PI-SDK ASP.NET Impersonation and Windows Authentication

Discussion created by rohanar on Feb 7, 2012
Latest reply on Feb 8, 2012 by rohanar

We’re having difficulties using the PI-SDK on an ASP.NET 4.0 website and the ServerManager object. I've been through all relevant threads on the forum related to this issue, without success. Any help would be greatly appreciated. The intention is to pass the Windows Authentication identity of the user through to the PI-SDK so that access to tags is controlled completely by PI. Has anyone had any luck getting this to work? Our settings are as follows:


1. PI 2010 Server and IIS are hosted on separate machines within the same domain.
2. Impersonation = True in web.config
3. Authentication Mode = Windows in web.config
4. All other forms of Authentication are disabled on the Virtual Directory in IIS
5. Running on IIS in Windows 7 and Windows 2008.
6. ASPCompat = True in all ASPX pages calling PI




When IIS and PI are hosted on the same machine, Impersonation succeeds and correct credentials are passed based on PI logs. On separate machines, incorrect credentials are passed and Impersonation fails. However, in an environment with two PI Servers, this scenario is not sufficient. The only way we’ve found around this is to modify the Domain Controller such that the machine hosting IIS is given Delegation privileges: “Trust this computer for delegation to any service (Kerberos only)”, found in AD Users and Computers (select the IIS host computer and modify Properties). See screenshot below. Is there any way around modifying the Domain, as it's unrealistic in a large-scale production environment?




Here’s a consolidated code snippet:


        ' Look up the PI server named in the form and read the tag's snapshot value
        Dim myPIServerManager As New PISDK.ServerManager
        Dim myServer As PISDK.Server = myPIServerManager.Item(txtServer.Text)
        Dim myPoints As PISDK.PIPoints = myServer.PIPoints
        Dim myValue As PISDK.PIValue = myPoints(txtPITag.Text).Data.Snapshot
        Dim myResult As Object = myValue.Value

        ' Digital-state values come back as COM objects; show the state name
        If myValue.Value.GetType.IsCOMObject Then
            lblResult.Text = CType(myValue.Value, PISDK.DigitalState).Name
        Else
            lblResult.Text = myResult.ToString
        End If

        ' Report which identity and protocol the PI server connection actually used
        Dim myPIConnection As PISDK.IServerConnect = DirectCast(myServer, PISDK.IServerConnect)
        lblConnectAs.Text = String.Format("Current User = {0}, Authentication Protocol = {1}, Display User = {2}", _
                                          myServer.CurrentUser, _
                                          myPIConnection.CurrentAuthenticationProtocol, _