9 Replies Latest reply on Jun 14, 2018 6:13 AM by Roger Palmen

    PI Integrator for Business Analytics: Authentication accross non trusted domains

    mkreideweis

      Hello,

       

       

      we'd like to test the PI Integrator for Business Analytics 2016 for making current PI data accessible for Spotfire. We have a license for Business Intelligence Edition available, which is able to provide PI Views but is not able to transfer PI data directly into a SQL-database. Unfortunately the Spotfire Server resides in Domain A and the PI Data Archive Server + PI AF Server reside in Domain B and these are non-trusted Domains. According to the user-guide the PI Integrator Service has to be installed and has to run under a domain-account. Therefore it makes sense to put the PI Integrator also in Domain B so that it can authenticate on the SQL Server, in AF and PI using this Domain account.

       

       

      I'd install the ODBC Driver then on the Spotfire Server in Domain A, but I don't know how the authentication from Spotfire to PI could work. The Spotfire users authenticate in Spotfire using their Domain-account of Domain A. Do you have any ideas how it could be configured so that the authentication works across the non-trusted Domains? Is it possible to configure Kerberos authentication across non-trusted Domains? Or should we better use the dataware house Edition of the PI Integrator and copy the PI data cyclically to a SQL database in Domain A?

       

       

      Thank you and kind regards

       

      Michael

        • Re: PI Integrator for Business Analytics: Authentication accross non trusted domains
          lposner

          Hi Michael,

           

          Are the Integrator (with PI SQL DAS) and the AF Server on different machines? If so then a double-hop would necessitate Kerberos like you mentioned (see PI SQL Data Access Server (PI Integrators) 2016 R2 Administrator Guide page 11). The PI SQL DAS service account would need to be able to delegate the Domain A credentials to access Domain B resources, but it doesn't sound like that is possible in your setup.

           

          The most straightforward approach would be to publish to a Microsoft SQL Server target because then you could use SQL Server authentication to access the data from Spotfire. As you noted, the SQL Server target is not available in the Business Intelligence Edition, but your existing Business Intelligence Edition license does translate to the PI Integrator for BA 2018 Standard Edition, which includes Microsoft SQL Server targets. I know that you said that you did not want to use the latest version because you cannot upgrade your AF server at this time, however.

           

          -Laura

          2 of 2 people found this helpful
            • Re: PI Integrator for Business Analytics: Authentication accross non trusted domains
              mkreideweis

              Hi Laura,

               

              thank you for your answer. I'd prefer to put the integrator (with PI SQL DAS)  on the AF Server-machine for the test. I just talked about that authentication question also with another Techsupport-Engineer on the phone and it seems that it works accross non-trusted domains by using an untrusted ODBC-connection. Then the domain-user, which runs the integrator- and SQL-DAS-Service is configured in the ODBC-connection-string. In this case no user-specific authentication would be possible of Spotfire-users and we could not configure user-specific PI Views.

               

              Sorry, SQL Server was my mistake. We have an Oracle Database in Domain A. Publishing into the database with an other edition of the Integrator would be the most straightforward approach also from my point of view. Thank you for the information about the PI Integrator for BA 2018 Standard Edition. That could be something for the future. End of next year we plan to upgrade.

               

              Independant of the type of publish target: do I need to have any concerns about the performance when configuring for example 5000 streams (PI-Tags) in a timeframe of 3 months with a time-resolution of 1min and an update every minute?

               

               

              Thank you and kind regards

               

              Michael

            • Re: PI Integrator for Business Analytics: Authentication accross non trusted domains
              Roger Palmen

              You could build a workaround such that in the SQLserver DB where the integrator stores the data in tables identified with a GUID, you create views to convert these into the name of the view in the integrator.

              Now you only need to get access to SQLserver from Spotfire, which should be a single hop.

               

              Why the BI edition has this odd limitation is beyond me. It introduces a lot of unnecessary components to get to the data, while in the end the data is in SQL anyway...