1 of 1 people found this helpful
Since a lot of things can go wrong here let me give it a try.
In both cases you are accessing the AF Server (asset server), not the PI Data Archive (data server).
So the 'normal PIadmin user account' must be mapped (either directly or by a group) to an Identity in AF that has sufficient access to the AF database you are accessing.
Hello Floris, yes, the user account is mapped to the piadmin group in AF.
Events Table and XY Plot are CTP features and, like you said, will require "constrained" Kerberos delegation. Constrained delegation is recommended over unconstrained delegation as it is more secure and supports authentication protocol switching.
More detailed information can be found below:
Given the nature of the Events Table, it can be helpful to look at PI Web API's documentation on Kerberos delegation:
Furthermore, the delegations are working fine with the data servers; I am only facing this issue when I try to access the asset servers.
5 of 5 people found this helpful
It could be that AFServer SPNs are missing. To check if they exist, run:
setspn -l domain\af-service-account
The result should look something like this:
Here are the instructions on how to Register SPNs for the PI AF application service
And in AD, in the PI Vision service account's settings, the AFServer service will be listed in the list of trusted services (assuming you are not using the "trust to any service" option) like this:
And here is a general checklist I use a lot for such issues:
-SPNs are created for PIServer (PI Network Manager's service account)
-SPNs are created for AFServer (AF Server's service account)
-SPNs are created for HTTP (PI Vision's service account)
-PI Web API, PI Web API Crawler and PI Vision app pools are using the same account
-Windows Authentication in IIS is enabled and Negotiate is listed first in the provider list
-PI Vision service account is trusted for delegation to PIServer and AFServer services in AD (Delegation tab)
-Client user accounts are NOT marked as "Account is sensitive and cannot be delegated" in AD (Account tab)
-Browsers have Kerberos enabled
-Client users have a mapping (with read permission) on PI Data Archive server
-Client users have read permissions on AF Server
Lubos' blog post on Kerberos
Documentation on PI Vision Kerberos set up
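The AD-side items of the checklist above (SPNs per service class, the delegation tab of the PI Vision account, and the "sensitive" flag on client users) can be verified from PowerShell. This is an added example, not code from this thread or from OSIsoft; it assumes the ActiveDirectory RSAT module, read access to the domain, and placeholder account names (svc-pinetmgr, svc-afserver, svc-pivision, alice, bob).

```powershell
# Added example (not from the original thread). Assumes the ActiveDirectory module;
# all account names below are placeholders and must be replaced with your own.
Import-Module ActiveDirectory

$ServiceAccounts = @{                 # placeholder sAMAccountNames; gMSA names end with '$'
    PIServer = 'svc-pinetmgr'         # PI Network Manager service account
    AFServer = 'svc-afserver'         # AF Server service account
    HTTP     = 'svc-pivision'         # PI Vision / PI Web API / Crawler app-pool account
}
$ClientUsers = @('alice', 'bob')      # placeholder client users who open PI Vision

# userAccountControl bits as documented by Microsoft (not page-specific values)
$NOT_DELEGATED                  = 0x100000   # "Account is sensitive and cannot be delegated"
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation, "use any authentication protocol"

function Get-AdAccount([string]$Sam) {
    # Get-ADObject covers ordinary user accounts as well as gMSAs
    Get-ADObject -Filter "sAMAccountName -eq '$Sam'" -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo', userAccountControl
}

# 1. Each service account must carry SPNs of its service class (same information as "setspn -l")
foreach ($class in $ServiceAccounts.Keys) {
    $acct = Get-AdAccount $ServiceAccounts[$class]
    $spns = @($acct.servicePrincipalName | Where-Object { $_ -like "$class/*" })
    if ($spns.Count -eq 0) { Write-Warning "$($ServiceAccounts[$class]): no $class/* SPN registered" }
    else { Write-Host "$($ServiceAccounts[$class]): $($spns -join ', ')" }
}

# 2. The PI Vision account must be trusted for constrained delegation to PIServer and AFServer
$vision  = Get-AdAccount $ServiceAccounts.HTTP
$uac     = [int]$vision.userAccountControl
$targets = @($vision.'msDS-AllowedToDelegateTo')
if ($uac -band $TRUSTED_FOR_DELEGATION) {
    Write-Warning 'PI Vision account uses unconstrained delegation; constrained delegation is recommended'
}
foreach ($class in 'PIServer', 'AFServer') {
    if (-not ($targets | Where-Object { $_ -like "$class/*" })) {
        Write-Warning "PI Vision account is not trusted to delegate to any $class/* SPN"
    }
}
if (-not ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)) {
    Write-Host 'Note: protocol transition ("use any authentication protocol") is not enabled'
}

# 3. Client users must not be marked "Account is sensitive and cannot be delegated"
foreach ($user in $ClientUsers) {
    if ([int](Get-AdAccount $user).userAccountControl -band $NOT_DELEGATED) {
        Write-Warning "$user is marked sensitive; Kerberos delegation will fail for this user"
    }
}
```

The IIS items (Windows Authentication enabled, Negotiate listed before NTLM) are not covered here and still need to be checked in IIS Manager on the PI Vision server.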
1 of 1 people found this helpful
I would like to add to this list something I found out the other day through the Windows Event Viewer log of the PI Web API in the debug log.
Check with PSE on the machine where the PI Web API service is hosted, in the Connection Manager, what is set as Host. In some situations I had the same 'alias' value for Name and Host. The alias will of course not allow the Kerberos delegation to work, as this is not set in the SPN registration and delegation settings.
May I ask: is this an official recommendation? "PI Web API, PI Web API Crawler and PI Vision app pools are using the same account"
At the moment I haven't found that in the documentation, but I have only had a brief look around.
Currently we have some troubles in our project; it seems that this recommendation could be very useful, but we need some proof based on manuals or something else.
Thank you !
2 of 2 people found this helpful
Here is the proof.
If the PI Web API and PI Web API Crawler were not installed using the custom PI Vision service account, open the PI Web API Utility and change the service account for API Service and Crawler Service.
- API Service: if you created a custom PI Vision service account, choose Custom from the drop-down menu and enter the account name (domain name\account name) and password. Click the Test button and then click OK.
- Crawler Service: if you created a custom PI Vision service account, choose Custom from the drop-down menu and enter the account name (domain name\account name) and password. Click the Test button and then click OK.
Reference: PI Vision
Eugene, thank you very much! Your help is very (very-very) appreciated !
One more question about this topic. How should SPNs and delegation be configured if we're using AF Server in a Windows failover cluster? Assume, for example, that we have two cluster nodes, AF1 and AF2, and cluster name AFC in domain example.com.
Assuming your AF Server's service account is a domain account or a group managed service account (GMSA), then the SPNs should be named this way.