5 Replies Latest reply on Aug 17, 2018 12:57 AM by Jouni

    PI WebAPI misconfiguration - Can access Points but no AF elements/attributes?

    Jouni

      Hi all,

       

      As a developer I started to test how we could visualise some metrics from PI/AF on our web-based dashboards by pulling the data directly from PI WebAPI.

      WebAPI was configured by a 3rd party and I can access the WebAPI landing page https://<WebAPIServer>/webapi fine.

      However, I found out that I can't get any element or attribute data out through the Elements controller, but reading PI Points works just fine.

       

      Working controllers

      Search : Searching PI Points and AF Elements & Attributes works fine
      Point:  GetByPath and Get work as expected

       

      Not working

      Elements?Path=<PATH> : All queries result in "The specified path was not found. If more details are needed, please contact your PI Web API administrator for help in enabling debug mode."

      Elements/<WEBID> : All queries result in "An exception has occurred. Please contact your PI Web API administrator for help in enabling debug mode."

      Attribute : Same errors as with the Elements controller

       

      Troubleshooting done so far

      Problem is not caused by incorrect URL.
      I did a search which returned both AF elements and PI Points with a "Self" link.

      "ItemType": "afelement",
      "Links": {
          "Self": "https://<WEBAPISERVER>/piwebapi/elements/F1EmMgfWBv0GMUyvfXrkrTO19QYgpfg9R06BGWaESFAK13FgTVJQLVBJQVBQLVAwMVxERVZFTE9QTUVOVCBNRVJDVVJZIEFTU0VUU1xLQVdFUkFV" - FAILS
      },
      "ItemType": "pipoint",
      "Links": {
          "Self": "https://<WEBAPISERVER>/piwebapi/points/F1DPWHN4jVUdw0GVEdzXExuKgwtUwAAASEFNLVBJLU5cS0FXLUxBQi1IMlMx" - WORKS
      }

      Other findings:

      I checked the output of the AssetServers and DataServers controllers and one thing caught my eye:

      https://<WEBAPISERVER>/piwebapi/dataservers outputs

      {
         "Links": {},
         "Items": [
           {
             "WebId": "F1DSWHN4jVUdw0GVEdzXExuKgwSEFNLVBJ",
             "Id": "8d787358-1d55-41c3-9511-dcd7131b8a83",
             "IsConnected": true,
             "ServerVersion": "3.4.415.1188",
             "Links": {
               "Self": "https://<WEBAPISERVER>/piwebapi/dataservers/F1DSWHN4jVUdw0GVEdzXExuKgwSEFNLVBJ",
               "Points": "https://<WEBAPISERVER>/piwebapi/dataservers/F1DSWHN4jVUdw0GVEdzXExuKgwSEFNLVBJ/points",
               "EnumerationSets": "https://<WEBAPISERVER>/piwebapi/dataservers/F1DSWHN4jVUdw0GVEdzXExuKgwSEFNLVBJ/enumerationsets"
             }
           }
         ]
      }

      https://<WEBAPISERVER>/piwebapi/assetservers outputs

      {
         "Links": {},
         "Items": [
           {
             "WebId": "F1RSMgfWBv0GMUyvfXrkrTO19QTVJQLVBJQVBQLVAwMQ",
             "Id": "06d60732-06fd-4c31-af7d-7ae4ad33b5f5",
             "Name": "<af_server_name>",
             "Description": "",
             "Path": "\\\\<af_server_name>",
             "IsConnected": false,
             "ServerVersion": "",
             "ExtendedProperties": {},
             "Links": {
               "Self": "https://<WEBAPISERVER>/piwebapi/assetservers/F1RSMgfWBv0GMUyvfXrkrTO19QTVJQLVBJQVBQLVAwMQ",
               "Databases": "https://<WEBAPISERVER>/piwebapi/assetservers/F1RSMgfWBv0GMUyvfXrkrTO19QTVJQLVBJQVBQLVAwMQ/assetdatabases",
               "SecurityIdentities": "https://<WEBAPISERVER>/piwebapi/assetservers/F1RSMgfWBv0GMUyvfXrkrTO19QTVJQLVBJQVBQLVAwMQ/securityidentities",
               "SecurityMappings": "https://<WEBAPISERVER>/piwebapi/assetservers/F1RSMgfWBv0GMUyvfXrkrTO19QTVJQLVBJQVBQLVAwMQ/securitymappings",
               "UnitClasses": "https://<WEBAPISERVER>/piwebapi/assetservers/F1RSMgfWBv0GMUyvfXrkrTO19QTVJQLVBJQVBQLVAwMQ/unitclasses",
               "AnalysisRulePlugIns": "https://<WEBAPISERVER>/piwebapi/assetservers/F1RSMgfWBv0GMUyvfXrkrTO19QTVJQLVBJQVBQLVAwMQ/analysisruleplugins",
               "TimeRulePlugIns": "https://<WEBAPISERVER>/piwebapi/assetservers/F1RSMgfWBv0GMUyvfXrkrTO19QTVJQLVBJQVBQLVAwMQ/timeruleplugins",
               "Security": "https://<WEBAPISERVER>/piwebapi/assetservers/F1RSMgfWBv0GMUyvfXrkrTO19QTVJQLVBJQVBQLVAwMQ/security",
               "SecurityEntries": "https://<WEBAPISERVER>/piwebapi/assetservers/F1RSMgfWBv0GMUyvfXrkrTO19QTVJQLVBJQVBQLVAwMQ/securityentries"
             }
           }
         ]
      }

      None of the links in the JSON response above work; they all result in "An exception has occurred. Please contact your PI Web API administrator for help in enabling debug mode"

       

      EDIT:
      I can get the service to respond if I log on to the WebAPI server through RDP and call the service once using the localhost binding.

      Steps I've done to reproduce the behaviour

      1. On my local machine I navigate to https://<WEBAPISERVER>/piwebapi/elements/<WebId> --> FAILS
      2. RDP to WEBAPISERVER
      3. Open browser on WEBAPISERVER and navigate to https://<WEBAPISERVER>/piwebapi/elements/<WebId> --> FAILS
      4. Change URL on WEBAPISERVER to https://localhost/piwebapi/elements/<WebId> --> WORKS
      5. Now repeating step 1 will work fine too.

       

      Also, the JSON reply from https://<WEBAPISERVER>/piwebapi/assetservers now has "IsConnected" : true.

       

      Any ideas where the administrator should look to get the AF side of WebAPI to work too?

        • Re: PI WebAPI misconfiguration - Can access Points but no AF elements/attributes?
          jyi

          Did you use the same identity to RDP into the machine? What authentication method are you using?

           

          Checking with af server admin if you have access to customer's AF Server/afdatabase seems to be the first priority.

          To see what user account you are using, go to the URL below:

           

          https://<WebAPIServer>/piwebapi/system/userinfo

           

          {
            "IdentityType": "WindowsIdentity",
            "Name": "PISCHOOL\\webapiuser",
            "IsAuthenticated": true,
            "SID": "S-1-5-21-36!@#$%!787-44xxxxx90-33xxxxxxxxx44-1114",
            "ImpersonationLevel": "Impersonation"
          }

           

          The IsConnected property for that particular AF Server itself is not really important as a connection to AF is mostly stateless. If it's needed, it will be connected.

            • Re: PI WebAPI misconfiguration - Can access Points but no AF elements/attributes?
              Jouni

              Did you use the same identity to RDP into the machine? What authentication method are you using?

              Same identity. Strangely enough, Web API AF access starts working after accessing https://localhost/webapi in the RDP session; using https://<FQDN_OF_WEBAPISERVER>/webapi does not change anything.

               

              Checking with af server admin if you have access to customer's AF Server/afdatabase seems to be the first priority.

              I can access the AF server/database using PI System Explorer so I assume AF permissions are ok.

               

              {
                "IdentityType": "WindowsIdentity",
                "Name": "....",
                "IsAuthenticated": true,
                "SID": "S-1-5-21-1659004503-362288127-839522115-46149",
                "ImpersonationLevel": "Impersonation"
              }

               

              Thanks for clarifying the meaning of the IsConnected flag.

              Based on the response time of the first request to https://localhost/webapi in the RDP session, it looks like the server is doing some initialisation.

              The first load takes a long time to complete; after that AF is accessible and fast through WebAPI on both localhost and FQDN address bindings.

                • Re: PI WebAPI misconfiguration - Can access Points but no AF elements/attributes?
                  jyi

                  Have you gotten the message below before?
                  "Errors": [
                    "Cannot connect to server 'AFServerName'. It may be that the impersonated client user account cannot be delegated to the remote AF Server."
                  ]

                   

                  If so, I would consider if 'constrained delegation' is configured for the PI Web API's Kerberos setting.

                   

                   

                  If not, what error message do you get when you do:

                  1) Connect to your PI web api server remotely using FQDN?

                  2) Navigate your AssetServers > Databases link

                  "Databases": "https://<WEBAPISERVER>/piwebapi/assetservers/F1RSMgfWBv0GMUyvfXrkrTO19QTVJQLVBJQVBQLVAwMQ/assetdatabases"

              • Re: PI WebAPI misconfiguration - Can access Points but no AF elements/attributes?
                James Devine

                Hi Jouni:

                 

                It is possible your user account is not authorized to access the data on that AF Server, (crazy right?). If you are running this in a development environment you can be a little more explicit in allowing yourself access. In a production environment you need to set up Kerberos and proxy authentication.

                 

                If you are working in a development environment, and I assume you have administrative rights on the AF Server, then if you have not already done so, be sure you have set up your chain of identities and mappings for yourself. Depending on your situation you may need an AF Administrator to set this up. Open PI System Explorer on the target AF Server. Click [File] on the main menu. Then click [Server Properties...]. This launches the 'PI AF Server Properties' dialog. Open the [Mappings] tab. Here is where you "map" your Windows user account to a PI AF "mapping". Typically the "mapping" name is the same as your Windows Active Directory User or Group name, but that is not a requirement.

                 

                Next, go to the [Identities] tab, and in your case (in development) you probably want to add your "mapping" to the "Administrators" identity or another identity with lots of access. Right-click on "Administrators" and select [Properties], which launches the "Identity Properties" dialog. Choose the [Mappings] tab and here you can add your "mapping" to the "Administrators" identity.

                 

                AF Identities are the key to accessing anything in your AF database. You can allow access to everything or nothing using AF Identities.

                 

                If you have successfully added yourself to the Administrators group or some other group you can go make sure that group has full access to the target AF database.

                 

                I am assuming you want the most access possible so take my advice here with the cautionary note this is not how you want to set it up in production.

                 

                Open your target AF Database in PI System Explorer. In the Elements mode, right-click on the highest node of the element tree 'Elements' and click [Security...] on the popup menu. This launches the "Security Dialog" for this AF Database. Here the AF Identities are in the left-hand pane, and their access permission check boxes are in the right-hand pane. You can decide how much or how little permission to allow. Finally select the 'Child Permissions' in the lower left. You can cascade this all-access permission to all the children in the element tree.

                 

                You may have to restart PI Web API, but this most often passes your identity via the PI Web API to the AF Database and therefore allows you to view the data.

                  • Re: PI WebAPI misconfiguration - Can access Points but no AF elements/attributes?
                    Jouni

                    This got me on track when figuring out the problem....  which was, embarrassingly enough, user error

                     

                    In the end it turned out that we had 2 servers running PI Web API: one on the AF server and another on a separate server for PI Vision.

                    Due to the server naming, I was going to PiVisionServer/piwebapi thinking it's our only webserver with WebAPI, while in reality AFServer/piwebapi was the correct endpoint.

                     

                    Behaviours I've seen, especially the AF connection coming alive after logging locally to AFServer, have been a bit confusing, but at least I can now get started with the actual development task.
                    Thank you Jimno Yi and James for helping me out.
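
The checks suggested in the replies above, combined into one triage function, as an added example that is not part of the original thread or any OSIsoft code: it compares the host serving PI Web API with the AF server reported by /assetservers, the ImpersonationLevel from /system/userinfo, and any debug-mode error text. The host names and sample responses are constructed, and the rule that an AF server on another machine needs a delegable token is an assumption based on the delegation error quoted in the thread.

```python
import json
from urllib.parse import urlparse

def short_host(name):
    """Lower-cased host label without domain suffix or leading backslashes."""
    return name.lstrip("\\").split(".")[0].lower()

def triage(base_url, userinfo, assetservers, af_error=None):
    """Classify why AF calls may fail on one PI Web API endpoint."""
    findings = []
    api_host = short_host(urlparse(base_url).hostname)
    if not userinfo.get("IsAuthenticated"):
        findings.append("not-authenticated")
    # Error text quoted in the thread; it is only returned with debug mode on.
    for err in (af_error or {}).get("Errors", []):
        if "cannot be delegated" in err:
            findings.append("delegation-failure")
    for srv in assetservers.get("Items", []):
        af_host = short_host(srv.get("Path", ""))
        # AF on another machine means a second hop with the caller's identity.
        # Assumption: that hop needs a delegable token (Kerberos delegation).
        if af_host != api_host and userinfo.get("ImpersonationLevel") != "Delegation":
            findings.append("second-hop-without-delegation:" + af_host)
    return findings

# Constructed sample responses; host names are hypothetical.
USERINFO = json.loads('{"IdentityType": "WindowsIdentity", "IsAuthenticated": true,'
                      ' "ImpersonationLevel": "Impersonation"}')
ASSETSERVERS = json.loads(r'{"Items": [{"Name": "AFSERVER01",'
                          r' "Path": "\\\\AFSERVER01", "IsConnected": false}]}')
AF_ERROR = {"Errors": ["Cannot connect to server 'AFServerName'. It may be that the "
                       "impersonated client user account cannot be delegated to the "
                       "remote AF Server."]}

def demo():
    """Triage the same identity against a remote and a co-located endpoint."""
    remote = triage("https://pivision01.example.test/piwebapi",
                    USERINFO, ASSETSERVERS, AF_ERROR)
    local = triage("https://afserver01.example.test/piwebapi",
                   USERINFO, ASSETSERVERS)
    return remote, local

if __name__ == "__main__":
    for name, result in zip(("remote", "local"), demo()):
        print(name, result)
```

The short-name comparison is a heuristic: an alias or load-balanced name for the AF host would be reported as a second hop even when PI Web API runs on the AF server itself.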