11 Replies Latest reply on Feb 13, 2018 11:57 AM by MPCPRO

    Kerberos and Delegation (Only does 1 jump in PiVision)

    MPCPRO

      Hi guys.

       

      Wondering if anyone could help me with kerberos and delegation.

       

      I have the following system:

      External Microsoft SQL Server for PiVision and PI AF databases.

      2 Virtual Servers, one with PiVision and AF, and another with the Data Archive Server.

       

      Let's call the PiVision and AF server for VM01 and the server hosting DA for VM02.

       

      I first set up PiVision with Basic Authentication for login and the rest of the system with Trust. This seems to work out fine. However I recently tried to configure Kerberos so I can start using Active Directory groups, but it seems I have configured something wrong, or left something out.

       

      The setup:

      I set up an AD Service account, changed these services on the VM01 server (PiVision and AF) to run under this new service account: PI AF Application Service, PI Analysis Service, PI Buffer Subsystem, PI Notification Service, PI System Directory Publisher, PI Web API and PI Web API Crawler. In IIS for PiVision on VM01, I went to Application Pools and changed the "PiVisionAdminAppPool" and "PiVisionServiceAppPool" identity to "Custom Account" and used my AD Service Account.

       

      Under IIS I also went in to "Default Web Site", "PIVision" and "Admin", and disabled Basic Authentication and enabled only "Windows Authentication". Under PiVision I went into "Management" and "Configuration Editor", navigated to system.webServer/security/authentication/windowsAuthentication and changed "useAppPoolCredentials" to True.

       

      I then went into the AD Server and set up these SPNs:

       

      SETSPN -S PISERVER/VM02 Domain\ServiceAccount

      SETSPN -S AFServer/VM01 Domain\ServiceAccount

      SETSPN -S HTTP/VM01 Domain\ServiceAccount

       

      Under Active Directory, I went to my Computer Objects for VM01 and enabled Delegation for specified services (Kerberos only). Then I found VM02 in the search section and chose "PIServer" from that list and pressed OK.

       

      I waited 10 minutes  and restarted the PI and AF/PiVision server one after the other.

       

      When everything was back online I tried to navigate to PiVision to see if everything still worked, but I was unable to authenticate myself automatically. When I checked the message logs, it said that I tried to log in with an anonymous account. I tried the Klist purge command but that did not seem to help.

       

      Next thing in an act of desperation I tried enabling kerberos delegation to the service account in AD. When prompted for which object I wanted to get the services from I chose the service account user again, and added PIServer, AFServer and HTTP.

      I also did the same thing for the VM01 and VM02 computer objects in AD Delegation and added the 3 services from the service account (PIService, AFServer and HTTP).

       

      Now kerberos seems to be working for one jump. When a user in an Active Directory group linked to a PI Identity tries to go into PiVision he gets automatically logged on, but he is unable to find the DA Server or AF Server. So I think my fault is that the kerberos only does 1 jump and not the second jump.

       

      I am hopelessly new to delegation and SPN, but I tried to follow the PI Vision Delegation guide but it seems to not work for me. Especially Step 7. When I tried to go into my Service Account and Delegate Access from the DA or AF Computer Object (VM01 and VM02) I am unable to find "PIServer and AFServer" in those Service Lists. I can only seem to find them if I choose the Service Account as the object.

       

      Any experts with kerberos and SPN here that can help me out?

        • Re: Kerberos and Delegation (Only does 1 jump in PiVision)
          vkaufmann

          Hi Matthew,

           

          I'd like to comment on some things that jumped out at me.

           

          1. There is no need to create a new PIServer SPN on VM01 unless you have changed the account the PI Network Manager is running under (not recommended). The PIServer should have created its own SPN.

           

          2. If you are using custom service accounts, this step is incorrect:

               Under Active Directory, I went to my Computer Objects for VM01 and enabled Delegation for specified services (Kerberos only). Then I found VM02 in the search section and chose "PIServer" from that list and pressed OK.

          You want to configure delegation for the service account as that is what will be doing the actual delegation. Doing it for the machine account will allow machine accounts associated with that computer to delegate and no others.

           

          3. This step is the correct step (sort of)

               Next thing in an act of desperation I tried enabling kerberos delegation to the service account in AD. When prompted for which object I wanted to get the services from I chose the service account user again, and added PIServer, AFServer and HTTP.

               I also did the same thing for the VM01 and VM02 computer objects in AD Delegation and added the 3 services from the service account (PIService, AFServer and HTTP).

          For this step you have to enable delegation to the PI Server and AF Server. You can find these by searching for the machine that the Data Archive is installed on (since we should be using the default SPN) and by searching for the custom account to find the AFServer SPN that you created.

           

          4. If you are able to access Vision but don't see the actual AF and Data Archive objects you might simply never have crawled them. The Index Search Crawler is the thing that controls what can be searched in Vision, so if you haven't created these search sources you will find nothing in Vision even if you have the correct delegation configured. You may want to take a look at this KB for more information on how to troubleshoot the Search Crawler. Be aware that in order to crawl, the Search Crawler service needs to have read permission to whatever data source you want to see in PI Vision.

           

          Let me know if anything is unclear or if you have any questions regarding what I said above.

           

          --Vince

            • Re: Kerberos and Delegation (Only does 1 jump in PiVision)
              MPCPRO

              Hi Vincent.

               

              Thanks for the reply. I'll give it a shot tomorrow afternoon when I am back and reply back how it went.

               

              I'll also delete those incorrect steps I did for VM01 and check out the crawler.

                • Re: Kerberos and Delegation (Only does 1 jump in PiVision)
                  gmichaud-verreault

                  I would suggest going carefully through all the steps in the documentation. The latest documentation is very clear if you follow it step-by-step.

                   

                  Enable Kerberos delegation using a custom PI Vision service account

                    • Re: Kerberos and Delegation (Only does 1 jump in PiVision)
                      MPCPRO

                      Hi.

                       

                      I just tried this, but I still cannot get it to work.

                       

                      Followed the guide step by step, but when I search for VM01 (AF/PiVision Server), I am unable to find the AF Service under it. I can only find the AF Service running under the service account.

                       

                      When I add it via the service account I still get Anonymous Logon, and I am unable to get live data from the Sinusoid test tag.

                       

                      So the service account (this service account is used for all PI things) has these delegations:

                       

                      PIServer Service via VM02

                      AFServer Service via Service Account (Unable to find this via VM01 like the guide suggests)

                      HTTP service via Service Account

                       

                      I also tried allowing kerberos delegation to any service on the service account, and on VM01 and VM02, just to see if that made any difference. It did not.

                       

                      Maybe I did something wrong with the SETSPN Commands?

                       

                      I used

                      SETSPN -S AFServer\VM01 Domain\ServiceAccount

                      SETSPN -S AFServer\VM01.Domain.No Domain\ServiceAccount

                       

                      SETSPN -S HTTP\VM01 Domain\ServiceAccount

                      SETSPN -S HTTP\VM01.Domain.No Domain\ServiceAccount

                       

                      SETSPN -S PIServer\VM02 Domain\ServiceAccount

                      SETSPN -S PIServer\VM02.Domain.No Domain\ServiceAccount

                • Re: Kerberos and Delegation (Only does 1 jump in PiVision)
                  gmichaud-verreault

                  When you perform this step:

                       SETSPN -S AFServer\VM01 Domain\ServiceAccount

                       SETSPN -S AFServer\VM01.Domain.No Domain\ServiceAccount

                  You need to make sure that you are using the service account running the PI AF Application Service. Then, you will search for that account in the delegation tab. If you are using the same service account for PI AF, then yes, you will want to search for the service account and not the machine account (VM01).

                   

                  You should not have

                       SETSPN -S PIServer\VM02 Domain\ServiceAccount

                       SETSPN -S PIServer\VM02.Domain.No Domain\ServiceAccount

                  as the PI Data Archive will be running under LocalSystem. I would also make sure that you do not have duplicate SPNs.

                   

                  You might want to contact Tech Support if you want to have someone guide you through those steps.

                   

                  Gabriel

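As an added check (example code written for this thread, not OSIsoft's and not either poster's), the PowerShell below verifies the layout Vince's points 2 and 3 and Gabriel's reply describe: AFServer and HTTP SPNs on the service account, PIServer SPNs on the VM02 computer account only, no duplicates, and the service account's constrained-delegation list pointing at both the AF server and the Data Archive. It assumes the RSAT ActiveDirectory module and uses the thread's placeholder names (Service_Account, VM01, VM02, domain.no); the HTTP entry the original poster also lists under delegation is left out because no reply confirms it is needed.

```powershell
# Added example, not from the thread: check the SPN and constrained-delegation
# layout the replies describe. Assumes the RSAT ActiveDirectory module and the
# placeholder names used in the thread (VM01, VM02, Service_Account, domain.no).
Import-Module ActiveDirectory

$ServiceAccount  = 'Service_Account'   # runs PI Vision app pools and PI AF Application Service
$VisionAfHost    = 'VM01'              # PI Vision + AF server
$DataArchiveHost = 'VM02'              # PI Data Archive; PI Network Manager runs as LocalSystem
$DnsSuffix       = 'domain.no'

$svc = Get-ADUser     -Identity $ServiceAccount  -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo'
$da  = Get-ADComputer -Identity $DataArchiveHost -Properties servicePrincipalName

$problems = @()

# 1. AFServer/ and HTTP/ SPNs (short name and FQDN) belong on the service account.
foreach ($class in 'AFServer', 'HTTP') {
    foreach ($h in $VisionAfHost, "$VisionAfHost.$DnsSuffix") {
        if ($svc.servicePrincipalName -notcontains "$class/$h") {
            $problems += "missing on ${ServiceAccount}: $class/$h"
        }
    }
}

# 2. PIServer/ SPNs belong on the VM02 computer account, not on the service account
#    (the Data Archive registers them itself; a copy on the service account is a duplicate).
foreach ($h in $DataArchiveHost, "$DataArchiveHost.$DnsSuffix") {
    if ($da.servicePrincipalName  -notcontains "PIServer/$h") { $problems += "missing on ${DataArchiveHost}`$: PIServer/$h" }
    if ($svc.servicePrincipalName -contains    "PIServer/$h") { $problems += "duplicate: PIServer/$h is also on $ServiceAccount" }
}

# 3. Constrained delegation on the service account must list the AF server SPN (found by
#    searching the service account in the Delegation tab) and the Data Archive SPN (found by
#    searching VM02). The replies do not mention HTTP here, so it is not required.
$needed = @("AFServer/$VisionAfHost", "AFServer/$VisionAfHost.$DnsSuffix",
            "PIServer/$DataArchiveHost", "PIServer/$DataArchiveHost.$DnsSuffix")
foreach ($spn in $needed) {
    if ($svc.'msDS-AllowedToDelegateTo' -notcontains $spn) { $problems += "not allowed to delegate to: $spn" }
}

# 4. Domain-wide duplicate SPN scan; a duplicated SPN breaks Kerberos for that service.
setspn -X

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else           { 'SPN and delegation layout matches the thread guidance.' }
```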
                    • Re: Kerberos and Delegation (Only does 1 jump in PiVision)
                      MPCPRO

                      Thanks Gabriel. Will have to try this tomorrow.

                       

                      Just to be sure, do I need to create a new SETSPN for VM02? Or will the VM02 machine make a new SPN for itself automatically without me needing to: SETSPN -S PIServer\VM02 VM02$   ?

                       

                      And the only delegations under my service account in AD should be:

                       

                      AFServer via Service_Account

                      http via Service_Account

                      PIServer via ComputerObject/MachineAccount$

                       

                      ?


                      Thanks so far. I'll keep Tech Support in mind, but would like to see if I can learn from my mistakes myself.

                      • Re: Kerberos and Delegation (Only does 1 jump in PiVision)
                        vkaufmann

                        In addition to these suggestions, can you please share the output of the following commands?

                         

                        setspn -l domain\serviceAccount

                        setspn -l VM01

                        setspn -l VM02

                         

                        Can you also give us a screenshot of the delegation tab for the service account you are using? Can you confirm that you are using the same service account for vision and the AF Application service?

                         

                        --Vince

                          • Re: Kerberos and Delegation (Only does 1 jump in PiVision)
                            MPCPRO

                            Hi Vincent. I am able to do this today.

                             

                            We tried the following SPN commands:

                             

                            SETSPN -d PIServer\VM02 Domain\ServiceAccount

                            SETSPN -d PIServer\VM02.Domain.No Domain\ServiceAccount

                            SETSPN -s PIServer\VM02 VM02$

                            SETSPN -s PIServer\VM02.Domain.No VM02$

                             

                             

                            We are getting the following error:

                             

                            Invalid SPN PIServer\VM02.Domain.no .

                             

                            Edit: I think it might have been because we switched / with \, will try again

                             

                            I'll try to get those screenshots as well now while I am at it (going via a third person, so taking some time).

                             

                            Edit:

                             

                            NVM, got the correct ones in now.

                            • Re: Kerberos and Delegation (Only does 1 jump in PiVision)
                              MPCPRO

                              Here's the output:

                               

                              (Modified to hide the realnames):

                               

                               

                               

                              C:\Windows\system32>SETSPN -l Service_Account

                              Registered ServicePrincipalNames for CN=Service_Account,CN=Users,DC=domain,DC=no:

                                      HTTP/VM01.domain.no

                                      HTTP/VM01

                                      AFServer/VM01.domain.no

                                      AFServer/VM01

                               

                              C:\Windows\system32>SETSPN -l VM02$

                              Registered ServicePrincipalNames for CN=VM02,CN=Computers,DC=domain,DC=no:

                                      PIServer/VM02.domain.no

                                      PIServer/VM02

                                      WSMAN/VM02.domain.no

                                      WSMAN/VM02

                                      TERMSRV/VM02.domain.no

                                      TERMSRV/VM02

                                      RestrictedKrbHost/VM02

                                      HOST/VM02

                                      RestrictedKrbHost/VM02.domain.no

                                      HOST/VM02.domain.no

                               

                               

                               

                              In the screenshot from delegation we added AFServer and HTTP from the Service_Account object, but it still shows up as VM01, which is funny.


                          • Re: Kerberos and Delegation (Only does 1 jump in PiVision)
                            MPCPRO

                            Yes. The PIVision and AF Application Service both use the same service_account. I will try these commands and also try to get a copy of the outputs. Thanks

                             

                            Edit: Seems like I will not be able to get access to the system until Monday, so I'll post back then