10 Replies Latest reply on Jun 16, 2017 10:54 AM by bala

    PI WEB API 2017 HTTP POST request

    bala

      Hi,

      We have upgraded to the latest version of PI-Web-API-2017_1.9.0.266. When doing an HTTP POST, we got a "403 site access denied error" for the below request using Postman:

      https://<webapi_2017_version>/piwebapi/streams/P04SzzIrG8CkGGeNYfKCHNwgWhgAAAQ0hUU1cwMDAyOVwxLiAyNDUgS1YgU0Y2IENJUkNVSVQgQlJBS0VSLkFNQklFTlQgVEVNUEVSQVRVUkU/value

       

      But when using PI-Web-API-2016-R2_1.8.0.201, we could POST the request for the same configuration (BASIC Authentication).

       

      https://<webapi_2016_r2>/piwebapi/streams/P04SzzIrG8CkGGeNYfKCHNwgzhcAAAQ0hUU1cwMDAyOVwxMi41TVZBLVRSQU4tMDEuT0lMIFRFTVBFUkFUVVJF/value

       

      Has anyone faced this issue? Appreciate your help.

       

      Thanks,

      Bala

       

        • Re: PI WEB API 2017 HTTP POST request
          pmartin

          Hi Bala,

           

          Check your AF Configuration database.  It stores information and settings about the PI Web API.

          Under OSIsoft/PI Web API/<your server name>/System Configuration, you should find an attribute named "AuthenticationMethods".  Click on it and verify that the String array contains "Basic" as the only entry.

            • Re: PI WEB API 2017 HTTP POST request
              bala

              Hi Paul,

               

              I have changed the authentication method to only Basic in AF server - But no luck. Still getting the same error.

               

              I have tried in SOAP UI 5.2.0. Changed the authentication to SPNEGO/ Kerberos in the UI after changing the authentication method to Kerberos in AF. Still I am getting the same error.

               

              In the 2016 r2 version of PI web api, we are using both authentication methods - Kerberos for crawling and Basic for application development.

                • Re: PI WEB API 2017 HTTP POST request
                  Kenji Hashimoto

                  Use the PI Web API Admin Utility tool to check that there are no errors for the certificate etc.

                  Does repairing PI Web API 2017 fix the issue? It worked for me when I upgraded the PI Web API.

                  • Re: PI WEB API 2017 HTTP POST request
                    gregor

                    Hello Bala,

                     

                    Can you please check what account you are connected with?

                     

                    The URI for this should be https://<webapi_2017_version>/system/userinfo

                      • Re: PI WEB API 2017 HTTP POST request
                        bala

                        Hi Gregor,

                         

                        Got the below response for both Kerberos and Basic Authentication methods:

                         

                        {
                          "IdentityType": "WindowsIdentity",
                          "Name": "Domain\\username",
                          "IsAuthenticated": true,
                          "SID": "S-1-5-21-1594105604-433220334-1481692675-39430",
                          "ImpersonationLevel": "Impersonation"
                        }

                         

                        The user username is a member of the piadmins group and the piwebapi admins local Windows group. All the systems are in the domain.

                          • Re: PI WEB API 2017 HTTP POST request
                            gregor

                            Hello Bala,

                             

                            The response you shared indicates Kerberos was used (keyword "Impersonation").

                            Within the same browser session, are you able to perform a GET request but the POST to a Data Item fails? If you are using Postman for the POST, please make sure you look for the user account using the same Chrome session.
                            Well this still leaves a few possible reasons why a POST may fail e.g.

                             

                            • Is Chrome complaining about a certificate issue? If so, please make sure you import the certificate to the local Trusted Root Certificate store.
                            • If you are operating across domains, please verify the supported CORS methods. Is POST included? Please also look at the other CORS related settings and compare them against the PI Web API 2016 R2 instance.
                            • If the Attribute you are attempting to update with values has a PI Point Data Reference, your issue could be due to a PI Buffer Subsystem having an active lock on the PI Point.

                             

                            It may be very useful to look at the logs, starting with the Event Logs of PI Web API, over the AF Server logs, Security event logs on all involved machines and finally the PI Message Logs on the PI Web API host and the PI Data Archive host.

                    • Re: PI WEB API 2017 HTTP POST request
                      bala

                      Thanks Gregor.

                       

                      From the log,

                       

                      [PIWebAPI]: CSRF attack from 'IP_Address' under the user identity 'Domain\User' was detected.

                       

                      Finally I have found the answer.

                      By default, CSRFDefense has been enabled by PI Web API 2017. I have disabled it to make the POST request work.

                       

                      Additional info about CSRF:

                      https://techsupport.osisoft.com/Troubleshooting/Alerts/AL00316?_ga=2.243982981.124157096.1497241891-2018677622.1486723046

                       

                      The question is what is the reason for the below error.

                      [PIWebAPI]: CSRF attack from 'IP_Address' under the user identity 'Domain\User' was detected.

                       

                      Thanks,

                      Bala

                        • Re: PI WEB API 2017 HTTP POST request
                          gregor

                          Hello Bala,

                           

                          Thank you for your update. I must admit that I didn't have CSRF Defense on my list of possible reasons, and that I again learned something today.

                           

                          So you found this error in the Windows Event Logs of PI Web API: [PIWebAPI]: CSRF attack from 'IP_Address' under the user identity 'Domain\User' was detected.

                          This error is an explanation of why your POST attempt fails. As described in AL00316, with new installations EnableCSRFDefense is enabled by default. We recommend against disabling Cross-Site Request Forgery Defense but instead using the X-Requested-With HTTP header with POSTs.

                          4 of 4 people found this helpful
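
The approach recommended in the last reply, as an added example that is not part of the thread and not OSIsoft code: it counts the CSRF rejections quoted from the event log per client and identity, then prepares a `streams/{webId}/value` POST that carries `X-Requested-With` so the defense can stay enabled. The host name, WebID placeholder, credentials, log lines, header value `XMLHttpRequest` and the `Timestamp`/`Value` body fields are assumptions made for illustration.

```python
import base64
import json
import re
import urllib.request
from collections import Counter

# Event text as quoted from the PI Web API log in the thread.
CSRF_EVENT = re.compile(
    r"\[PIWebAPI\]: CSRF attack from '([^']*)' "
    r"under the user identity '([^']*)' was detected\."
)

def csrf_rejections(log_lines):
    """Count CSRF-defense rejections per (client address, identity)."""
    hits = Counter()
    for line in log_lines:
        match = CSRF_EVENT.search(line)
        if match:
            hits[match.groups()] += 1
    return hits

def build_value_post(base_url, web_id, value, timestamp, user, password):
    """Prepare (without sending) a streams/{webId}/value POST that carries
    X-Requested-With, so CSRF defense can stay enabled."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    body = json.dumps({"Timestamp": timestamp, "Value": value}).encode()
    return urllib.request.Request(
        f"{base_url}/piwebapi/streams/{web_id}/value",
        data=body, method="POST",
        headers={
            "Authorization": f"Basic {token}",
            "Content-Type": "application/json",
            # Assumed value; the thread names only the header itself.
            "X-Requested-With": "XMLHttpRequest",
        },
    )

# Constructed sample log lines (addresses and accounts are made up).
SAMPLE_LOG = [
    r"[PIWebAPI]: CSRF attack from '192.0.2.10' under the user identity 'EXAMPLE\svc_app' was detected.",
    r"[PIWebAPI]: Request completed for 'EXAMPLE\svc_crawler'.",
    r"[PIWebAPI]: CSRF attack from '192.0.2.10' under the user identity 'EXAMPLE\svc_app' was detected.",
    r"[PIWebAPI]: CSRF attack from '192.0.2.44' under the user identity 'EXAMPLE\jdoe' was detected.",
]

if __name__ == "__main__":
    for (addr, identity), count in csrf_rejections(SAMPLE_LOG).most_common():
        print(f"{count} rejected request(s) from {addr} as {identity}")
```

In Postman the equivalent change is adding an `X-Requested-With` entry on the request's Headers tab.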