ONVIF Security questions

I’m trying to set up the ONVIF Bridge on a Milestone Server (Corporate, v 2016 R3). I am reading the ONVIF Bridge Getting Started Guide (both 2016 R3 and 2017 R3), and some things are unclear to me.

  1. The Guide says, on page 7, “Milestone recommends that you create and add a dedicated user account for the Milestone ONVIF Bridge, and for each ONVIF client, as follows:”. Does that mean you need different credentials for the Bridge and each client, or that you only need 1 user/password that everybody uses? I can only get it to work if I use the same credentials everywhere.
  2. The Guide also says "In the Management Client, assign the user to a role that can access cameras, and specify permissions for the ONVIF Bridges security group on the Overall Security tab for the role." There are two problems here. First, the Guide is telling you to do this before ONVIF Bridge is installed. There is no ONVIF Bridge security group before ONVIF is installed! The second problem is that it is incredibly vague. Exactly what permissions do I need to set on the role? Don’t make us guess! So far, the only way I have been able to get it to work is to put the Bridge user in the Administrators group.

I have had a discussion on Onvif user setup in another thread, perhaps you will find it useful. https://developer.milestonesys.com/s/question/0D50O00003ODqDHSA1/onvif-bridge-live-stream

Hi Mark,

I think Bo’s link contains answers you need.

Nevertheless I’ll try to explain them also.

“Does that mean you need different credentials for the Bridge and each client?”

No. You don’t. But you can.

“Or that you only need 1 user/password that everybody uses?”

No. You don’t. But you can.

“I can only get it to work if I use the same credentials everywhere.”

Seems like misconfiguration.

Have you added additional ONVIF users in the ONVIF Bridge settings?

“There are two problems here. First, the Guide is telling you to do this before ONVIF Bridge is installed. There is no ONVIF Bridge security group before ONVIF is installed!”

I have to admit there are some inaccuracies in the manual.

You can create the role before the ONVIF Bridge is installed. And configure users in the ONVIF Bridge settings afterwards.

“The second problem is that it is incredibly vague. Exactly what permissions do I need to set on the role?”

It depends on whether the user that will be used to connect the ONVIF Bridge to Corporate will be the same one used for the connection between ONVIF Clients and the ONVIF Bridge.

For the user ONVIF Bridge → Corporate you should allow at least Read and System Monitor of Management Server as well as Read and Edit of System Monitor.

For the users ONVIF Client → ONVIF Bridge, at least Read, View Live, Playback, Read sequences, Manual PTZ and Activate PTZ presets of Cameras should be allowed, as well as the particular cameras that the user will have access to.

Most customers use a user that is a member of the Administrators group for the connection ONVIF Bridge → Corporate.

And create a different role only for the users used between ONVIF Clients and ONVIF Bridge.

Some of them, however, do exactly what you’ve done: for simplicity they use one and the same user for everything, which is part of the Administrators role.

Thanks Petar, that helped a little.

I created a role for the Bridge-to-Corporate authentication and gave it the permissions you listed for both types of users. When I went to add specific camera permissions, the pertinent checkboxes were already checked and disabled. I added a user to the role. This user worked when used in the Bridge client. I’m surprised that it needed no permissions from the ONVIF Bridges security group.

I created another role for the client-to-Bridge authentication, and gave it only the permissions you listed for client-to-Bridge users. I created a user and added it to the role. The role has Read, View Live, Playback, and Read sequences permissions on all cameras. When I used this user in the Bridge client, it did not work: it stopped when it couldn’t get authorization for the Describe message.

So what other permissions do client-to-bridge users need to have? Currently, it has only permissions from the Camera security group. And those options are checked for all cameras.

Hi Mark,

Have you added the client-to-bridge users in the ONVIF Bridge management plug-in settings page?

Also, are you able to log in with those users through the Smart Client and view those cameras?

That’s the problem! I can’t get to that page.

When I click on ONVIF Bridges under the Servers node in Site Navigation, I get an ONVIF Bridges window next to it as above. However, the only thing in the window is a tree node named ONVIF Bridges. When I right-click on that node, all I get is a menu with only Refresh in it. There is no “Add Bridge” as the documentation suggests.

I am logging as a Windows user (current user). My Windows user is an Administrator on the machine, so I should automatically be an Administrator in the Management Client. And in fact, I can do anything an Admin can do, except add new Bridges.

The ONVIF Bridge is installed on the same machine as the all-in-one Milestone server.

I don’t know what to do about this.

And yes, my BridgeClient user can log in to Smart Client and view all the cameras.

Hi Mark,

You are right. In this way ONVIF Bridge cannot register itself as a VMS system service and therefore you could not “Add Bridge” from the tree context menu.

I should correct myself in previous post:

“Read and System Monitor of Management Server” should be “Read, Edit and System Monitor of Management Server”.

User right for “Edit” is the key point here.

Please also bear in mind that when you afterwards add ONVIF Client users, you should specify username and password in the ONVIF Bridge Management plug-in settings. The tricky part is that the credentials entered are not checked in any way, so if they are not correct, the settings will be accepted, but those users won’t work afterwards. (Not the best UX, I have to admit …)
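An added example (not code from this thread or from Milestone) for the point just made, that credentials typed into the ONVIF Bridge plug-in are not validated: it builds the WS-UsernameToken digest an ONVIF client sends, verifies it the way the bridge would, and sends a GetDeviceInformation request so you can confirm a configured client user really authenticates. The bridge's device-service URL is an assumption you must supply; the namespaces and digest formula are the standard ONVIF/WS-Security ones.

```python
import base64
import datetime
import hashlib
import hmac
import os
import urllib.request
from xml.sax.saxutils import escape
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """ONVIF WS-UsernameToken digest: Base64(SHA-1(nonce + created + password))."""
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()

def build_username_token(username, password, nonce=None, created=None):
    """Client side: fresh random nonce and UTC timestamp unless fixed values are given (for tests)."""
    nonce = nonce or os.urandom(16)
    created = created or datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"username": username, "nonce": base64.b64encode(nonce).decode(),
            "created": created, "digest": password_digest(nonce, created, password)}

def verify_username_token(token, password) -> bool:
    """Server side: recompute the digest from the stored password and compare in constant time."""
    expected = password_digest(base64.b64decode(token["nonce"]), token["created"], password)
    return hmac.compare_digest(expected, token["digest"])

def get_device_information_envelope(token) -> str:
    """SOAP 1.2 GetDeviceInformation request carrying the UsernameToken security header."""
    return (
        '<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">'
        f'<s:Header><wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}"><wsse:UsernameToken>'
        f'<wsse:Username>{escape(token["username"])}</wsse:Username>'
        f'<wsse:Password Type="{DIGEST_TYPE}">{token["digest"]}</wsse:Password>'
        f'<wsse:Nonce>{token["nonce"]}</wsse:Nonce><wsu:Created>{token["created"]}</wsu:Created>'
        '</wsse:UsernameToken></wsse:Security></s:Header>'
        '<s:Body><tds:GetDeviceInformation xmlns:tds="http://www.onvif.org/ver10/device/wsdl"/></s:Body>'
        '</s:Envelope>')

def check_client_user(url, username, password, timeout=5) -> bool:
    """True if the bridge accepts the credentials (HTTP 200); False on 401, SOAP fault or no answer."""
    body = get_device_information_envelope(build_username_token(username, password)).encode()
    req = urllib.request.Request(url, data=body, headers={"Content-Type": "application/soap+xml"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status == 200
    except OSError:  # URLError/HTTPError and socket errors all derive from OSError
        return False
```

Run `check_client_user("http://<bridge-host>:<onvif-port>/onvif/device_service", user, password)` once per client user you entered in the plug-in; a False for a user you expect to work means the stored credentials are wrong.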

I added the Edit Management Server permission for my OnvifRunners role and restarted the Onvif server and Management Client. There is still no “Add Bridge” menu item in the context menu for Onvif Bridges.

Just for grins, I tried logging in as my dedicated BridgeUser. In that scenario, Onvif Bridges doesn’t even appear in the Servers node.

I put my dedicated BridgeUser in the Administrators group, and restarted the Onvif server and Management Client. There is still no “Add Bridges” menu item.

One note: I was getting extremely inconsistent results trying to view camera streams with Onvif Device Manager when ODM was not running on the Milestone server. After reading a bunch of posts about that, I installed the latest version of Onvif Bridge (2017 R3). That allowed me to reliably view cameras remotely with ODM. But the rest of my Milestone installation is 2016 R3. Could this be part of the problem?

Hi Mark,

I’ve tested the solution with “Edit” user right on my local set-up, before writing the previous answer.

More strange is that it doesn’t work even when you’ve put your ONVIF Bridge server user into the Administrators role.

This should always work !

Btw. you removed the user from the OnvifRunners role first, right?

What I mean is that if you have one user added to two roles, this could have an unpredictable (undesired) result. Usually the more restrictive role is used.

Your guess was correct; after I removed the Bridge Server user from the BridgeRunner role and restarted the server, I was able to add a Bridge and add my BridgeClient user to it. The BridgeClient user was able to authenticate.

So I guess if you can’t tell me the permissions my BridgeRunner role needs, we can just use the Administrator role. If we get a customer that balks at that, we can revisit this issue.

I got the BridgeUser to work correctly when a member of only the BridgeRunner role, using the permissions you gave me. My apologies - I’m not sure, but I think I was restarting the wrong Bridge after manipulating Roles and permissions.

Super :slight_smile:

I’m glad you were able to make it work.