Add MFA to Schneider Electric EcoStruxure™ Geo SCADA

Schneider Electric EcoStruxure™ Geo SCADA does not natively support MFA. In addition to its proprietary authentication capability, however, the system supports LDAP authentication.

To add MFA to Geo SCADA, install the SurePassID LDAP Gateway and configure Geo SCADA to use the new LDAP v3 authentication. LDAP v3 authentication requires Geo SCADA version 2021 (v84) with the May 2022 update or later. Earlier versions will not work.

Use the links below to download, install, and configure the SurePassID LDAP Gateway.

SP LDAP documentation:

https://docs.surepassid.com/SurePassID_LDAP_Installation_Guide.pdf

SP LDAP download:

https://downloads.surepassid.com/LG/SPLG.zip

If you have any questions about configuring Geo SCADA for external authentication, we recommend reviewing the Geo SCADA documentation or contacting tech support at Schneider Electric for more information and guidance.

As of this writing, you will then need to make the following changes to Geo SCADA.

1. Update the Geo SCADA registry to make external LDAP v3 authentication an option:

There are five new registry values in HKLM\SOFTWARE\Schneider Electric\ClearSCADA\DB:

  • LDAPBindingDN - STRING - The username that is used to create a DN to use for binding. There are two options, depending on the SurePassID LDAP Gateway TargetDirectory setting:
    TargetDirectory=ActivityDirectory - Set this value to {username}.
    TargetDirectory=LDAP - Set this value to a valid LDAP distinguished name, and you must prepend CN={username}. For example, with
    “CN={username},OU=Users,DC=yourco,DC=com”, logging on as user "John K" would attempt to bind using DN “CN=John K,OU=Users,DC=yourco,DC=com”.
  • LDAPAuthenticationMethod - DWORD - Set to 0x80.
  • LDAPSupplyCredentials - STRING - Set to “True” 
  • LDAPProtocolVersion - DWORD - Set to 0x80.
  • LDAPEncryptAndSign - STRING - Set to “False”

Note that in (unreleased) 2022 (v85) the LDAP protocol version can also be configured via the server config tool. The other options currently remain registry-only.

Sample LDAP registry settings:

[Screenshot: Geo SCADA registry entries]
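The five values from step 1 can also be checked and written from an elevated PowerShell prompt. The script below is an added example, not SurePassID or Schneider Electric code. The -Apply switch is this example's own name, and the binding DN assumes TargetDirectory=LDAP with the sample DN shown above.

```powershell
# Added example: audit (default) or apply (-Apply) the step 1 registry values.
# Run from an elevated PowerShell prompt on the Geo SCADA server.
param([switch]$Apply)   # -Apply is this example's own switch name

$Key = 'HKLM:\SOFTWARE\Schneider Electric\ClearSCADA\DB'
# Assumption: TargetDirectory=LDAP, using the page's sample DN. Replace with
# your own DN, or with '{username}' for the other TargetDirectory option.
$BindingDN = 'CN={username},OU=Users,DC=yourco,DC=com'

$Desired = @(
    @{ Name = 'LDAPBindingDN';            Type = 'String'; Value = $BindingDN }
    @{ Name = 'LDAPAuthenticationMethod'; Type = 'DWord';  Value = 0x80 }
    @{ Name = 'LDAPSupplyCredentials';    Type = 'String'; Value = 'True' }
    @{ Name = 'LDAPProtocolVersion';      Type = 'DWord';  Value = 0x80 }
    @{ Name = 'LDAPEncryptAndSign';       Type = 'String'; Value = 'False' }
)

if (-not (Test-Path -LiteralPath $Key)) {
    throw "Registry key not found: $Key"
}

$drift = 0
foreach ($item in $Desired) {
    # Re-read the key each time so a value written below is seen on re-check
    $regKey = Get-Item -LiteralPath $Key
    $exists = $regKey.GetValueNames() -contains $item.Name
    $value  = if ($exists) { $regKey.GetValue($item.Name) } else { '<missing>' }
    $kind   = if ($exists) { [string]$regKey.GetValueKind($item.Name) } else { '<none>' }

    # A value only counts as correct if both its type and its data match
    if ($exists -and $kind -eq $item.Type -and $value -eq $item.Value) {
        Write-Output ("OK     {0} = {1}" -f $item.Name, $value)
        continue
    }
    $drift++
    Write-Output ("DRIFT  {0}: found {1} ({2}), expected {3} ({4})" -f `
        $item.Name, $value, $kind, $item.Value, $item.Type)
    if ($Apply) {
        # -Force creates the value or overwrites it with the expected type
        New-ItemProperty -LiteralPath $Key -Name $item.Name `
            -PropertyType $item.Type -Value $item.Value -Force | Out-Null
        Write-Output ("SET    {0} = {1}" -f $item.Name, $item.Value)
    }
}
# Non-zero exit in audit mode lets a scheduled check flag configuration drift
if ($drift -gt 0 -and -not $Apply) { exit 1 }
```

Run it without -Apply first to see what would change, and export the key before writing to it.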

2. Use the Geo SCADA Admin Tool to configure external authentication

Review the Geo SCADA documentation.

3. Use the Geo SCADA ViewX Tool to configure certain users for external authentication

Review the Geo SCADA documentation.