AnsweredAssumed Answered

How to support Pi Web API "Kerberos Authentication" using nodejs/javascript?

Question asked by AniketAmrutkar on Nov 17, 2016
Latest reply on Nov 28, 2016 by gregor

Like • Show 0 Likes0
Comment • 11

Hi Guys,

I am working on Pi Web API integration.

I am using basic authentication without any problem through my node js code.

Now I want to support kerberos authentication. I have make changes in system explorer to support "Kerberos" authentication.

I am using Google Chrome on MacBook. After making Kerberos related changes, I am not able to login into piwebapi using my browser. getting error : "Authorization has been denied for this request."

However If I try to login from Windows box using chrome browser I can login. Getting following response in /piwebapi/system/configuration :

{

"AuthenticationMethods": [

"Kerberos"

"CorsExposedHeaders": "Allow,Content-Encoding,Content-Length,Date,Location",

"CorsHeaders": null,

"CorsMethods": "GET,OPTIONS",

"CorsOrigins": null,

"CorsSupportsCredentials": false,

"DisableWrites": false,

"MaxReturnedItemsPerCall": 1500000,

"SearchBoosts": [

1.0,

0.8,

0.5,

0.5

"SearchPointAttributes": [

"pointsource",

"instrumenttag",

"location1",

"exdesc"

"SearchScanInterval": 180

}

===========================================================================

I am having two questions :

1. How can I login into Pi Web API from macbook? I visited following article for help but it did not help : https://techsupport.osisoft.com/Troubleshooting/KB/KB01223

2. I am working on integrating Pi Web api , writing code in nodejs.. I am not sure which libraries to use and what approach to take.

I tried using (https://www.npmjs.com/package/node-krb5)

--------- Code Snippet ----------

-------------------------------

Getting following error :
Error: unable to reach any KDC in realm <server-address>, tried 0 KDCs

Can you please help me in this

v.alves

Nov 28, 2016 12:52 PM

Correct Answer

This is the same issue I ran into Aniket Amrutkar.

From blogs and google I have found some posts ( e.g.: Cross-origin Resource Sharing (CORS) and Kerberos (webserver auth) - Giix), but I could not find a solution to that.

As far as I understand, this happens due to some specifities of Kerberos authentication, and perhaps it is necessary to add some library capable of handling it.

See the reply in context

No one else had this question

Outcomes

Marcos Vainer Loeff

Nov 17, 2016 3:36 PM

Hello Aniket,

According to this article, Kerberos authentication can be used from a Mac OS X workstation with Chrome. I've never tried to do this, but I suppose it should work. If you search on the web, you should find many articles about it.

But before doing so, I would first make sure Kerberos works fully on Windows. Make sure that you can get data from the PI Data Archive and PI AF Server as well.

Please refer to this video to set up Kerberos on your domain.

Please let me know if this works for you!

Actions

AniketAmrutkar @ Marcos Vainer Loeff on Nov 24, 2016 10:56 AM

Hello Marcos,

I check on my windows machine I am getting the PI archive data back. I think Kerberos is working properly on my pi web API machine.
I am not sure how to access this from outside ?

I am getting following error when I do : kinit dev-win12@<my sevrer>

Error :

kinit: krb5_get_init_creds: unable to reach any KDC in realm <my server>, tried 0 KDCs

Not sure where to start KDC ? How to map it. I have change my authentication strategy to Kerberos. Nothing else.

Also, I am still trying to write nodejs code which will be able to communicate with pi web API over Kerberos.

Can someone please help me in solving this problem.

Actions

gregor

@ AniketAmrutkar on Nov 24, 2016 12:53 PM

Hello Aniket,

Instead of attempting to explain Kerberos authentication with my own words, I prefer using some resources that offer very detailed information:

Let's start looking at the client side requirements ..

Is your 'outside' Mac OS X workstation member of your Windows domain?

Is the user logged on to the workstation a domain user?

Can your workstation communicate to the KDC?

Actions

AniketAmrutkar @ gregor on Nov 24, 2016 1:06 PM

Hi Gregor,

Thanks for the links. I will go through them.

My Setup is :
1. PI Web API Service is running on Azure Box.
2. On Different server my node js server is running on ubuntu. It is mapped to public url. I am accessing this server from mac

Actions

gregor

@ AniketAmrutkar on Nov 24, 2016 2:42 PM

Hi Aniket,

Which of these machines is member of your domain?

Actions

AniketAmrutkar @ gregor on Nov 25, 2016 6:10 AM

Hi Gregor,

Please ignore my previous post. It was sent by mistake.

Thanks for the links. I will go through them.

My Setup is :
1. PI Web API Service is running on Azure VM Box.
2. On the Different server, my node js server is running on ubuntu. It is mapped to public URL. I am accessing this server from MacBook.
3. I want to connect Pi web API from this server. Basic Authorization works properly here. Now I want to support Kerberos.
4. None of the machines are members of the domain.
5. I am able to access Pi Web API from any other windows machine which is connected to the internet.

Actions

gregor

@ AniketAmrutkar on Nov 25, 2016 1:24 PM

Hello Aniket,

Kerberos requires all involved machines being member of the same or a trusted domain. If none of your machines is member of a Windows domain, authentication based on Kerberos is not available for you.

Actions

v.alves

@ gregor on Nov 28, 2016 12:30 PM

Hi Gregor,

Considering a situation where the PI Web API is member of a domain (the same one of AF Server, Data Historian and PI Environment).

Is it possible to access the PI Web API from outside the domain? I was able to do so using the browser, when I access the PI Web API url it prompts for log on info and I am able to access the services.

But when I try to do that programatically it issues me a 401 error, even if I try to provide credentials.

Have you ever tried to do that? It seems to me that this situation is very similar to what Aniket Amrutkar is facing.

Actions

AniketAmrutkar @ v.alves on Nov 28, 2016 12:40 PM

Hi Vinícius / Gregor,

From outside the domain, using windows machine I am able to login, but not programmatically I am not able to login.

Actions

v.alves

@ AniketAmrutkar on Nov 28, 2016 12:52 PM

This is the same issue I ran into Aniket Amrutkar.

From blogs and google I have found some posts ( e.g.: Cross-origin Resource Sharing (CORS) and Kerberos (webserver auth) - Giix), but I could not find a solution to that.

As far as I understand, this happens due to some specifities of Kerberos authentication, and perhaps it is necessary to add some library capable of handling it.

Actions

gregor

@ v.alves on Nov 28, 2016 1:44 PM

Hello Aniket and Vinicius,

You can verify with the PI Web API Debug log what credentials are provided by the client and what authentication method is used:

Start Windows Event Viewer
Select [View] and make sure [Show Analytic and Debug Logs] is checked.
Under [Applications and Service Logs], locate [PIWebAPI] and expand the child nodes
Right click [Debug] and chose [Enable Log]
Attempt to connect to PI Web API, refresh the Debug Log and check the message details.
Please make sure to [Disable Log] again when you are done.

If you suspect an issue with CORS, please refer to PI Web API 2016 R2 User Guide -> PI Web API Configuration -> Configuration at runtime -> Cross-Origin Resource Sharing. The settings can be found in the Configuration database in Asset Framework under OSIsoft -> PI Web API -> <YourPIWebAPIHostName> -> System Configuration (see Attributes with names CorsXxxx).

Actions

11 Replies

Marcos Vainer Loeff Nov 17, 2016 3:36 PM
Mark Correct
Correct Answer
Hello Aniket,

According to this article, Kerberos authentication can be used from a Mac OS X workstation with Chrome. I've never tried to do this, but I suppose it should work. If you search on the web, you should find many articles about it.

But before doing so, I would first make sure Kerberos works fully on Windows. Make sure that you can get data from the PI Data Archive and PI AF Server as well.

Please refer to this video to set up Kerberos on your domain.

Please let me know if this works for you!
Like • Show 0 Likes0
Actions
- AniketAmrutkar @ Marcos Vainer Loeff on Nov 24, 2016 10:56 AM
  Mark Correct
  Correct Answer
  Hello Marcos,
  
  I check on my windows machine I am getting the PI archive data back. I think Kerberos is working properly on my pi web API machine.
  I am not sure how to access this from outside ?
  
  I am getting following error when I do : kinit dev-win12@<my sevrer>
  
  Error :
  kinit: krb5_get_init_creds: unable to reach any KDC in realm <my server>, tried 0 KDCs
  
  Not sure where to start KDC ? How to map it. I have change my authentication strategy to Kerberos. Nothing else.
  
  Also, I am still trying to write nodejs code which will be able to communicate with pi web API over Kerberos.
  
  Can someone please help me in solving this problem.
  Like • Show 0 Likes0
  Actions
  - gregor @ AniketAmrutkar on Nov 24, 2016 12:53 PM
    Mark Correct
    Correct Answer
    Hello Aniket,
    
    Instead of attempting to explain Kerberos authentication with my own words, I prefer using some resources that offer very detailed information:
    
    How the Kerberos Version 5 Authentication Protocol Works
    Explain like I’m 5: Kerberos
    short note on Kerberos
    
    Let's start looking at the client side requirements ..
    Is your 'outside' Mac OS X workstation member of your Windows domain?
    Is the user logged on to the workstation a domain user?
    Can your workstation communicate to the KDC?
    Like • Show 0 Likes0
    Actions
    - AniketAmrutkar @ gregor on Nov 24, 2016 1:06 PM
      Mark Correct
      Correct Answer
      Hi Gregor,
      
      Thanks for the links. I will go through them.
      
      My Setup is :
      1. PI Web API Service is running on Azure Box.
      2. On Different server my node js server is running on ubuntu. It is mapped to public url. I am accessing this server from mac
      Like • Show 0 Likes0
      Actions
      - gregor @ AniketAmrutkar on Nov 24, 2016 2:42 PM
        Mark Correct
        Correct Answer
        Hi Aniket,
        
        Which of these machines is member of your domain?
        Like • Show 0 Likes0
        Actions
        AniketAmrutkar @ gregor on Nov 25, 2016 6:10 AM
        Mark Correct
        Correct Answer
        Hi Gregor,
        Please ignore my previous post. It was sent by mistake.
        
        Thanks for the links. I will go through them.
        
        My Setup is :
        1. PI Web API Service is running on Azure VM Box.
        2. On the Different server, my node js server is running on ubuntu. It is mapped to public URL. I am accessing this server from MacBook.
        3. I want to connect Pi web API from this server. Basic Authorization works properly here. Now I want to support Kerberos.
        4. None of the machines are members of the domain.
        5. I am able to access Pi Web API from any other windows machine which is connected to the internet.
        Like • Show 0 Likes0
        Actions
        gregor @ AniketAmrutkar on Nov 25, 2016 1:24 PM
        Mark Correct
        Correct Answer
        Hello Aniket,
        
        Kerberos requires all involved machines being member of the same or a trusted domain. If none of your machines is member of a Windows domain, authentication based on Kerberos is not available for you.
        Like • Show 0 Likes0
        Actions
        v.alves @ gregor on Nov 28, 2016 12:30 PM
        Mark Correct
        Correct Answer
        Hi Gregor,
        Considering a situation where the PI Web API is member of a domain (the same one of AF Server, Data Historian and PI Environment).
        Is it possible to access the PI Web API from outside the domain? I was able to do so using the browser, when I access the PI Web API url it prompts for log on info and I am able to access the services.
        But when I try to do that programatically it issues me a 401 error, even if I try to provide credentials.
        Have you ever tried to do that? It seems to me that this situation is very similar to what Aniket Amrutkar is facing.
        Like • Show 0 Likes0
        Actions
        AniketAmrutkar @ v.alves on Nov 28, 2016 12:40 PM
        Mark Correct
        Correct Answer
        Hi Vinícius / Gregor,
        From outside the domain, using windows machine I am able to login, but not programmatically I am not able to login.
        Like • Show 0 Likes0
        Actions
        v.alves @ AniketAmrutkar on Nov 28, 2016 12:52 PM
        Unmark Correct
        Correct Answer
        This is the same issue I ran into Aniket Amrutkar.
        From blogs and google I have found some posts ( e.g.: Cross-origin Resource Sharing (CORS) and Kerberos (webserver auth) - Giix), but I could not find a solution to that.
        As far as I understand, this happens due to some specifities of Kerberos authentication, and perhaps it is necessary to add some library capable of handling it.
        Like • Show 0 Likes0
        Actions
        gregor @ v.alves on Nov 28, 2016 1:44 PM
        Mark Correct
        Correct Answer
        Hello Aniket and Vinicius,
        
        You can verify with the PI Web API Debug log what credentials are provided by the client and what authentication method is used:
        
        Start Windows Event Viewer
        Select [View] and make sure [Show Analytic and Debug Logs] is checked.
        Under [Applications and Service Logs], locate [PIWebAPI] and expand the child nodes
        Right click [Debug] and chose [Enable Log]
        Attempt to connect to PI Web API, refresh the Debug Log and check the message details.
        Please make sure to [Disable Log] again when you are done.
        
        If you suspect an issue with CORS, please refer to PI Web API 2016 R2 User Guide -> PI Web API Configuration -> Configuration at runtime -> Cross-Origin Resource Sharing. The settings can be found in the Configuration database in Asset Framework under OSIsoft -> PI Web API -> <YourPIWebAPIHostName> -> System Configuration (see Attributes with names CorsXxxx).
        Like • Show 0 Likes0
        Actions

How to support Pi Web API "Kerberos Authentication" using nodejs/javascript?

Outcomes

Related Content

Recommended Content

Incoming Links