2 Replies Latest reply on Jun 26, 2018 9:43 AM by mkreideweis

    Service type "PIServer" missing after configuring Kerberos delegation and restarting PI-Server

    mkreideweis

      Hello,

       

      we have the following environment:

      -PI Data Archive Server 2012 SP incl. Patch 3.4.390.18 (OS: Windows Server 2008 R2 SP 1)

      -PI AF Server 2017 R2 Update 1 incl. SQL Server 2016 SP1 Enterprise (OS: Windows Server 2016)

      -PI Vision Server 2017 R2 Update 1 (OS: Windows Server 2016)

       

      I configured the SPNs for the custom PI-Vision-Service-Account using the commands "setspn -S http/netbios-server-name domain\service-account" and "setspn -S http/fully-qualified-DNS-name domain\service-account", because the PI Vision services and the application pools run under this custom PI-Vision-Service-Account. Afterwards I configured the Kerberos delegation for this custom PI-Vision-Service-Account like in the following screenshot.

      PIVisionservice_account_delegation.PNG

       

      Then I tested logging in to the PI Vision website remotely and the delegation worked. Afterwards I restarted all 3 servers mentioned above and the delegation did not work anymore. After some research I found out that the service type "PIServer" was not available anymore and found the following messages in the PI Server message log. The first message occurred when stopping the PI Server and the second occurred when starting the PI Server:

      >> SPN unregistration succeeded for CN=PIServer_Hostname,...

      >> SPN registration failed. Error code was: [1355] The specified domain either does not exist or could not be contacted., message context: SpnRegister: GetUserNameEx size query failed. Windows authentication using Kerberos will not function without manual intervention.

       

      The error [1355] now always occurs when restarting the server. Also taking the PI-Server out of the domain and in again did not solve the issue. The service type "PIServer" is still missing.

       

      Do you have any idea what the reason could be that the service type "PIServer" is missing and what I could do to create it again?

       

       

      Thank you and kind regards

       

      Michael

      setspn -S http/netbios-server-name domain\service-account
      (e.g. setspn -S http/emom0vpivs01 gwip\pivisionservice)

      setspn -S http/fully-qualified-DNS-name domain\service-account

        • Re: Service type "PIServer" missing after configuring Kerberos delegation and restarting PI-Server
          jengler

          Hi Michael,

           

          It seems to me you could be running into either of the following work items: WI102768 or WI172056

           

          I have seen behavior like this in the past. Essentially, upon startup, pinetmgr is failing to create the IPv4 listener, so no connections can be made.

          There is probably a delay for the listener to open, so pinetmgr is unable to create the SPN. I would recommend adding a startup delay to the pinetmgr service.

           

          Let me know if that works!

            • Re: Service type "PIServer" missing after configuring Kerberos delegation and restarting PI-Server
              mkreideweis

              Hi Jacob,

               

              the work item WI102768 you mentioned was the correct hint. The issue actually occurred because the pinetmgr service started too early. At first I wondered why this happens in our system, because the startup of our PI Server is done by a scheduled task which calls pisrvstart.bat after waiting 2 minutes and resynchronizing time with the domain. But 2 PI-related services, which have a dependency on the pinetmgr service, had not been set to start type "manual", but were still configured as start type "automatic". Therefore the pinetmgr service had been started before the scheduled task called pisrvstart.bat. After also setting these 2 services to start type "manual", the pinetmgr service succeeds in registering the SPN.

               

               

              Thank you for your help and kind regards

               

              Michael
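
A read-only check for the condition this thread arrives at, added here as an example and not part of any post above or of OSIsoft's tooling: it lists the start mode of every service that depends on pinetmgr and checks whether a PIServer SPN is present on the computer account. Assumptions: the Windows service name is `pinetmgr` as written in the thread, the SPN has the form `PIServer/<host>`, and `Get-WmiObject` is used so the script also runs on the PowerShell version shipped with Windows Server 2008 R2.

```powershell
# Added example (read-only). Assumptions: the Windows service is named 'pinetmgr'
# as written in the thread, and the SPN is PIServer/<host> on the computer account.
$anchor = 'pinetmgr'

# Start mode of every service that depends on pinetmgr. The service control
# manager starts pinetmgr first whenever one of these starts at boot.
$report = foreach ($svc in (Get-Service -Name $anchor).DependentServices) {
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$($svc.Name)'"
    New-Object PSObject -Property @{
        Name      = $svc.Name
        StartMode = $wmi.StartMode   # Auto, Manual or Disabled
        State     = $wmi.State
    }
}
$report | Format-Table Name, StartMode, State -AutoSize

# Dependents still set to automatic start defeat a delayed, scripted startup.
$early = @($report | Where-Object { $_.StartMode -eq 'Auto' })
if ($early.Count -gt 0) {
    Write-Warning ("Automatic-start dependents can start $anchor at boot: " +
        (($early | ForEach-Object { $_.Name }) -join ', '))
}

# List the SPNs on this computer account and look for the PIServer service type.
$spns  = setspn -L $env:COMPUTERNAME
$piSpn = @($spns | Where-Object { $_ -match '^\s*PIServer/' })
if ($piSpn.Count -eq 0) {
    Write-Warning "No PIServer/ SPN is registered on $env:COMPUTERNAME."
} else {
    $piSpn | ForEach-Object { $_.Trim() }
}
```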