2 Replies Latest reply on Aug 9, 2016 9:59 PM by SvenBatalla

    gMSA Impersonation to PI-AF


      We are currently working on an internet-facing web application that connects to PI-AF to retrieve content and data.  The difference between this application and others that we have done in the past is that when an end-user uses our application, it is that user's credentials that need to be passed to PI-AF for authentication purposes.  This is not a direct connection, but one that goes through multiple hops.  Our question is regarding Group Managed Service Accounts (gMSA) and impersonation.


      For a bit of clarity, our application has a WebAPI that uses the PI-AFSDK.  The user logs into the application with valid Active Directory (AD) credentials that get passed through the Web API and then the PI-AFSDK.


We are impersonating the WindowsIdentity with the user principal name (UPN).  This all works fine when using an AD user for the Microsoft IIS app pool with a service principal name (SPN) and delegation set up.  However, we want to use the gMSA for the app pool instead.  Unfortunately, when we configure it this way, we get the following issue:


      [CommunicationException: Cannot connect to server 'PiServer'. Please examine connectivity to the remote PI AF Server as well as ensuring the impersonated client user can be delegated to the server.]

         OSIsoft.AF.Support.AFProxy.Reconnect(AFCollectiveMember member, Boolean autoPrompt, Boolean raiseEvents, AFConnectionPreference preference) +645

         OSIsoft.AF.Support.AFProxy.Connect(AFCollectiveMember member, Boolean userSpecified, Boolean updatePreference, Int32 numRetries, IWin32Window owner, AFConnectionPreference preference) +1592

         OSIsoft.AF.PISystem.Connect(Boolean autoPrompt, IWin32Window owner, AFConnectionPreference preference) +183

         OSIsoft.AF.PISystem.Connect() +100

         ApplicationNameSpace.PiConnection() +1625


      After the WindowsIdentity is impersonated, the "ImpersonationLevel" is “Impersonation”, but when calling "Connect" to PI, the above error happens.  We are wondering if the impersonation with a gMSA is (a) supported, (b) has been done, and (c) how exactly it was achieved.  If so, is there a developer reference for how to make this all work?

        • Re: gMSA Impersonation to PI-AF

          Have you enabled the gMSA account for delegation (and created the necessary SPNs for it)?


          I've just run a quick test and configured Coresight IIS AppPools to run under my Test gMSA account (TgMSA), for which I've added HTTP SPNs and allowed it to delegate to PI Server, and it works fine (in other words, it seems to work just as a standard domain account or managed service account would).


          Highlighted are the attributes I've changed (right click the gMSA account > Properties > Attribute Editor):

          Our security gurus Harry Paul or Bryan Owen might have additional details.
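As an added example (not part of this thread and not OSIsoft's or Microsoft's own code), the AD-side setup the reply describes, scripted in PowerShell so the attributes can be set and checked without the Attribute Editor. Every name is an assumption: domain contoso.com, IIS host WEB01, site name portal.contoso.com, PI AF Server AFSERVER01, gMSA webgmsa. The AF server SPN form `AFSERVER/<host>` is what the PI AF Server service registers in a default install, but confirm it with `setspn -L` on the AF server first. The script grants constrained delegation to the AF server SPN only and never enables unconstrained delegation (`TrustedForDelegation`).

```powershell
# Added example: provision a gMSA for the IIS app pool, register HTTP SPNs on it,
# and allow Kerberos constrained delegation from it to the PI AF Server.
# Assumed names: domain contoso.com, IIS host WEB01, AF server AFSERVER01, gMSA webgmsa.
# Run as a Domain Admin with the ActiveDirectory RSAT module; assumes the KDS root key exists.
Import-Module ActiveDirectory

$gmsaName   = 'webgmsa'              # assumed
$webHost    = 'WEB01'                # assumed
$siteFqdn   = 'portal.contoso.com'   # assumed host header users browse to
$afHost     = 'AFSERVER01'           # assumed
$domainFqdn = 'contoso.com'          # assumed

# 1. Create the gMSA with an HTTP SPN for every name the site answers on.
#    Only the web server's computer account may retrieve the managed password.
$spns = @("HTTP/$webHost", "HTTP/$webHost.$domainFqdn", "HTTP/$siteFqdn")
New-ADServiceAccount -Name $gmsaName -DNSHostName "$gmsaName.$domainFqdn" `
    -ServicePrincipalNames $spns `
    -PrincipalsAllowedToRetrieveManagedPassword "$webHost$" `
    -KerberosEncryptionType AES128,AES256

# 2. Constrained delegation: msDS-AllowedToDelegateTo lists only the AF server SPNs.
#    Verify the SPN form on the AF server with: setspn -L <AF service account or host>
$afSpns = @("AFSERVER/$afHost", "AFSERVER/$afHost.$domainFqdn")
Set-ADServiceAccount -Identity $gmsaName -Add @{ 'msDS-AllowedToDelegateTo' = $afSpns }

# 3. The web app impersonates by UPN after its own login, so IIS never holds the
#    user's Kerberos ticket. A forwardable S4U2Self ticket requires protocol
#    transition ("Use any authentication protocol"), i.e. TRUSTED_TO_AUTH_FOR_DELEGATION.
#    Skip this step if IIS uses Windows authentication and already has the user's ticket.
Set-ADAccountControl -Identity $gmsaName -TrustedToAuthForDelegation $true

# 4. On WEB01, install the account and confirm it can retrieve its password:
#    Install-ADServiceAccount -Identity webgmsa
#    Test-ADServiceAccount  -Identity webgmsa    # expect True

# 5. Verification of the attributes the Attribute Editor shows, decoded from userAccountControl.
$acct = Get-ADServiceAccount -Identity $gmsaName -Properties servicePrincipalName,
    'msDS-AllowedToDelegateTo', userAccountControl
$uac = [int]$acct.userAccountControl
[pscustomobject]@{
    Name                        = $acct.Name
    SPNs                        = $acct.servicePrincipalName -join ', '
    AllowedToDelegateTo         = $acct.'msDS-AllowedToDelegateTo' -join ', '
    TrustedToAuthForDelegation  = ($uac -band 0x1000000) -ne 0   # want True for step 3
    TrustedForDelegation        = ($uac -band 0x80000)   -ne 0   # want False (unconstrained)
} | Format-List

# 6. The error text also blames the impersonated user: an account marked
#    "sensitive and cannot be delegated" (or in Protected Users) can never be delegated.
$user = 'jsmith'   # assumed test user
Get-ADUser -Identity $user -Properties AccountNotDelegated, MemberOf |
    Select-Object SamAccountName, AccountNotDelegated,
        @{ n = 'ProtectedUser'; e = { $_.MemberOf -match 'CN=Protected Users' } }
```

The check in step 6 is the one to run before changing anything on the gMSA: if the test user has AccountNotDelegated set or sits in Protected Users, no delegation configuration on the app pool account will make the AF connection succeed.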

            • Re: gMSA Impersonation to PI-AF



              Thank you so much for the reply.  I will find out what we've done so far.  From what I understand, we guessed it would be a configuration of some kind that we were (to date) unable to locate.  So I'll find out if we've done what you're saying to do and respond accordingly.  Likely you're right.  I should know tomorrow.