Message was edited by: Jarita Sirois (Removed information that was sensitive.)
If you have access to the PI Server, you should check the message logs there. They will reveal why the connection was not accepted.
Easiest way to check is to connect to the PI Server with SMT and then check the logs from Operation > Message Logs.
Please check this KB article: KB00865 - Trusts for PI Interfaces
Our recommendation is to use the more secure trusts explained in the document. This means using your application name in addition to other parameters in the trust.
Hope this helps,
I am just curious. If you want to connect to the PI Server using PI Trusts, why do you need to type the username and password?
It seems that you are using PI API to connect to the PI Data Archive. If you plan to rewrite your application, we recommend using PI AF SDK with WIS (Windows Integrated Security) to connect to the PI Data Archive instead of PI Trusts. That is for sure a better solution to secure your environment.
We are currently using the PI API to connect to a PI server, however we are having a few authentication issues. We are able to connect to the PI Server by lowering the system security from ‘Disable explicit login’ to ‘Disable explicit login for piadmin’ (See image below), however this disables active directory security to the PI Server.
Is there any way we can allow exceptions for our application to connect without disabling the active directory security?
Or force a pass through of active directory credentials to allow connection?
Does "Disabling the active directory security" mean that client machines don't connect by PI Mapping?
If so, it depends on protocol order.
You can check it from client machine's About PI SDK (PI SDK Utility) > Connections > Options
If the above one is Default User in Protocol order, then the client machine try explicit login.
With "Disable explicid login" settings, it is not possible to use explicit login from the custom application.
We have a PI-API based custom application which we develop. our issue is we cannot connect to our PI Server with Disable Explicit login is enabled. we have tried to create a PI trust on it but it also failed to connect. this is the error on PI SMT:
Message ID = 7054, which contains text "No trust established for: <identifyingString>. Explicit login is required for access " Message ID = 7140, which contains text "Timeout expired for unauthenticated API Connection. would able to give us a solution?
Message ID 7054 means that your trust configuration is not picked up by the connecting application. Try removing some parameters to the trust and connect your application again. Once you succeeded to connect you may go to the Network Manager statistics pane in PI SMT and look at the connection details, that will help you to see the incoming connection parameters and you can copy paste them in your trust configuration to make it more secure once you have connected already once.
Configuring a trust must be done in an iterative way, otherwise it may be difficult: start simple ( i.g only with single IP address and network mask 255.255.255.255 ) and create a first connection. Use the info from PI Network manager to make it more secure. (KB00865 - Trusts for PI Interfaces)
Keep an eye on PI Server Message Logs each time you try to connect, that will tell you what is happening.
Hope this helps,
Explicit logons are disabled by default.
This policy stems from security alert AL00206 in 2009. In short, the PI password authentication method is not secure.
Security Alert: PI Authentication Weakness
Retrieving data ...