About Run-As Security Limitations

Some limitations exist with regard to using the SIMULIA Execution Engine station Run-As security feature. These limitations should be reviewed prior to activating the feature.

The following station Run-As security limitations exist:

  • If the SIMULIA Execution Engine’s security realm (or LDAP server) and the SIMULIA Execution Engine station’s security realm are different, the extended grid credentials option must be used when a user logs on to the SIMULIA Execution Engine. This option allows the user to enter a user ID and password for the stations that is different from the credentials used to log on to the SIMULIA Execution Engine. The extended grid credentials option can be enabled using the Connection Profile Editor. For more information on using this tool, see Creating the Connection Profile File.

  • On Windows 7 and Windows 2008 Server, a Run-As station should be started as a service as user LOCAL SYSTEM or LOCAL SERVICE. If a Run-As station is started interactively, it must be started as a user in the Administrators group who has been granted privilege Replace a Process Level Token and must be started by right-clicking and selecting Run as Administrator (or be started from a command window that was started with Run as Administrator). Be aware that there are known problems with the Excel and Word components on Run-As stations on Windows Vista and later—the component will sometimes hang, leaving multiple Excel or Word processes running on the machine. It is recommended that Excel and Word not be run on Run-As stations on Windows Vista or later. Either use an earlier version of Windows, or use a non-Run-As station (see Station-Specific Run-As Behavior and Setting Station-Specific Run-As Options).

  • On Windows, a Run-As station may create 2 substation processes for each user. These substations are created differently so they have different operating system privileges. One is specifically for the OSCommand and Simcode component, and the other is for COM components like Excel and Word. This is necessary because a station spawned one way cannot create Windows Job objects for OSCommand cleanup, and a station spawned the other way cannot create a COM server for Excel or Word. No specific action is required, but be aware that there may be twice as many substation processes as expected. Forcing all Excel and Word components to execute on a non-Run-As station (see previous item) avoids the extra substations on Run-As machines, and also avoids a problem with Excel on Windows Vista and later.