
Service type "PIServer" missing after configuring Kerberos delegation and restarting PI-Server

Question asked by mkreideweis on Jun 25, 2018
Latest reply on Jun 26, 2018 by mkreideweis

Hello,

We have the following environment:

-PI Data Archive Server 2012 SP incl. Patch 3.4.390.18 (OS: Windows Server 2008 R2 SP 1)

-PI AF Server 2017 R2 Update 1 incl. SQL Server 2016 SP1 Enterprise (OS: Windows Server 2016)

-PI Vision Server 2017 R2 Update 1 (OS: Windows Server 2016)

I configured the SPNs for the custom PI-Vision-Service-Account using the commands "setspn -S http/netbios-server-name domain\service-account" and "setspn -S http/fully-qualified-DNS-name domain\service-account", because the PI Vision services and the application pools run under this custom PI-Vision-Service-Account. Afterwards I configured the Kerberos delegation for this custom PI-Vision-Service-Account as shown in the following screenshot.

[Screenshot: PIVisionservice_account_delegation.PNG]

Then I tested logging in to the PI Vision website remotely and the delegation worked. Afterwards I restarted all 3 servers mentioned above and the delegation did not work anymore. After some research I found out that the service type "PIServer" was not available anymore and found the following messages in the PI Server message log. The first message occurred when stopping the PI Server and the second occurred when starting the PI Server:

>> SPN unregistration succeeded for CN=PIServer_Hostname,...

>> SPN registration failed. Error code was: [1355] The specified domain either does not exist or could not be contacted., message context: SpnRegister: GetUserNameEx size query failed. Windows authentication using Kerberos will not function without manual intervention.

The error [1355] now always occurs when restarting the server. Removing the PI Server from the domain and rejoining it did not solve the issue either. The service type "PIServer" is still missing.

Do you have any idea why the service type "PIServer" is missing and what I could do to create it again?

Thank you and kind regards,

Michael

setspn -S http/netbios-server-name domain\service-account
(e.g. setspn -S http/emom0vpivs01 gwip\pivisionservice)

setspn -S http/fully-qualified-DNS-name domain\service-account
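
Added example, not part of the original post: a PowerShell check that compares the output of `setspn -L` with the SPNs an account is expected to carry, which shows whether the "PIServer" entries are actually gone after a restart. The function name `Get-MissingSpn`, the host `PISRV01` and the domain `example.local` are constructed placeholders, and the `PIServer/<host>` and `PIServer/<fqdn>` forms on the computer account are an assumption based on the service type named in the post.

```powershell
# Added example: report which expected SPNs are absent from `setspn -L` output.
# Get-MissingSpn is a hypothetical helper, not part of any OSIsoft tooling.
function Get-MissingSpn {
    param(
        [string[]]$SetSpnOutput,   # lines printed by: setspn -L <account>
        [string[]]$ExpectedSpn     # SPNs that should be registered on that account
    )
    # SPN entries are the indented lines; the header line starts at column 0.
    $registered = $SetSpnOutput |
        Where-Object { $_ -match '^\s+\S+/\S+' } |
        ForEach-Object { $_.Trim().ToLowerInvariant() }
    # Compare case-insensitively and return only the entries that are absent.
    $ExpectedSpn | Where-Object { $registered -notcontains $_.ToLowerInvariant() }
}

# Constructed sample: computer account of the Data Archive host after the
# restart, with no PIServer entries. Names are placeholders.
$sample = @(
    'Registered ServicePrincipalNames for CN=PISRV01,CN=Computers,DC=example,DC=local:'
    "`tHOST/PISRV01"
    "`tHOST/PISRV01.example.local"
    "`tRestrictedKrbHost/PISRV01"
    "`tRestrictedKrbHost/PISRV01.example.local"
)

# Assumed SPN forms for the "PIServer" service type (see lead-in).
$expected = 'PIServer/PISRV01', 'PIServer/PISRV01.example.local'

$missing = Get-MissingSpn -SetSpnOutput $sample -ExpectedSpn $expected
if ($missing) {
    "Missing SPNs: $($missing -join ', ')"
} else {
    'All expected SPNs present'
}

# Against a live domain, from a domain-joined machine:
#   Get-MissingSpn -SetSpnOutput (setspn -L PISRV01) -ExpectedSpn $expected
# The same function checks the http/ SPNs on the PI Vision service account:
#   Get-MissingSpn -SetSpnOutput (setspn -L EXAMPLE\pivisionservice) `
#       -ExpectedSpn 'http/PIVIS01', 'http/PIVIS01.example.local'
```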
