5 Replies Latest reply on Jul 9, 2018 5:10 PM by jengler

    Require Host Headers + PIVision

    vint.maggs@srs.gov

      Hello All,

           I am running the latest release of PIVision on W2K12R2. I am attempting to comply with the CIS Microsoft IIS 8 Benchmark, v 1.4.0. 

           Setting 1.1.2 requires setting host headers for all sites. When I enable it (entering a FQDN for port 443) I get massive errors. "Data error: Cannot connect to the PI Data Archive. Windows authentication trial failed because insufficient privilege to access the PI Data Archive. Trust authentication failed because insufficient privilege to access the PI Data Archive."

           Can someone explain why this is happening? Am I misinterpreting the requirement? It says (page 12) "For all non-SSL sites..." Do you think that includes TLS? W2K12 uses TLS 1.2 by default.


      Thanks,

      Vint

        • Re: Require Host Headers + PIVision
          jengler

          Hi Vint,


          Port 443 is the standard port that websites use for SSL (https) connections. TLS effectively supersedes SSL, so in this case you may not need to comply with setting 1.1.2 anyway. That being said, it appears that Kerberos is not working for your FQDN. This could be because a SPN is missing, or a web API configuration issue. See: PI Vision for more details about setting up Kerberos for PI Vision.

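Editor's note on the reply above: the connection between the CIS host-header setting and the Kerberos failure is the service principal name. When an IIS binding is changed from IP:443 to IP:443:fqdn, browsers start requesting a Kerberos ticket for HTTP/fqdn; if no account holds that SPN (or the wrong account holds it), Negotiate falls back to NTLM, and NTLM credentials cannot be delegated from the PI Vision web server to the PI Data Archive, which produces the "Windows authentication trial failed" data error. The script below is an added example, not code from the thread or from OSIsoft; it checks the three things jengler points at (the binding, the application pool identity, and the SPN). The site name `PIVision` and the FQDN `pivision.example.com` are placeholder assumptions; run it on the PI Vision web server as a domain user.

```powershell
# Added example (editor's), not from the original thread or OSIsoft documentation.
# Assumed placeholders: the IIS site name and the host-header FQDN.
param(
    [string]$SiteName   = 'PIVision',               # assumed IIS site name
    [string]$HostHeader = 'pivision.example.com'    # assumed FQDN placed in the 443 binding
)

Import-Module WebAdministration

function Get-HttpsBindingTriplets {
    # Returns the IP:port:host triplets for the site's https bindings, the same triplet
    # the CIS benchmark refers to in setting 1.1.2.
    param([string]$Site)
    foreach ($b in Get-WebBinding -Name $Site -Protocol https) {
        $ip, $port, $hdr = $b.bindingInformation -split ':'
        [pscustomobject]@{ IP = $ip; Port = $port; HostHeader = $hdr }
    }
}

function Get-AppPoolIdentity {
    # The SPN must be registered on this identity: the named domain account, or the
    # computer account when the pool runs as ApplicationPoolIdentity / NetworkService.
    param([string]$Site)
    $pool  = (Get-Item "IIS:\Sites\$Site").applicationPool
    $model = (Get-Item "IIS:\AppPools\$pool").processModel
    if ($model.identityType -eq 'SpecificUser') { return $model.userName }
    return "$env:USERDOMAIN\$env:COMPUTERNAME`$"   # computer account, e.g. CONTOSO\WEB01$
}

function Get-SpnHolder {
    # Looks up which AD object holds the SPN; uses the built-in DirectorySearcher so
    # no RSAT module is required. Returns $null when the SPN is not registered anywhere.
    param([string]$Spn)
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    $hit = $searcher.FindOne()
    if ($null -eq $hit) { return $null }
    return [string]$hit.Properties['samaccountname'][0]
}

# --- Run the checks ---------------------------------------------------------
$identity = Get-AppPoolIdentity -Site $SiteName
"App pool identity for $SiteName : $identity"

foreach ($t in Get-HttpsBindingTriplets -Site $SiteName) {
    if ([string]::IsNullOrEmpty($t.HostHeader)) {
        "Binding $($t.IP):$($t.Port) has no host header; clients request HTTP/<server name> tickets."
        continue
    }
    $spn    = "HTTP/$($t.HostHeader)"
    $holder = Get-SpnHolder -Spn $spn
    if ($null -eq $holder) {
        Write-Warning "$spn is not registered. Browsers using $($t.HostHeader) will fall back to NTLM, which cannot be delegated to the PI Data Archive."
        "Fix (as a domain admin):  setspn -S $spn $identity"
    } elseif ($holder -ne ($identity -split '\\')[-1]) {
        Write-Warning "$spn is held by $holder, not by the app pool identity $identity (possible duplicate/misplaced SPN)."
    } else {
        "$spn is correctly registered to $holder."
    }
}

# After adding the SPN, confirm a client actually obtains a Kerberos ticket for it:
#   klist purge ; browse to https://$HostHeader ; klist   (look for HTTP/$HostHeader)
```

The script only reads IIS and AD state; the `setspn -S` line it prints is the change to make, and `-S` (rather than `-A`) refuses to create a duplicate SPN, which is the usual cause of Kerberos silently failing after a host header is introduced. If the SPN is correct and delegation still fails, the remaining suspect is the delegation configuration from the web server's identity to the PIServer SPNs, which is outside what this script checks.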
            • Re: Require Host Headers + PIVision
              vint.maggs@srs.gov

              Hey Jacob,


                   While I am not an expert in certificate signing and Kerberos Delegation, I believe that Kerberos is working properly. I completed the whole SPN process as prescribed. Output from the setspn -l command includes PIServer for both data archive boxes and AFServer for the af server, which is also hosted on the PIVision server.


                   What I did not do, however, was submit a certificate request for the two data archive servers to IT as there was no direction to do so. All servers are domain joined, btw.


                   I think I am fine, but I guess I am having difficulty interpreting the meaning of "For non-SSL sites, ensure that the IP:port:host triplet contains a host name." If I take this literally (e.g., not TLS), then I am compliant with requirement 1.1.2.


                   I would like to understand why setting this breaks PIVision / IIS though.


              Thanks,

              Vint