Thank you for writing in PI Square !
First of all I wanted to ask if you are succesfully connecting to the PI Web API through Kerberos using your browser, Fidler or Postman?
You can find the step by step information to check if you Kerberos is correctly configured in this guide:
- PI Vision 2017 R2 Installation and Administration Guide - (English) in page 40 (Phase 5: Setting up Kerberos delegation)
Which version of PI Web API are you currenty using? There are some connection features that were changed on version PI Web API 2017 R2. KB01229 - Issues using PI Web API with multiple allowed authentication methods
There is an example using C# which includes a example test using Kerberos: Working with PI Web API - HttpClient in C#
Please let me know if this helps or if you need to have deeper troubleshooting,
Thank you very much for the hint! this helps a lot to me.
will just check on this and let you know if I have more queries.
By the way, I am using a PI Web API 2017 version and just installed on my VM server. I am not connected to a domain, just a local server.
3 of 3 people found this helpful
When you mention that you are not connected to a domain, I understand that you are saying that you do not have a domain controller hosting your domain.
Without having a domain controller you are not going to be able to use Kerberos delegation and you will not be able to achieve what you are looking for.
- Which OS are you using for your PI Web API?
- Could you test to access in the VM where you have installed the machine and use http://localhost/piwebapi ?
- Do you see any errors in the Event Viewer from Windows?
The error that you are seeing my be shown by several reasons:
- Did you made any configuration changes in your Configuration database from AF in order to allow Kerberos? There are different authentication methods that you can use to access to the system:
- There are three authenticate options Anonymous, Basic and Kerberos. Kerberos authentication is the most secure option, however it is more complicate to configure and you cannot use it without a domain account.
- Could you check that the Authentication Method attribute in the Configuration database is set to Configuration Item?
You might be running into different issues that could be triggering the error:
- KB01229 - Issues using PI Web API with multiple allowed authentication methods
- "Authorization has been denied for this request." when adding database for PI Web API
- Authorization (Kerberos) has been denied for this request - PI Web API using Python
There are many facts that could be taken into account that could through the error.
I think my issue was when I tried to make multiple Authentication methods in AF Configuration database, I started getting this error message. Now I turned it back to one Authentication and it works again.
for the Kerberos, it is now clear to me that it will not work if I don't have a domain controller. cheers for that!
Now, just another question. in case that if I deploy my project to a server with a domain controller. do you find this code correct?
request.UseDefaultCredentials = true;
request.Method = "GET";
WebResponse response = request.GetResponse();
does it mean that if I use the default credentials and set it to true, does it referring Kerberos authentication?
Thank you for your support.