt (Start > Run > cmd)
  2. Type: Echo %logonserver%
  3. You will be presented with the logon server name; this can then be pinged to test latency etc. (Please see SOLIDWORKS Knowledge Base solution S-067317 for more details on potential performance issues.)
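The same check, scripted: the following PowerShell is an added example and is not part of the Hawk Ridge Systems article or any SOLIDWORKS tool. It reads the same LOGONSERVER variable, asks Netlogon which domain controller it would use now (nltest is built into Windows), and summarises ping latency. The 50 ms threshold is an illustrative assumption.

```powershell
# Added example, not from the Hawk Ridge Systems article: find the domain
# controller this archive server logged on against and measure round-trip
# time to it (the PowerShell equivalent of "echo %logonserver%" plus ping).
# Run in a PowerShell window on the archive server.

# LOGONSERVER is set at logon and looks like "\\DC01"; drop the leading slashes.
$logonServer = $env:LOGONSERVER -replace '^\\\\', ''
if (-not $logonServer) {
    Write-Warning 'LOGONSERVER is not set; this session may be a local (non-domain) logon.'
    return
}
Write-Output "Logon server for this session: $logonServer"

# Ask Netlogon which DC it would pick right now; after a failover or site change
# this can differ from the value LOGONSERVER captured at logon time.
nltest "/dsgetdc:$($env:USERDNSDOMAIN)"

# Five echo requests, then summarise latency. Windows PowerShell 5.1 exposes the
# value as ResponseTime, PowerShell 7 as Latency, so accept either.
$replies = Test-Connection -ComputerName $logonServer -Count 5 -ErrorAction Stop
$rtt = $replies | ForEach-Object {
    if ($_.PSObject.Properties['Latency']) { $_.Latency } else { $_.ResponseTime }
}
$stats = $rtt | Measure-Object -Average -Maximum
Write-Output ("Ping to {0}: avg {1:N1} ms, max {2} ms" -f $logonServer, $stats.Average, $stats.Maximum)

# Every Windows-login attempt against the vault waits on this round trip, so a
# consistently high or erratic value points at the AD/network side rather than PDM.
if ($stats.Average -gt 50) {   # threshold is illustrative; adjust for your network
    Write-Warning 'High latency to the logon server; check site/subnet mapping in AD Sites and Services.'
}
```

If nltest reports a different controller than LOGONSERVER, the archive server's Netlogon client has since re-selected a DC, and that is the one current vault logins are actually waiting on.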

 

Best Practices for SOLIDWORKS PDM with Active Directory

 

(S-025962) What permissions considerations are necessary when configuring a SAN/NAS setup for storing the SOLIDWORKS PDM vault archives?

Most SAN/NAS setups will work with PDM Professional provided the archive server service has full read and write access to the SAN/NAS location. 

Keep in mind that the archive server is a service and will therefore, by default, run under the “System” account on the computer (i.e. the computer itself). The “System” account is NOT the same as the user account logged in to Windows, and that is where most configuration problems arise: just because the user currently logged in to Windows (normally a domain administrator on a server) can browse to the network share, it does not follow that the “System” account can do the same. The share in question MUST give the SYSTEM account full read and write access to the archives. To enable the “System” account to access the share, add the computer name followed by a “$” symbol (i.e. ArchiveServerName$) to the folder share and give it “Read/Write” permission.

In the situation where the system account cannot be configured to access the share, you should change the logon account of the archive server service to a user that has sufficient access (for example the domain administrator). Note that this user account MUST have local administrative permissions for the archive server's system since it will access and modify the local registry.

When reinstalling the archive server service (i.e. uninstall/reinstall or upgrade), the service defaults back to starting under the “system” account. Therefore, if the service was configured to run under a different user account before the reinstall, it must be configured again after the install, or there will be archive access problems. Also keep in mind that if the service is running under another user and that user's password changes, the service will not be able to start until the password is updated again under the service logon properties.
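The permission change described above, scripted: this PowerShell is an added example and is not from the Hawk Ridge Systems article or from SOLIDWORKS. It grants the archive server's computer account both share-level and NTFS access (both are evaluated, and the more restrictive wins) and then shows how to confirm which account the archive server service currently starts as, which is the value that reverts after a reinstall. The share name, path, domain, computer name and the service display-name filter are all placeholders.

```powershell
# Added example, not from the Hawk Ridge Systems article: grant the archive
# server's computer account access to the archive share, then verify which
# account the archive server service runs under.
# Steps 1-3 run as an administrator on the file server hosting the share.
# Assumed names; replace with your own:
$shareName     = 'PDMArchives'        # hypothetical SMB share name
$sharePath     = 'D:\PDMArchives'     # hypothetical local folder backing the share
$archiveServer = 'CORP\ARCHSRV01$'    # DOMAIN\ComputerName$ of the archive server

# 1. Share-level permission. The local SYSTEM account reaches the network as the
#    machine account, so that (not a user) is what must be granted.
Grant-SmbShareAccess -Name $shareName -AccountName $archiveServer -AccessRight Full -Force

# 2. NTFS permission on the folder itself. Modify covers read, write and delete,
#    which is what the archives need; FullControl would also allow ACL changes.
$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $archiveServer, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# 3. Show the resulting entries for review.
Get-SmbShareAccess -Name $shareName
(Get-Acl -Path $sharePath).Access | Where-Object IdentityReference -like '*ARCHSRV01$*'

# 4. On the archive server: confirm which account the service starts as. After an
#    uninstall/reinstall or upgrade this reverts to LocalSystem. The display-name
#    filter is an assumption; take the exact name from services.msc if it differs.
Get-CimInstance Win32_Service -Filter "DisplayName LIKE '%Archive Server%'" |
    Select-Object Name, DisplayName, StartName, State
```

If StartName shows LocalSystem but the share was only granted to a named user account, the service will not be able to reach the archives; either grant the computer account as above or set the service logon back to that user.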

For more information, please see the following solutions on the SOLIDWORKS Knowledge Base:

  • S-025962: "Is it possible to use remote storage SAN/NAS setups for storing the SOLIDWORKS PDM Professional file vault archives?"
  • S-012157: "Is it possible to store the PDM Professional file vault archives on a remote network share?"

 

(S-044688) Is it possible to install the SQL Server Service on a server which is also a domain controller?

SOLIDWORKS does not recommend this approach; it is better to have a dedicated server as the SQL Server / PDM server. However, if absolutely necessary, it can be done, but with the limitations described below.

For security reasons, Microsoft recommends not installing SQL Server Service on a domain controller. SQL Server Setup will not block installation on a computer that is a domain controller, but the following limitations apply:

  • SQL Server services can run under a domain account or a local system account.
  • It is impossible to run SQL Server services on a domain controller under a local service account or a network service account.
  • After SQL Server is installed on a computer, it is impossible to change the computer from a domain member to a domain controller, or the reverse. It is required to uninstall SQL Server before making either modification.
  • SQL Server failover cluster instances are not supported where cluster nodes are domain controllers.
  • SQL Server is not supported on a read-only domain controller.

 

(S-061788 / S-037242) Is it possible to configure the SOLIDWORKS PDM client to use a domain login over a VPN?

Yes. As long as the VPN tunnel does not block TCP port access to the Archive Server (default port 3030) and the SQL Server (default port 1433/1434), a vault view should work fine over a VPN.

Please take note of these additional considerations:

  • Clients may not be able to resolve the host-names of the SQL Server, Archive Server and License Server over the VPN. In this situation, you will need to configure the local HOSTS file on the client machine to resolve to the correct IP. Please see the attached PDF guide titled "S-037242 - DNS Host Name Resolution.pdf"
  • If the vault login type is set to "Windows Login" then the remote user will likely not have a domain login name or may not be able to contact the Domain Controller through the VPN. If this is the case, you will have to create a local Windows account on the Archive Server for this non-domain user, and then add it to the Windows Login settings for the vault through the Archive Server Configuration Manager.
  • The VPN may add security measures such as encryption, which may limit throughput compared to being on the LAN. This, in addition to the natural effect of bandwidth and latency while working remotely, will have an impact on the overall performance of PDM.
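A quick way to check the first two points from a VPN-connected client: the following PowerShell is an added example, not from the Hawk Ridge Systems article or from SOLIDWORKS. It resolves each server through the operating system resolver (which honours the HOSTS file, unlike Resolve-DnsName, which queries DNS directly) and tests the ports quoted above. The host names and the suggested HOSTS-entry IP address are placeholders; the license server is checked for name resolution only.

```powershell
# Added example, not from the Hawk Ridge Systems article: run on a client
# connected through the VPN to confirm the PDM servers resolve and that the
# ports the article names are reachable. Host names are placeholders; 3030
# (archive server) and 1433 (SQL Server) are the defaults quoted above.
$targets = @(
    @{ Name = 'pdm-archive.corp.example'; Port = 3030 },
    @{ Name = 'pdm-sql.corp.example';     Port = 1433 },
    @{ Name = 'pdm-license.corp.example'; Port = $null }   # resolution only
)

foreach ($t in $targets) {
    # The OS resolver consults the HOSTS file, so this reflects what the PDM
    # client itself will see after a HOSTS fix.
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($t.Name) | ForEach-Object IPAddressToString
        Write-Output ("{0} -> {1}" -f $t.Name, ($addrs -join ', '))
    } catch {
        Write-Warning ("{0}: name does not resolve over the VPN. Add a line such as" -f $t.Name)
        Write-Warning ("  10.0.0.10  {0}" -f $t.Name)   # placeholder IP address
        Write-Warning ("to $env:SystemRoot\System32\drivers\etc\hosts on this client.")
        continue
    }
    if ($null -ne $t.Port) {
        $r = Test-NetConnection -ComputerName $t.Name -Port $t.Port -WarningAction SilentlyContinue
        if ($r.TcpTestSucceeded) {
            Write-Output ("  TCP {0} reachable" -f $t.Port)
        } else {
            Write-Warning ("  TCP {0} blocked; check the VPN tunnel and firewall rules" -f $t.Port)
        }
    }
}
```

A name that resolves but a port that fails points at the tunnel or a firewall; a name that does not resolve at all is the HOSTS-file case described in the first bullet.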

 

(S-013275) How are users added from other domains in the SOLIDWORKS PDM Professional Archive Server Configuration Manager when defining the Windows login type?

In order to add users from another domain when using Windows® Logins in SOLIDWORKS® PDM Professional, create a new local Windows group on the archive server and add users or groups from the other domain to this local group. Once done, add the local group to the Windows login settings (or attach/administrative access settings) via the archive server configuration tool.

Before users can be added to the local group on the archive server, the system administrator must create domain trusts. The primary domain will need to trust the secondary domain in which the user accounts reside. Domain administrators on both domains will need to create the trust relationship (even for a one-way trust). It is recommended to have a two-way trust set up.

Once the domain trusts are established there are different group types that will likely be created (may differ depending on Active Directory configuration):

  • A global group in the trusted domain for adding users.
  • A universal group to which the global group(s) would be added.
  • A domain local group where the resources are located. The universal group would be added to this group. This provides the links for users from one domain to another.

After the trusts are created it should be possible to create explicit permissions by individual, but this is not a recommended practice.

Read more about creating Active Directory domain trusts in the Windows server documentation.

The enquirer should seek the services of a qualified MCSE systems administrator as this is a question of systems administration.
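The local-group step on the archive server, scripted: this PowerShell is an added example, not from the Hawk Ridge Systems article or from SOLIDWORKS. It lists the trusts the archive server's domain knows about (nltest is built into Windows), creates the local group if it does not already exist, and nests the trusted domain's group in it; the local group is then what you add to the Windows login settings in the Archive Server Configuration tool. The group names and domain name are placeholders.

```powershell
# Added example, not from the Hawk Ridge Systems article: on the archive server,
# confirm the trust is visible, then create the local group the article describes
# and nest the trusted domain's group in it. All names are placeholders.
$localGroup  = 'PDM Vault Users'
$remoteGroup = 'PARTNERDOM\PDM-Users'   # group in the trusted (secondary) domain

# Trusts the archive server's domain knows about; the secondary domain must be listed.
nltest /domain_trusts

if (-not (Get-LocalGroup -Name $localGroup -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $localGroup -Description 'Windows-login access to the PDM vault' | Out-Null
}

# Nesting the domain group (rather than individual users) keeps membership
# managed in AD; the local group is what gets added to the Windows login settings.
if (-not (Get-LocalGroupMember -Group $localGroup -Member $remoteGroup -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group $localGroup -Member $remoteGroup
}
Get-LocalGroupMember -Group $localGroup | Format-Table Name, ObjectClass, PrincipalSource
```

If Add-LocalGroupMember cannot find the remote group, the trust is usually missing or one-way in the wrong direction; the archive server's domain must trust the domain the group lives in.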

 

Configuring SOLIDWORKS PDM for use with Active Directory

 

(S-037838 / S-028869) How are servers and users moved from one Active Directory domain to another, and how will that affect existing PDM file vaults using a Windows login type?

In most cases, changing domains will not affect existing users in a vault that uses the Windows login type, provided that the new domain contains the same Active Directory logins.

If the login names do not perfectly match between the new and old domains (for example: "DOMAIN-1\JohnDoe" and "DOMAIN_2\JohnD") you will need to either add them as new users through the Administration Tool, or manually update the database table "Users" with the new logins.

Please see our comprehensive guide at the link below:

SOLIDWORKS PDM: Changing Domains

 

(S-043890 / S-028869) Is it possible to reconfigure the Archive Server to switch from SOLIDWORKS PDM logins to Windows Domain logins?

Yes, as long as the exact same user and group names are used for the SOLIDWORKS PDM and Windows logins. The file vault database will not be affected by the change. Please note that the associated passwords do not have to be the same.

Files that are checked out by a SOLIDWORKS PDM user can be checked in using a Windows login of the same name.

If the names are NOT the same, please refer to the attached PDF guide:

"How to change an existing Enterprise PDM user name to match a Windows login name"

 

Is it possible to reconfigure the Archive Server to switch from Windows Domain logins to SOLIDWORKS PDM logins?

Yes, you can simply change the login type to 'SOLIDWORKS PDM' in the Archive Server Configuration Manager and then update each Windows user's password in the Administration Tool.

NOTE: You MUST update the passwords by double-clicking each user and then clicking "Set Password..." Right-clicking user entries and selecting "Change password..." does NOT work properly in this situation.

 

(SPR-622282) How can email addresses be pulled from Active Directory when adding users in the Administration tool?

Due to a critical bug which remains open as of SOLIDWORKS 2019 SP 0, when adding users through the Administration Tool, their associated email address may not be pulled from Active Directory.

Please note that this bug could be fixed in a later service pack. Please check the status of the SPR in the official SOLIDWORKS Knowledge Base if you're attempting this process on a later version.

As a workaround, instead of using "List Users" to select the users, add the user by right-clicking the users node and selecting "New User". Then type their login name in the format: DOMAIN\USERNAME.

As another workaround, you can use the "Import from Active Directory..." option, found by right-clicking "Groups" in the Administration Tool.

 

If you have any questions regarding the information above, please contact Hawk Ridge Systems Technical Support 

 

 
