9 Replies Latest reply on Aug 8, 2016 1:27 PM by Marcos Vainer Loeff

    PIWebAPI Kerberos/Basic Authentication

    neilg

      Hello,

       

      I have a web application which makes calls to PIWebAPI. It is used in an intranet environment and PIWebAPI is configured as "AuthenticationMethods=Kerberos" which works well.

       

      There is a need to run the web application from a mobile device which is not domain aware (but VPN connected). When PIWebAPI is set up to "AuthenticationMethods=Basic", the password prompt comes up and I am able to enter my user name and password and access PIWebAPI from the mobile device.

       

      However, this causes the password prompt to come up on domain aware devices as well, which is less than ideal. I have tried with "AuthenticationMethods=Kerberos and Basic" but the password prompt always comes up on domain aware and non-domain aware devices.

       

      Question is, is there a way to fall back on Kerberos on a Domain Aware device and to Basic on a non-domain aware device so that domain connected users are not unnecessarily prompted for their username and password? I am open to code suggestions if it is possible at all. The stack I am working with is ASP.NET MVC, JavaScript.

       

      Thanks for any pointers in advance.

        • Re: PIWebAPI Kerberos/Basic Authentication
          Kenji Hashimoto

          If you set both Kerberos and Basic authentications for PI Web API, then the authentication that is used depends on the client application.

          I remember that Google Chrome could not handle multiple authentications in the header information.

          So if it is difficult to figure out how to use both Kerberos and Basic authentication, then one possible way is to use 2 machines for PI Web API. (One is for Kerberos, the other one is for Basic authentication)

          Basic authentication's problem is that the PI Web API Index search crawler could not run with Basic authentication.

          For this issue, we have the following configuration as a CTP (which means that it is still a beta version).

           

          Indexed Search Shared Index CTP White Paper

          https://techsupport.osisoft.com/Downloads/File/53b2552a-2d62-4ae0-aa75-82b02c5a0ac6

          If you use it, the Kerberos authentication machine creates the Indexed Search crawler's indexed files, and the other, Basic authentication machine can search the index files on the Kerberos authentication machine.

           

          Anyway, I can imagine that you want to achieve it by one PI Web API machine.

          Though it is a little bit tricky to configure both Kerberos/Basic authentications simultaneously.

          1 of 1 people found this helpful
          • Re: PIWebAPI Kerberos/Basic Authentication
            Bryan Owen

            As an alternative, this case is on the fringe for investing in a more modern security approach.  The strategy calls for an external identity provider and VPN-less access.

            • Use ADFS to map external identity to a Windows identity
            • Use Web Application Proxy to transform the external claims token to a Windows token

             

            In this way access can be limited to just the application without exposing intAD credentials.

             

            We advocate such a pattern for external access to PI Coresight displays.  The technical approach is viable out of the box for modern browser based applications.  Native mobile apps need to handle the authentication redirects.  ADFS has broad support for external identity providers.  Here is a reference to the hints last presented at the UC 2015 in Prague.

            http://cdn.osisoft.com/corp/en/media/presentations/2015/EMEA2015/PDF/UC15EU03O205_OSIsoft_FedorovandBryanOwen_CyberThrea…

            5 of 5 people found this helpful
            • Re: PIWebAPI Kerberos/Basic Authentication
              Marcos Vainer Loeff

              One idea I had is to develop a custom ASP.NET MVC web application that will redirect to either one of the PI Web API instances (one for Kerberos auth and the other for Basic auth) depending on whether Kerberos authentication is supported for the current client or Basic authentication must be used.

               

              This blog post can help you get started with this web service:

               

              ASP.NET MVC 5 with PI AF SDK: Part 2 - Security

               

              I haven't tested it but I think it should work.
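Added example, not code from any poster in this thread: the routing decision that the redirector proposed in the last reply would have to make, written in JavaScript (the reply suggests ASP.NET MVC; only the logic is shown). It assumes the redirector challenges with `Negotiate` and inspects the `Authorization` header the client sends back; the backend URLs and the function names are hypothetical.

```javascript
// Added illustration; hostnames are hypothetical placeholders.
const BACKENDS = {
  kerberos: 'https://piwebapi-krb.example/piwebapi',
  basic: 'https://piwebapi-basic.example/piwebapi',
};

// DER-encoded mechanism OIDs found inside a GSS-API / SPNEGO token.
const OID_KRB5 = Buffer.from('06092a864886f712010202', 'hex');    // 1.2.840.113554.1.2.2
const OID_MS_KRB5 = Buffer.from('06092a864882f712010202', 'hex'); // 1.2.840.48018.1.2.2
const NTLMSSP = Buffer.from('NTLMSSP\0', 'latin1');               // NTLM message signature

// Classify what a client put in its Authorization header.
// Heuristic only: it looks at the token's framing and never validates a ticket.
function classifyAuthorization(header) {
  if (!header) return 'none';
  const m = /^(\S+)\s+(\S+)$/.exec(header.trim());
  if (!m) return 'unknown';
  const scheme = m[1].toLowerCase();
  if (scheme === 'basic') return 'basic';
  if (scheme === 'ntlm') return 'ntlm';
  if (scheme !== 'negotiate') return 'unknown';

  const token = Buffer.from(m[2], 'base64');
  // A client without a Kerberos ticket may answer Negotiate with raw NTLM.
  if (token.subarray(0, 8).equals(NTLMSSP)) return 'ntlm';
  // GSS-API initial tokens start with the 0x60 application tag.
  const offersKerberos = token.includes(OID_KRB5) || token.includes(OID_MS_KRB5);
  return token[0] === 0x60 && offersKerberos ? 'kerberos' : 'unknown';
}

// Pick the instance to redirect to, or null when nothing was presented yet
// (the caller then answers 401 with "WWW-Authenticate: Negotiate").
function chooseBackend(header, backends = BACKENDS) {
  switch (classifyAuthorization(header)) {
    case 'kerberos': return backends.kerberos;
    case 'none': return null;
    default: return backends.basic; // NTLM, Basic or unparseable
  }
}

// Constructed sample headers (framing bytes only, no real credentials).
const SAMPLE_KRB = 'Negotiate ' +
  Buffer.concat([Buffer.from([0x60, 0x0b]), OID_KRB5]).toString('base64');
const SAMPLE_NTLM = 'Negotiate TlRMTVNTUAABAAAA';
console.log(chooseBackend(SAMPLE_KRB), chooseBackend(SAMPLE_NTLM));
```

The check only routes the request; the PI Web API instance behind each URL still performs the real authentication.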