AnsweredAssumed Answered

Kerberos and Delegation (Only does 1 jump in PiVision)

Question asked by MPCPRO on Feb 7, 2018
Latest reply on Feb 13, 2018 by MPCPRO

Hi guys.


Wondering if anyone could help me with kerberos and delegation.


I have the following system:

External Microsoft SQL Server for PiVision and PI AF databases.

2 Virtual Servers, one with PiVision and AF, and another with the Data Archive Server.


Let's call the PiVision and AF server for VM01 and the server hosting DA for VM02.


I first set up PiVision with Basic Authentication for login and the rest of the system with Trust. This seems to work out fine. However I recently tried to configure Kerberos so I can start using Active Directory groups, but it seem's I have configured something wrong, or left something out.


The setup:

I set up an AD Service account, changed these services on the VM01 server (PiVision and AF) to run under this new service account. PI AF Application Service, Pi analysis Service, Pi Buffer subsystem, Pi Notification Service,  Pi system directory publisher, Pi Web API and PI Web API Crawler). In IIS for PiVision on VM01, I went to Application Pools and changed the "PivisionAdminAppPool and PiVisionServiceAppPool  identity to "Custom Account" and used my AD Service Account".


Under IIS I also went in to "Default Web Site", "PIVision" and "Admin", and disabled Basic Authentication and enabled only "Windows Authentication". Under PiVision I went into "Management" and "Configuration Editor" and navigated to system.webServer/security/authentication/windowsAuthentication. and changed "useAppPoolCredentials" to True.


I then went into the AD Server and set up these SPNs:


SETSPN -S PISERVER/VM02 Domain\ServiceAccount

SETSPN -S AFServer/VM01 Domain\ServiceAccount

SETSPN -S HTTP/VM01 Domain\ServiceAccount


Under Active Directory, I went to my Computer Objects for VM01 and enabled Delegation for specified services (Kerberos only). Then I found VM02 in the search section and chose "PIServer" from that list and pressed OK.


I waited 10 minutes  and restarted the PI and AF/PiVision server one after the other.


When everything was back online I tried to navigate to PiVision to see if everything still worked, but I was unable to authenticate myself automatically. When I checked the message logs, it said that I tried to log in with an anonymous account. I tried the Klist purge command but that did not seem to help.


Next thing in an act of desperation I tried enabling kerberos delegation to the service account in AD. When prompted for which object I wanted to get the services from I chose the service account user again, and added PIServer, AFServer and HTTP.

I also did the same thing for the VM01 and VM02 computer objects in AD Delegation and added the 3 services from the service account (PIService, AFServer and HTTP).


Now kerberos seems to be working for one jump. When a user in an Active Directory group linked to a PI Identity tried to go into PiVision he get's automatically logged on but he is unable to find the DA Server og AF Server. So I think my fault is that the kerberos only does 1 jump and not the second jump.


I am hopelessly new to delegation and SPN, but I tried to follow the PI Vision Delegation guide but it seems to not work for me. Especially Step 7. When I tried to go into my Service Account and Delegate Access from the DA or AF Computer Object (VM01 and VM02) I am unable to find "PIServer and AFServer" in those Service Lists. I can only seem to find them if I choose the Service Account as the object.


Any experts with kerberos and SPN here that can help me out?