-
Re: How to support Pi Web API "Kerberos Authentication" using nodejs/javascript?
Marcos Vainer LoeffNov 17, 2016 3:36 PM (in response to AniketAmrutkar)
Hello Aniket,
According to this article, Kerberos authentication can be used from a Mac OS X workstation with Chrome. I've never tried to do this, but I suppose it should work. If you search on the web, you should find many articles about it.
But before doing so, I would first make sure Kerberos works fully on Windows. Make sure that you can get data from the PI Data Archive and PI AF Server as well.
Please refer to this video to set up Kerberos on your domain.
Please let me know if this works for you!
-
Re: How to support Pi Web API "Kerberos Authentication" using nodejs/javascript?
AniketAmrutkar Nov 24, 2016 10:56 AM (in response to Marcos Vainer Loeff)Hello Marcos,
I check on my windows machine I am getting the PI archive data back. I think Kerberos is working properly on my pi web API machine.
I am not sure how to access this from outside ?I am getting following error when I do : kinit dev-win12@<my sevrer>
Error :
kinit: krb5_get_init_creds: unable to reach any KDC in realm <my server>, tried 0 KDCs
Not sure where to start KDC ? How to map it. I have change my authentication strategy to Kerberos. Nothing else.
Also, I am still trying to write nodejs code which will be able to communicate with pi web API over Kerberos.
Can someone please help me in solving this problem.-
Re: How to support Pi Web API "Kerberos Authentication" using nodejs/javascript?
gregorNov 24, 2016 12:53 PM (in response to AniketAmrutkar)
Hello Aniket,
Instead of attempting to explain Kerberos authentication with my own words, I prefer using some resources that offer very detailed information:
- How the Kerberos Version 5 Authentication Protocol Works
- Explain like I’m 5: Kerberos
- short note on Kerberos
Let's start looking at the client side requirements ..
Is your 'outside' Mac OS X workstation member of your Windows domain?
Is the user logged on to the workstation a domain user?
Can your workstation communicate to the KDC?
-
Re: How to support Pi Web API "Kerberos Authentication" using nodejs/javascript?
AniketAmrutkar Nov 24, 2016 1:06 PM (in response to gregor)Hi Gregor,
Thanks for the links. I will go through them.
My Setup is :
1. PI Web API Service is running on Azure Box.
2. On Different server my node js server is running on ubuntu. It is mapped to public url. I am accessing this server from mac-
Re: How to support Pi Web API "Kerberos Authentication" using nodejs/javascript?
gregorNov 24, 2016 2:42 PM (in response to AniketAmrutkar)
Hi Aniket,
Which of these machines is member of your domain?
-
Re: How to support Pi Web API "Kerberos Authentication" using nodejs/javascript?
AniketAmrutkar Nov 25, 2016 6:10 AM (in response to gregor)Hi Gregor,
Please ignore my previous post. It was sent by mistake.
Thanks for the links. I will go through them.
My Setup is :
1. PI Web API Service is running on Azure VM Box.
2. On the Different server, my node js server is running on ubuntu. It is mapped to public URL. I am accessing this server from MacBook.
3. I want to connect Pi web API from this server. Basic Authorization works properly here. Now I want to support Kerberos.
4. None of the machines are members of the domain.
5. I am able to access Pi Web API from any other windows machine which is connected to the internet.-
Re: How to support Pi Web API "Kerberos Authentication" using nodejs/javascript?
gregorNov 25, 2016 1:24 PM (in response to AniketAmrutkar)
Hello Aniket,
Kerberos requires all involved machines being member of the same or a trusted domain. If none of your machines is member of a Windows domain, authentication based on Kerberos is not available for you.
-
Re: How to support Pi Web API "Kerberos Authentication" using nodejs/javascript?
v.alvesNov 28, 2016 12:30 PM (in response to gregor)
Hi Gregor,
Considering a situation where the PI Web API is member of a domain (the same one of AF Server, Data Historian and PI Environment).
Is it possible to access the PI Web API from outside the domain? I was able to do so using the browser, when I access the PI Web API url it prompts for log on info and I am able to access the services.
But when I try to do that programatically it issues me a 401 error, even if I try to provide credentials.
Have you ever tried to do that? It seems to me that this situation is very similar to what Aniket Amrutkar is facing.
-
Re: How to support Pi Web API "Kerberos Authentication" using nodejs/javascript?
AniketAmrutkar Nov 28, 2016 12:40 PM (in response to v.alves)Hi Vinícius / Gregor,
From outside the domain, using windows machine I am able to login, but not programmatically I am not able to login.
-
Re: How to support Pi Web API "Kerberos Authentication" using nodejs/javascript?
v.alvesNov 28, 2016 12:52 PM (in response to AniketAmrutkar)
This is the same issue I ran into Aniket Amrutkar.
From blogs and google I have found some posts ( e.g.: Cross-origin Resource Sharing (CORS) and Kerberos (webserver auth) - Giix), but I could not find a solution to that.
As far as I understand, this happens due to some specifities of Kerberos authentication, and perhaps it is necessary to add some library capable of handling it.
-
Re: How to support Pi Web API "Kerberos Authentication" using nodejs/javascript?
gregorNov 28, 2016 1:44 PM (in response to v.alves)
Hello Aniket and Vinicius,
You can verify with the PI Web API Debug log what credentials are provided by the client and what authentication method is used:
- Start Windows Event Viewer
- Select [View] and make sure [Show Analytic and Debug Logs] is checked.
- Under [Applications and Service Logs], locate [PIWebAPI] and expand the child nodes
- Right click [Debug] and chose [Enable Log]
- Attempt to connect to PI Web API, refresh the Debug Log and check the message details.
- Please make sure to [Disable Log] again when you are done.
If you suspect an issue with CORS, please refer to PI Web API 2016 R2 User Guide -> PI Web API Configuration -> Configuration at runtime -> Cross-Origin Resource Sharing. The settings can be found in the Configuration database in Asset Framework under OSIsoft -> PI Web API -> <YourPIWebAPIHostName> -> System Configuration (see Attributes with names CorsXxxx).
-
-
-
-
-
-
-
-
-