5 Replies Latest reply on Aug 3, 2016 1:09 PM by anthonylewis

    PI Web API and Kerberos Authentication via PHP

    anthonylewis

      Hi,

       

      I am currently trying to connect to the PI Web API via PHP and when I try to retrieve JSON data, I get a HTTP 401 (unauthorized) header in response. When I use postman to send queries or to get interpolated values it works fine as I think it is using my windows credentials. Does anyone have any examples or ideas as to how I could provide Kerberos authentication within the PHP script so it will authenticate properly. Currently the server is configured to only take Kerberos authentication.

       

      Thank you

        • Re: PI Web API and Kerberos Authentication via PHP
          gregor

          Hello Anthony,

           

          Because your question appeared quite common rather specific to PI web API, I used one of the famous Internet Search engines and found there's an Authentication Services chapter in the PHP Manual.

            • Re: PI Web API and Kerberos Authentication via PHP
              anthonylewis

              Hi Gregor,

               

              Perhaps I should have been more specific. I was already aware that the Kerberos Library for PHP existed, I am just unsure as to how to go about using it with PI Web API. So what I should have asked for to begin with would be a basic example using Kerberos with the PI Web API. If anyone could provide such an example that would be greatly appreciated.

                • Re: PI Web API and Kerberos Authentication via PHP
                  pthivierge

                  Hello Anthony,

                   

                  Here is a sample of a function I use in javacript with angularjs to set the headers of my http requests.  You can see both methods basic and kerberos.

                   

                   

                   service.SetAPIAuthentication = function(authType, userName, password) {
                      authenticationType = authType;
                  
                      switch (authType) {
                        case "Basic":
                          
                          var authInfo = userName + ":" + password;
                          var base64string = btoa(authInfo); // encode to base 64 IE10+
                          initAuthHeaders('Basic ' + base64string);
                          console.log("Authentication set to Basic")
                          break;
                        
                        case "Kerberos":
                           if("Authorization" in $http.defaults.headers.common)
                            delete $http.defaults.headers.common.Authorization;
                            $http.defaults.withCredentials = true;
                            //initAuthHeaders('Negociate');
                            console.log("Authentication set to Kerberos");
                          break;
                      }
                    };
                  

                   

                    service.initAuthHeaders=function (authDetails) {
                      $http.defaults.headers.common.Authorization = authDetails;
                      $http.defaults.withCredentials = true;
                      $http.defaults.timeout=3000;
                    }
                  

                   

                  So as you can see, for Kerberos there is not much to do.

                  If you make a call to https://server/piwebapi/system/userinfo this will give you the information about the identity seen by the PI Web API server.

                   

                  ex:

                  {

                    "IdentityType": "WindowsIdentity",

                    "Name": "Decepticons\\Administrator",

                    "IsAuthenticated": true,

                    "SID": "S-1-5-21-388143713-398Y725904-1701438548-500",

                    "ImpersonationLevel": 3

                  }

                   

                  Hope this helps.

                  2 of 2 people found this helpful
              • Re: PI Web API and Kerberos Authentication via PHP
                Marcos Vainer Loeff

                Hi Anthony,

                 

                I was able to make it work! Here is the code snippet:

                 

                $ch = curl_init ( $url );
                
                curl_setopt ( $ch, CURLOPT_RETURNTRANSFER, true );
                
                curl_setopt ( $ch, CURLOPT_SSL_VERIFYPEER, false );
                
                        curl_setopt($ch, CURLOPT_GSSAPI_DELEGATION, CURLGSSAPI_DELEGATION_FLAG);
                        curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_GSSNEGOTIATE);
                        curl_setopt($ch, CURLOPT_USERPWD, ":");
                
                $result = curl_exec ( $ch );
                
                $json_o = json_decode ( $result );
                
                
                
                
                
                
                
                

                I am using PHP 5.6. Make sure Kerberos is working fine with C# and JavaScript before trying with PHP. Otherwise, it won't work.

                 

                Please let me know if it works for you!

                2 of 2 people found this helpful