1 Reply Latest reply on Aug 6, 2018 10:41 AM by gregor

    PI AF Connectivity issue. Ensuring the impersonated client user can be delegated to the server.

    Dava

      Hi all,

      I've been searching and I found several questions related to the delegation to the server.
      Cannot connect to server 'ServerName'. Please examine connectivity to the remote PI AF Server as well as ensuring the impersonated client user can be delegated to the server.

      But most of them are related to the PI Web API application, so that is why I'm posting this question.

      I am developing an ASP.NET MVC web application to connect to PI and display information, using the PI AFSDK and the impersonation feature in ASP.NET.
      We are testing it in a network architecture with 3 boxes (servers):

      1) PI AF
      2) PI server (archives)
      3) The IIS server with the web app.

      The issue I'm having occurs when I try to impersonate a user launching the web app on any of the servers.
      Cannot connect to server 'ServerName'. Please examine connectivity to the remote PI AF Server as well as ensuring the impersonated client user can be delegated to the server.

      Checking other questions like:
      https://pisquare.osisoft.com/message/97464-re-online-training-programming-in-pi-web-api-online-course-april-2017-questio…

      and

      https://pisquare.osisoft.com/community/developers-club/blog/2017/03/17/the-pi-developers-club-pod-uc-2017#comment-10672

      These say that the issue is related to Kerberos Delegation and the PI AF service (I'm using the NT SERVICE\AFService).

      Honestly, I'm lost. I want to understand whether the issue is a PI AF configuration to do,
      or whether it is more an IT configuration in the domain (Active Directory).

      My apologies if the question sounds like an old conversation, but most of the answers are related to the Web API,
      and I'm not using it.

      Regards

        • Re: PI AF Connectivity issue. Ensuring the impersonated client user can be delegated to the server.
          gregor

          Hello David,

          The issue you are facing is pretty similar to what PI Web API users see if 'Kerberos' is chosen as authentication method but the PI Web API Service needs to forward the ticket for authentication to the AF Server and / or PI Data Archive and Kerberos Delegation is not enabled. Kerberos Delegation means forwarding the Kerberos ticket over multiple hops.

          If you set up your application pool to execute under local credentials starting with "NT SERVICE\", "LOCAL SYSTEM\" or "LOCAL SERVICE\" you need to trust the web host for delegation. This is also referred to as Unconstrained Delegation and not recommended.

          If you set up your application pool to execute under a domain user account or even better a Managed Service Account, you can set up Constrained Delegation based on the account.

          Please refer to KB01222 - Types of Kerberos Delegation for detailed information.

          To learn more about Managed Service Accounts, please refer to this blog written by Lubos

          2 of 2 people found this helpful
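
The two cases described in the reply above (application pool under a local identity versus a domain or Managed Service Account) can be checked from Active Directory. The following is an added example, not part of the original thread or of OSIsoft's documentation; it assumes the RSAT ActiveDirectory PowerShell module, and `IISWEB01`, `svc-piweb` and `gmsa-piweb` are hypothetical names for the web host and the application pool accounts.

```powershell
# Added example: report which kind of Kerberos delegation an account has.
# Requires the ActiveDirectory module (RSAT). All account names are placeholders.
Import-Module ActiveDirectory

$props = 'TrustedForDelegation', 'TrustedToAuthForDelegation',
         'msDS-AllowedToDelegateTo', 'ServicePrincipalName'

function Get-DelegationType {
    param([Parameter(Mandatory, ValueFromPipeline)] $Account)
    process {
        # SPNs this account may delegate to (empty when constrained delegation is not set)
        $targets = @($Account.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
        if ($Account.TrustedForDelegation) {
            $type = 'Unconstrained (not recommended)'
        } elseif ($targets.Count -eq 0) {
            $type = 'None'
        } elseif ($Account.TrustedToAuthForDelegation) {
            $type = 'Constrained (any authentication protocol)'
        } else {
            $type = 'Constrained (Kerberos only)'
        }
        [pscustomobject]@{
            Account    = $Account.SamAccountName
            Delegation = $type
            DelegateTo = $targets -join '; '
            SPNs       = @($Account.ServicePrincipalName | Where-Object { $_ }) -join '; '
        }
    }
}

# Case 1: the application pool runs under a local identity, so the web host's
# computer account is what the AF Server sees on the network.
Get-ADComputer -Identity 'IISWEB01' -Properties $props | Get-DelegationType

# Case 2: the application pool runs under a domain user or a Managed Service Account.
Get-ADUser           -Identity 'svc-piweb'  -Properties $props | Get-DelegationType
Get-ADServiceAccount -Identity 'gmsa-piweb' -Properties $props | Get-DelegationType

# Audit: every account with the TRUSTED_FOR_DELEGATION flag (0x80000 = 524288),
# excluding domain controllers (primaryGroupID 516), which carry it by default.
$filter = '(&(userAccountControl:1.2.840.113556.1.4.803:=524288)(!(primaryGroupID=516)))'
Get-ADObject -LDAPFilter $filter -Properties sAMAccountName |
    Select-Object sAMAccountName, ObjectClass, DistinguishedName
```

For a constrained setup, the `DelegateTo` column should list only the SPNs of the PI AF Server and PI Data Archive that the web application has to reach.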