2 of 2 people found this helpful
The issue you are facing is pretty similar to what PI Web API users see if 'Kerberos' is chosen as authentication method but the PI Web API Service needs to forward the ticket for authentication to the AF Server and / or PI Data Archive and Kerberos Delegation is not enabled. Kerberos Delegation means forwarding the Kerberos ticket over multiple hops.
If you set up your application pool to execute under local credentials starting with "NT SERVICE\", "LOCAL SYSTEM\" or "LOCAL SERVICE\" you need to trust the web host for delegation. This is also referred to as Unconstrained Delegation and not recommended.
If you set up your application pool to execute under a domain user account or even better a Managed Service Account, you can set up Constrained Delegation based on the account.
Please refer to KB01222 - Types of Kerberos Delegation for detailed information.