AnsweredAssumed Answered

Deploy/Publish PIVision to Internet Error 401 Unauthourized

Question asked by SeanLi on Aug 16, 2018
Latest reply on Aug 17, 2018 by SeanLi

Hi Everyone,

 

Sorry, I didn't finish the question on the previous disscusion.

We have a client who wants to deploy PI Vision to the internet with third party certificate.

 

Situation:

Kerberos Delegation Okay

Ethernet visit Okay (Manually edit host file on local machine for clients who are in the ethernet but not in the domain are also okay)

Third parrty Certificate Okay (Ethernet visitors are able to visit pivision with domain account and "Green Lock" appeared on the left corner of the browser)

Data retrieving Okay (With the correct authetication and authourization assgining)

PI WebAPI works Okay

 

Starting from here, we are planning to deploy pivision to the internet per client's request.

They have bought a public DNS, the domain name and have public IP. They bind the PI Vision web server to the public IP using DNS A record pointing.

 

Problems:

We are able to PING the full FQDN of pivision web server (pivision.mydomain.com), and it responds with the correct public IP.

However, when we visit with the corrent URL (https://pivision.mydomain,com/pivision) in brower on the Internet. It keeps prompting with the login window even if we enter the correct account (Domain\MYPivisionAdminAccount) and gave us the 401 Error. This account is able to be used to log on PI Vision system with no errors in the Ethernet.

 

When we checked the Event Log on PI Vision Web Server, it has no related authentication records/logs for visitors who are trying to visit the server on the internet. We believed that the account info never reached to PI Vision Web Server.

Note: We have not set up any IIS users. We only use domain accounts.

 

Related Configurations:

Windows Authentication in IIS: Enabled (Negotiate)

Basic Authentication in IIS:Enabled

Anonymous Logon in IIS: Enabled (Use application pool identity)

Application Pool in IIS: use the domain service account with the correct rights

Configuration Editor in IIS: UseAPPPoolAccount: True; Use Kernal Mode: False

SSL Setting in IIS: Required SSL(Q), Client Certificate: Ignore

IE Browser: Added the site as safe site and configured the security (automatically use current user name and password to log on)

Other Browsers: same error

No Proxy Server or any other setting except for DNS A record pointing.

 

Please inform, any thoughts, any additional configurations or setup need to be done while deploying PI Vision to the internet. There is not much info in the document. I am not very fimilar with tracing the cookies or anything similar to find out where the Login request are sent to.

 

Thank you for your time!!!!

 

Yuxiang Li

 

Outcomes