4 Replies Latest reply on Jul 6, 2017 7:07 AM by mvisconte

    Issues with AF SDK in an MVC Application

    mvisconte

      Hello,

      In an .NET MVC Application, using Windows Authentication and Impersonation, I am facing an issue with connection to the distant servers.

      The code used is as follows (its VB.NET, but I think it is straightforward enough and that C# experts won't mind )

       

      Shared Sub FillTagsPI(beginTime As DateTime, endTime As DateTime, TagList As List(Of String))

                  Dim oPIServers As New PIServers()

                  Dim oAFTimeRange As New AFTimeRange With {.StartTime = New AFTime(beginTime), .EndTime = New AFTime(endTime)}

                  Dim oPIServer As PIServer = oPIServers("myserverhostname")

                  Dim oPointList As PIPointList = New PIPointList(PIPoint.FindPIPoints(oPIServer, TagList))

                     ... ...

       

      While this works perfectly fine locally, as soon as I push it to the server, I get an Exception:

      Cannot connect to the PI Server. Windows authentication trial failed because insufficient privilege to access the PI Server. Trust authentication trial failed because insufficient privilege to access the PI Server.

      With the stack trace

      at OSIsoft.AF.PI.PIException.ConvertAndThrowException(PIServer piServer, Exception ex, String message)

      at OSIsoft.AF.PI.PIServer.RemoteConnect(AFConnectionPreference preference, NetworkCredential credential, PIAuthenticationMode authenticationMode)

      at OSIsoft.AF.PI.PIServer.InternalConnect(Int32 numRetries, IWin32Window owner, AFConnectionPreference preference, NetworkCredential credential, PIAuthenticationMode authenticationMode)

      at OSIsoft.AF.PI.PIServer.AutoConnect(Boolean allowDirectConnect, Boolean force)

      at OSIsoft.AF.PI.PIPoint.FindPIPoints(PIServer piServer, IEnumerable`1 names, IEnumerable`1 attributeNames)\

      at FillTagsPI(DateTime beginTime, DateTime endTime, List`1 TagList)

       

      I have checked impersonation, using the Environment.CurrentUser variable just before the call to FindPIPoints, and it is working properly.

      Since it works on my development machine, and that I am able to get values using the standard Osisoft tools, such as Process Book, I'd say that the access rights are set properly.

       

      I am out of ideas on what could cause these connection errors, and very eager to get any pointers on possible causes.

      Please note that due to company policy, remote access to the Web Server is not obvious, but can be arranged if needed.

       

      Thanks a lot.

        • Re: Issues with AF SDK in an MVC Application
          Eugene Lee

          Hi Maxime,

           

          Can you have a look at the PI Message logs on the PI Data Archive machine during the time of connection to see what the MVC application is trying to come in as? From there, you should be able to see the windows user that is trying to authenticate or the IP address that is trying to get a trust.

           

          Is your PI Data Archive on a different machine from your web servers or is it on the same machine as the development web server?

          1 of 1 people found this helpful
            • Re: Issues with AF SDK in an MVC Application
              mvisconte

              Hello, and thanks a lot for your help,

               

              I'll try and coordinate with IT go check out the message log. (Is there any way I can access a remote PI Message log, using the AF SDK?)

              There is 3 different machines.

              - The PI Data Archive

              - The development machine (from which I can access the PI Data Archive)

              - The web server (on which the error is triggered)

               

              --

               

              Edit: After checking the message log, it appears to be a 'double-hop' issue, and, as such, outside of OSIsoft scope.

              Thanks a lot for your help,

              1 of 1 people found this helpful
            • Re: Issues with AF SDK in an MVC Application
              gachen

              Lubos Mlcoch has a great blog post on configuring Kerberos here, in case you would like a reference on the necessary configuration/things to check.

               

              The post uses PI Coresight/Vision as an example, but the same principles should apply for your MVC app.