Kerberos delegation is great when it works but the configuration has some complexity. Please allow me to refer to just some OSIsoft resources on the subject:
- KB01222 - Types of Kerberos Delegation
- KB01223 - Kerberos and Internet Browsers
- Coresight Squared – What’s next? Kerberos and more..
Could be that PI Web API falls back to NTLM when you test PI Web API using a browser. This can be verified with the PI Web API Debug log as follows:
- Launch Windows Event Viewer (eventvwr.exe)
- Make sure Analytics and Debug logs option is enabled (View -> Show Analytic and Debug Logs)
- Expand Application and Service Logs
- Locate PIWebAPI and expand the node
- Right-click on Debug and choose Enable Log
- Execute a query against PI Web API
- Refresh the Debug Log in Windows Event Viewer and check for authentication related messages
Could be that the issue you are facing is due to CORS or CSRF. Please see KB01650 - CORS and CSRF in PI Web API
Your Java application, even if it is running on the PI Web API host, is an additional hop. While a fallback from Kerberos to NTLM is possible when you use a browser, Kerberos delegation must be properly configured to allow delegating a Kerberos ticket across multiple hops. With IIS hosted applications, it is also necessary to enable Windows Authentication for the application pool. Lubos Mlcoch talks about this in his blog post linked above.
Finally, the Windows principal used by your Java application must have appropriate permission to the PI System. Please make sure the required mappings exist.
If all this doesn't help, please obfuscate and post PI Web API Debug log messages when 401 is returned.
Thanks for your reply.
Ultimately we needed to use the following API: WinHttpClients (Apache HttpClient Windows features 4.5.5 API)
By using the above we are now able to perform Kerberos Authentication with the PI Web API from our Java app.
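The approach named in the reply above, shown as an added example that is not code from either poster: a Java client built with `WinHttpClients` that reports which HTTP authentication scheme was used and which schemes the server offers on a 401. The URL is a placeholder and the class name is hypothetical; it assumes a Windows host with `httpclient-win` 4.5.x and its JNA dependencies on the classpath.

```java
import org.apache.http.Header;
import org.apache.http.auth.AuthScheme;
import org.apache.http.auth.AuthState;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.WinHttpClients;
import org.apache.http.util.EntityUtils;

public class PiWebApiAuthCheck { // hypothetical class name
    // Placeholder endpoint (assumption): replace with your PI Web API base URL.
    private static final String DEFAULT_URL = "https://piwebapi.example.com/piwebapi/";

    public static void main(String[] args) throws Exception {
        String url = args.length > 0 ? args[0] : DEFAULT_URL;

        // WinHttpClients relies on native SSPI through JNA; check before use.
        if (!WinHttpClients.isWinAuthAvailable()) {
            System.err.println("Integrated Windows authentication is not available.");
            System.exit(2);
        }

        HttpClientContext context = HttpClientContext.create();
        // The client authenticates as the Windows principal running this JVM,
        // so no user name or password is stored in the application.
        try (CloseableHttpClient client = WinHttpClients.createDefault();
             CloseableHttpResponse response = client.execute(new HttpGet(url), context)) {

            int status = response.getStatusLine().getStatusCode();
            System.out.println("HTTP status: " + status);

            // "Negotiate" is SPNEGO, which can still select NTLM internally;
            // the PI Web API Debug log shows what the server actually accepted.
            AuthState state = context.getTargetAuthState();
            AuthScheme scheme = (state != null) ? state.getAuthScheme() : null;
            System.out.println("Scheme used: "
                    + (scheme != null ? scheme.getSchemeName() : "none"));

            if (status == 401) {
                // Schemes the server offers, useful when posting a 401 for diagnosis.
                for (Header h : response.getHeaders("WWW-Authenticate")) {
                    System.out.println("Server offers: " + h.getValue());
                }
            }
            EntityUtils.consume(response.getEntity());
        }
    }
}
```

A scheme of `NTLM`, or a 401 that offers only `NTLM`, points back at the SPN and delegation configuration covered in the KB articles listed in the first answer.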