4 Replies Latest reply on Apr 29, 2016 6:25 AM by JensPr

    Crawler not starting + IsConnected=false

    JensPr

      Hi there,

      we managed to get PI Web API installed on one of our servers. It is in the same domain as our PI server.

      Though I can access the PI Web API buy the browser (IE) there is something strange with the crawler:

       

      When I add the PI system as a database, it does accept it, but there does not show up a green checkmark on the tile representing the database.

      Also it does not start to crawl and I have no idea why. It says "Not yet crawled" forever. :-(

      We looked at the services (Web API + Crawler) and they are both up and running.

       

      What can we do to tackle this problem? I watched the help files video, but these did not lead me to success. What could I have overseen?!

       

      My local IT and me run out of ideas. If anyone can give us some hints to troubleshoot, that would be very nice.

       

      Two more information: I am pretty sure that we have Kerberos and used an PI admin account to log into the web page. Second: When we go to the home page of the Web API there is an entry in that servers information stating "Isconnected=false"
      Could this be part of the problem?

        • Re: Crawler not starting + IsConnected=false
          Marcos Vainer Loeff

          Hi Jens,

           

          What I suggest you to do is to solve PI Web API first and then check if PI Coresight works properly.

           

          There are lot of issues when customers try to crawl new databases because although PI Web API works with Anonymous, Basic and Kerberos authentication methods, you must be using Kerberos only in order to crawl or rebuild an AF database or PI Data Archive. Once the database has been crawled, you do not need Kerberos in order to be able to search. Anonymous and Basic Authentication methods can also be used to search.

           

          Therefore, the first step is to open PI System Explorer and go to the Configuration database. Find the System Configuration element of your PI Web API instance. It should be under OSIsoft\PI WebAPI. Check the value of the AuthenticationMethods and make sure “Kerberos” is the only option available. Make sure to check in your changes.

          You can use the link below in order to make sure that PI Web API has picked up the changes:

           

          https://your-web-server-name/piwebapi/system/configuration

           

          Make sure that Kerberos is well configured on the domain controller including delegation. Also, check if PI Web API and PI Web API Search crawler services have privileges to access the PI System resources. Before trying to rebuild the crawler, make sure the core services of PI Web API are running properly with Kerberos only.

           

          The next step is to check the SSL certificate. Is it a valid one?  Is it a self-signed certificate? Have you trusted the certificate in the client?

           

          Another ideas is to check the logs:

           

          • PI Web API logs through Windows Event Viewer on the web server running PI Web API
          • PI Message Log on the PI Data Archive you are trying to crawl
          • AF logs on the Windows Event Viewer on the PI AF Server whose AF database you are trying to crawl

           

          Hope this helps!

            • Re: Crawler not starting + IsConnected=false
              JensPr

              This is awesome good advice.. Thank you so much so far...

              We will check out all your recommendations tomorrow when IT is back.

               

              So far we are at the point to make sure that delegation works and the proper user is forwarded to the PI data server.

              As far as I understand: It is the user that has been authenticated that is been forwarded and the serviceaccount the pi web api crawler runs on forwards (delegates) it to the pi server?!

               

              In our case the situation is really complicated: Pi server is in domain A, web api there too. But user comes from another (B) domain and that one has no trust relationship.. thus the server the pi web api runs on can not authenticate the user... or the user has to provide credentials for a Domain A user.

               

              (You see where this is going, especially when the server we are building our web app on is even on another Domain.. so we we have Domain A,B,C.. so after Kerberos-Crawl has run we go back to anoynmous for a while.)

                • Re: Crawler not starting + IsConnected=false
                  Marcos Vainer Loeff

                  Hi Jens,

                   

                  Without a domain trust, Kerberos won't work. You will have to use Basic but as I told you, you cannot crawl a database using Basic authentication.

                   

                  Here is what I suggest you to do:

                   

                  - Change the AuthenticationMethods to Kerberos

                  - Set up Kerberos properly within domain A

                  - Crawl all the databases you want, using any client from domain A

                  - Change the AuthenticationMethods back to Basic so all client from the other domains can access PI Web API

                   

                  All of your clients will be able to use the search using Basic authentication. But if you need to crawl a new database or rebuild an existing one, you will have to follow this procedure again.

                   

                  Hopefully, on upcoming releases of PI Web API, we will have a better solution for your use case.

                  3 of 3 people found this helpful
                    • Re: Crawler not starting + IsConnected=false
                      JensPr

                      Thank you so much for these straight forward instructions.

                       

                      One final question: What if we set to anonymous authentication instead of basic? Would that work?

                      My question then is, which user account is delegated by the PI web api service to the PI server?

                       

                      .. and with Basic authentication, is then username/password forwarded and we have to configure this as an extra user on the PI server?