10 Replies Latest reply on Jun 13, 2017 7:42 PM by cfoisy

    [-10431] Authentication method is disabled by current server policy

    ssmith

      Final Project

      For an additional step on my final project I would like to install Interface for Perfmon.  But I get the following error on Logging in to Server via Interface Point Creation Application.

       

        • Re: [-10431] Authentication method is disabled by current server policy
          chuck

          Hi Scott

           

          You may need to login with the domain account.  pischool\student01, password:  student

           

           

          Now that I think about this some more, I realize you probably need to create a PITrust for the PIPerfmon interface and another PITrust for the point configuration tool. Method for this is the same as the PITrust(s) you created for PI ICU, Buffering, and the OPC Data Access interface to PI.

          • Re: [-10431] Authentication method is disabled by current server policy
            chuck

            Some questions received via email:

             

            1.  When we did the initial trusts the videos gave us the name SnapE and OPCpE application names.  How do I find the application names for this interface?

            cet>  Application names are published by the application and are contained in the network packets sent to the PI server.  PI-API applications (most interfaces) send four characters of their published name.  Unfortunately the published name isn't always the service name or the executable name.  For example, SnapE is executable apisnap.exe.  The big E on the end of the application name is the media type; E stands for Ethernet.  PI-SDK applications will have the executable name as the application name, for example PI-ICU.exe or PIBufSS.exe.  It can be tricky to know which name to use.  In newer versions of our interfaces, you can use PI-ICU to set the application name to a string of your choosing.  Recommend you stick to the format, e.g. four letters and a big E.

            cet>  To learn the connection requirements (application name, IP address, node name, etc) you can try connecting and then look in the PI Message Log on the interface node and the PI server node to find messages related to the application. 

            cet>  I am old school and usually try to get something working first, figure out why it works, then fix it the way it is supposed to be.  When it comes to trusts and application names I often create a so-called open trust for a node, then run an application or interface on that node.  When things work, I then use the PI Network Manager Statistics plug-in of PI-SMT to view the connection and see the application name, node name, IP address, and trust or Windows credentials the application is using.  Then go to Security, PITrusts in PI-SMT and make a two factor trust for the specific needs of the application.  I then disable the open trust and retest, repeating till things work.

             

            2.  Even though I am installing this interface on the PISRV1 I need a name-based and an IP-based trust (First Assumption)

            cet>  What you describe is the so-called two factor trust.  Such a trust is our recommended best practice.  Alternatively, in some environs you may want to make an application name & host or node name trust.  Commonly interface nodes (on more secure networks) use IP and app name trusts; reporting or calculation or input applications on an office network might use app name and host name trusts.

             

            3.  We created a PI Identity for the Interface and Buffering and mapped to a previously created domain account.  Would I create a new PI Identity and map to a domain or local account?  I.e., can I map to the local student01 account?

            cet>  Yes, you can map to a local user account.  This may be problematic.  In some cases it may be a requirement for the same username and exact password to exist on both nodes, e.g. interface node and PI server.  Mappings and Identities are really designed to be supported by an Active Directory.

             

            4.  Looking online it appeared this interface needed additional security.  Is this table correct?  I did try to map an identity to PIModules Table and I do get an error "At least one PI Identity on the PI Module has zero mapped Windows Principals"

            cet>  The interface probably doesn't need access to modules.  However, the PI-ICU tool does need read/write access to modules. 

             

            | PI Securable object | Access permissions |
            |---|---|
            | PIModules table | RW |
            | %OSI module | RW |
            | %OSI\Interfaces module and all submodules | RW |
            | PIPoint table | RW |
            | Individual PI points (PtAccess or PtSecurity attribute) | RW |
            | PIDS table | RW |

            cet>  I don't recognise this table.  Where did it come from?  Are you looking at this from PI-SMT or another tool?
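
The trust clean-up routine described in the reply above (open trust for a node first, then a two factor trust, then disable the open one), sketched as an added example that is not part of the thread or the vendor's code. The `Trust` record layout, the matching rules, the trust names, the node name `IFNODE` and the 192.0.2.10 address are assumptions constructed for illustration; the matching is a simplified model, not the PI server's own logic.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Trust:
    # Hypothetical record layout for this example, not the PI server's schema.
    name: str
    app_name: Optional[str] = None   # None = any application
    network: Optional[str] = None    # CIDR string; None = any address
    host_name: Optional[str] = None  # None = any host
    enabled: bool = True

def classify(t: Trust) -> str:
    """Label a trust by the factors it actually restricts on."""
    node = bool(t.host_name) or (
        t.network is not None and ip_network(t.network).prefixlen > 0)
    if t.app_name and node:
        return "two-factor"          # app name plus IP or host name
    return "app-only" if t.app_name else "open"

def admits(t: Trust, app: str, ip: str, host: str) -> bool:
    """Simplified matching: every factor the trust sets must agree."""
    if not t.enabled:
        return False
    if t.app_name and t.app_name != app:
        return False
    if t.network and ip_address(ip) not in ip_network(t.network):
        return False
    if t.host_name and t.host_name.lower() != host.lower():
        return False
    return True

def audit(trusts):
    """Names of enabled trusts that are weaker than two-factor."""
    return [t.name for t in trusts
            if t.enabled and classify(t) != "two-factor"]

def admitted_by(trusts, app, ip, host):
    """Names of trusts that would accept this connection."""
    return [t.name for t in trusts if admits(t, app, ip, host)]

# Constructed sample data: trust names, node name and address are made up.
TRUSTS = [
    Trust("open_node_tmp", network="192.0.2.10/32"),
    Trust("snap_if", app_name="SnapE", network="192.0.2.10/32"),
    Trust("icu_tool", app_name="PI-ICU.exe", host_name="PISRV1"),
]
```

While `open_node_tmp` is enabled, any application on 192.0.2.10 is admitted; once it is disabled, only a connection whose application name and address both match `snap_if` gets through.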