Yes, this is not only possible, but is how all of the client applications from OSIsoft behave. The same method you use to connect to a local PI System can be used to connect to a remote PI System. The basic examples that come with the AFSDK documentation are a good start with this:
The key thing when connecting to remote servers is that your application has sufficient permissions to access the data you want. There are different ways of handling this, such as passing a NetworkCredential object when you explicitly call PISystem.Connect(), or running your application under specific credentials (like a Windows service running under a domain account for example). I would generally opt for the second of these options so that I don't need to either hardcode credential information, or write additional code to capture current credentials, unless I'm writing an application intended to be used by multiple users.
Please allow me to complement your answer with the maybe obvious. If the code does not include providing specific credentials, the application will attempt authenticating with the credentials of the user executing the process.
Yes, most definitely. I guess this was implied in my response, but perhaps obscured by highlighting service account credentials as an example rather than executing user credentials. Good call Gregor, thanks for bringing that to the fore.
Hi John,
Thanks for the reply.
I am new to AF SDK and trying to understand how we can connect to a PI Server from a client machine.
I understand from your reply that we can connect to a PI Server from a client machine using Network Credentials.
Using Network Credentials we can pass in the username, password and domain name. But I am not sure where we mention which server to connect to.
My PI Server / AF Server was installed on the machine 'OSIServer' and the Instance Name is 'AFInstance'.
My AF Client Server machine is 'OSIClient', from which I am trying to connect to AFInstance on the OSIServer machine. Both the server and the client are in the same network.
I understand we can pass in the username, password and domain information. But I am not sure where I will configure or mention the server to connect to from my client.
As I am new to AFSDK, I might be missing some context or knowledge and am looking for the ways. Could you please mention the steps if I am missing any information?
Do we need to configure any specific tool / provide specific access on my client machine to connect to the server?
Thanks John for your positive support.
Main thing you need on the client machine is an entry in the Known Servers table for either AF or PI. If you can connect to the required AF server using PI System Explorer on your client machine, and can connect to the PI Data Archive using the PISDK Utility, then no further specific configuration is needed on the client.
In your AFSDK code, you will be working with two object types - a PISystems object, and a PISystem object. The first represents the collection of known PISystems (or AF servers) - this is what you would see in the PI AF Servers list in PI System Explorer. The second object (PISystem) is a specific instance of an AF server. So your initial connection code might look a bit like the following:
var piSystems = new PISystems();
var piSystem = piSystems["MyAFServer"];
piSystem.Connect();
The piSystems variable represents the collection of known AF servers, and the piSystem variable is initialised to a specific server instance. This bit of code could even be shortened to
var piSystem = new PISystems()["MyAFServer"];
Then when you call the Connect() method on your PISystem instance, you can decide whether to pass a NetworkCredential object, or as in the example above, implicitly pass the credentials of the user executing the code.
Hi John,
Thanks for your reply. I tried different options and had a bit of luck in progressing, but I am not completely able to solve the problem.
Let me explain the example I am working on:
Client App Domain: local, user: alapati
AF Server Domain: data365, user: dataadmin
As explained above, the App Server is in a different domain than the AF Server.
From the AF Server I am able to connect using PI System Explorer and PI SDK Utility.
From the Client App Server, I am able to connect using the PI System Explorer. In the PI System Explorer I mentioned the AF Server details and the port; using the Windows credentials of the AF Server (data365/dataadmin) I am able to connect to the AF Server using the client PI System Explorer. From the client PI System Explorer, I am able to see the data for element attributes as well.
From the Client App Server, I am not able to connect to PI SDK Utility. I am trying the option Connect as and providing the data365/dataadmin account and password, and getting an access denied error. When I checked in the log file on the server, I see the following error.
Unsuccessful login ID: 373. Address: 184.108.40.206. Name: PISDKUtility.exe(2208):Method: Explicit Login. Error: [-12001] Name Not Found in PInt, pinetmgr, , , , , , , , , , ,
I tried from my client C# application code to connect and to get values from the data archive server.
NetworkCredential credential = new NetworkCredential("dataadmin", "zzzzz", "data365");
PISystems piSystems = new PISystems();
PISystem MySystem = piSystems["osiserver"];
// The explicit credential is passed on the AF Server connection
MySystem.Connect(credential);
I am able to successfully connect and get the needed database, templates, etc. from the AF Server.
But when using the method
IEnumerable<AFValues> values = attributes.Data.RecordedValues(timeRange, AFBoundaryType.Inside, null, false, pageConfig, 0);
I am getting the following error
Windows authentication trial failed because the authentication method was not tried. Trust authentication trial failed because insufficient privilege to access the PI Data Archive.
Using the PI System Management Tool, I created a new Identity and mapped the identity to the user on the server domain account. I also created a Trust to allow connections from the Client App Server and provided the Domain and User Account. But still, when calling the above method (attributes.Data.RecordedValues(timeRange, AFBoundaryType.Inside, null, false, pageConfig, 0);), I can check in the server logs that, instead of the network credentials passed in to connect to the PISystem, the details of the client user who is running the code are being sent.
In this case I can check in the server log:
7/18/2016 12:28:36.90762 PM, , Information, Unsuccessful login ID: 408. Address: 220.127.116.11. Name: ConsoleApplication3.vshost.exe(41904):remote. Credentials used: local\alapati. Method: Trust. Error: [-10413] No trust relation for this request, pinetmgr, , , , , , , , , , ,
7/18/2016 12:28:36.90746 PM, , Debug, Trust request from: \|alapati|10.1.1.10|ConsoleApplication3.vshost.exe failed: [-10413] No trust relation for this request (0), pibasess,
, , , , , , , , , ,
I tried all different options but am not able to get the values for the attributes using AFSDK; it is always sending the local user account instead of the Network user details.
I think I am missing some configuration or have some knowledge gap. Could you please assist with what I am doing wrong here / what I am missing?
Thanks John for your positive support and responses.
Hi Gavin. Almost correct!
The code is correct for passing network credentials to the AF Server, but the PI Server assumes the current identity in the process. In your case the client node is using the local user 'local\alapati' which must be mapped to an identity on the PI Server.
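The diagnosis above comes from reading which account the PI Data Archive actually recorded in its message log. As an added example (not part of the original thread and not OSIsoft code), the following Python script parses "Unsuccessful login" entries shaped like the two quoted earlier and reports those where the recorded account differs from the one the application meant to use. The field patterns and the sample lines are assumptions constructed from those entries.

```python
import re

# Field patterns for "Unsuccessful login" messages, inferred from the two
# entries quoted in the thread (an assumed format, not a documented one).
FIELDS = {
    "login_id": re.compile(r"Unsuccessful login ID: (\d+)"),
    "address": re.compile(r"Address: (\d+(?:\.\d+){3})"),
    "process": re.compile(r"Name: (.+?)\(\d+\)"),
    "credentials": re.compile(r"Credentials used: (.+?)\. Method:"),
    "method": re.compile(r"Method: (.+?)\. Error:"),
    "error_code": re.compile(r"Error: \[(-?\d+)\]"),
}

def parse_failed_login(line):
    """Return the fields of one failed-login entry, or None for other lines."""
    if "Unsuccessful login ID:" not in line:
        return None
    event = {}
    for name, pattern in FIELDS.items():
        match = pattern.search(line)
        event[name] = match.group(1) if match else None
    return event

def identity_mismatches(lines, expected_account):
    """Failed logins where the server saw an account other than the expected one."""
    hits = []
    for line in lines:
        event = parse_failed_login(line)
        # Entries without "Credentials used" (the thread's explicit login) are skipped.
        if event is None or event["credentials"] is None:
            continue
        if event["credentials"].lower() != expected_account.lower():
            hits.append(event)
    return hits

# Constructed sample input modelled on the thread's log entries; the
# addresses are documentation-range placeholders.
SAMPLE_LOG = [
    r"7/18/2016 12:28:36.90762 PM, , Information, Unsuccessful login ID: 408. Address: 192.0.2.10. Name: ConsoleApplication3.vshost.exe(41904):remote. Credentials used: local\alapati. Method: Trust. Error: [-10413] No trust relation for this request, pinetmgr",
    r"Unsuccessful login ID: 373. Address: 192.0.2.10. Name: PISDKUtility.exe(2208):Method: Explicit Login. Error: [-12001] Name Not Found in PInt, pinetmgr",
    r"7/18/2016 12:28:36.90746 PM, , Debug, Trust request from: \|alapati|192.0.2.10|ConsoleApplication3.vshost.exe failed: [-10413] No trust relation for this request (0), pibasess",
]

if __name__ == "__main__":
    # The application intended data365\dataadmin; report what arrived instead.
    for hit in identity_mismatches(SAMPLE_LOG, r"data365\dataadmin"):
        print(hit["process"], hit["credentials"], hit["method"], hit["error_code"])
```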
Hi Charles,
Thanks for your help. I mapped my domain user to an OSIsoft user and allowed the Trust Connection from my Server. It is working now.
I am not sure if this is the case but if you are developing a web app with many users with different security privileges on the PI System, you might want to impersonate the user account. PI AF SDK already allows you to do that. Please refer to the ASP.NET MVC 5 with PI AF SDK: Part 2 - Security blog post for more information.
Hope this helps!
Maybe you can create a trust with the PI SMT tool and grant access to the client machine where your application is running.