2 Replies Latest reply on May 22, 2018 8:45 AM by JamesIggulden

    PI Web API Windows Service Authentication




      We have a customer running the PI Web API as a Windows Service and with authentication set to 'Kerberos'.

      It is possible to access the REST API using a browser (running on the same Windows Server) without being prompted for any credentials which indicates that native Windows Authentication is working (i.e. it is using the credentials of the logged-in user).

      However, we also have a Java application running as a Windows Service (incidentally on the same server) where the 'logon as' user is set to an account known to the PI Web API.

      The Java application is making HTTP requests to the same REST API but we consistently get 401's returned i.e. unauthorised. Our expectation was that, because the Java application is running as a Service and as a known user, the native Windows Authentication would simply work.

      Any thoughts or suggestions welcome!




        • Re: PI Web API Windows Service Authentication

          Hi James,


          Kerberos delegation is great when it works but the configuration has some complexity. Please allow me to refer just some OSIsoft resources on the subject:



          Could be that PI Web API falls back to NTLM when you test PI Web API using a browser. This can be verified with the PI Web API Debug log as follows:

          • Launch Windows Event Viewer (eventvwr.exe)
          • Make sure Analytics and Debug logs option is enabled (View -> Show Analytic and Debug Logs)
          • Expand Application and Service Logs
          • Locate PIWebAPI and expand the node
          • Right-click on Debug and chose Enable Log
          • Execute a query against PI Web API
          • Refresh the Debug Log in Windows Event Viewer and check for authentication related messages


          Could be that the issue you are facing is due to CORS or CSRF. Please see KB01650 - CORS and CSRF in PI Web API


          Your Java application, even it is running on the PI Web API host, is an additional hop. While a fallback from Kerberos to NTLM is possible when you use a browser, Kerberos delegation must be properly configured to allow delegating a Kerberos ticket across multiple hops. With IIS hosted applications, it is also necessary to enable Windows Authentication for the application pool. Lubos Mlcoch talks about this in his blog post linked above.

          Finally, the Windows principal used by your Java application must have appropriate permission to the PI System. Please make sure the required mappings exist.


          If all this doesn't help, please obfuscate and post PI Web API Debug log messages when 401 is returned.

          3 of 3 people found this helpful