We are currently working on an internet-facing web application that connects to PI-AF to retrieve content and data. The difference between this application and others that we have done in the past is that when an end-user uses our application, it is that user's credentials that need to be passed to PI-AF for authentication purposes. This is not a direct connection, but one that goes through multiple hops. Our question is regarding Group Managed Service Accounts (gMSA) and impersonation.
For a bit of clarity, our application has a WebAPI that uses the PI-AFSDK. The user logs into the application with valid Active Directory (AD) credentials that get passed through the Web API and then the PI-AFSDK.
We are impersonating the WindowsIdentity with the user principle name (UPN). This all works fine when using an AD user for the Microsoft IIS app pool with service principle name (SPN) and delegations setup. However, we want to use the gMSA for the app pool instead. Unfortunately, when we configure it this way, we get the following issue:
[CommunicationException: Cannot connect to server 'PiServer'. Please examine connectivity to the remote PI AF Server as well as ensuring the impersonated client user can be delegated to the server.]
OSIsoft.AF.Support.AFProxy.Reconnect(AFCollectiveMember member, Boolean autoPrompt, Boolean raiseEvents, AFConnectionPreference preference) +645
OSIsoft.AF.Support.AFProxy.Connect(AFCollectiveMember member, Boolean userSpecified, Boolean updatePreference, Int32 numRetries, IWin32Window owner, AFConnectionPreference preference) +1592
OSIsoft.AF.PISystem.Connect(Boolean autoPrompt, IWin32Window owner, AFConnectionPreference preference) +183
After the WindowsIdentity is impersonated, the "ImpersonationLevel" is “Impersonation”, but when calling "Connect" to PI, the above error happens. We are wondering if the impersonation with a gMSA is (a) supported, (b) has been done, and (c) how exactly it was achieved. If so, is there a developer reference for how to make this all work?