18 Replies Latest reply on May 23, 2012 8:01 PM by jlakumb

    Connect to a PI Server using a network credential

    snepes

      Hi,

       

      I need to connect to a PI Server using a network credential. Is that possible?

       

      I'm wondering if there is something in PISDK like the AF SDK method Connect(NetworkCredential).

       

      Thanks!

       

      Ludmila Lopes

        • Re: Connect to a PI Server using a network credential
          Ahmad Fattahi

          Please take a look at the IServerConnect interface of the Server object in the PI SDK user manual. The IServerConnect interface is a secondary interface supported by the Server object. The interface has properties and methods to support the enhanced security model introduced with the 3.4.380 PI server.

            • Re: Connect to a PI Server using a network credential
              snepes

              Ahmad,

               

              Could you send me a sample? I didn't find anything related in the PI SDK user manual.

               

              Thanks for your help.

               

              Ludmila Lopes

                • Re: Connect to a PI Server using a network credential
                  Ahmad Fattahi

                  Sure! The best resource is section 7.7 in the PI Application Development Training Course available in the Training Center. It explains different methods of connection to the PI Server and follows up with examples and best practices in each method (examples are on pp. 45-46 in the current version of the book).

                    • Re: Connect to a PI Server using a network credential
                      lgferrao

                      Hi Ahmad,

                       

                      I work with Ludmila... I'll try to explain more about our scenario...

                       

                      We built a component to make transparent for us getting data in AF and PI.

                       

                      Each application must send to this component a user network key or an application network key to be used to authenticate in AF and PI. These keys are authorized to read data in AF and PI.

                       

                      This network key is used to connect with AF in this way:

                       

                      PISystem pisystem = systems["pisystemname"];
                      pisystem.Connect(new NetworkCredential("domain\\key", "password"));

                       

                      This works fine to connect with AF, but not to PI.

                       

                      We hope that, transparently, the same network credential used to connect in AF was used to connect in PI.

                       

                      But in tests with an application published in IIS, we perceived that the PI server received the process user of IIS, not the network credential defined.

                       

                      What could we do to force the PI server to receive the network credential?

                       

                      The solution must comply with stand alone apps, asmx web services and WCF too.

                       

                      Thanks, again, for your help.

                       

                      Luis Ferrão.

                        • Re: Connect to a PI Server using a network credential
                          Ahmad Fattahi

                          Luis,

                           

                          I don't know if you had a chance to review the reference I provided in my previous post. For PI Server, you would need to define a PISDK.Server object and then use the Open() method to open a connection. You can specify connection options, such as user name and password, in a connection string that you would pass along. Here is an example from the document I mentioned above. I have to mention that this is only one way to make the connection to PI Server. I would encourage you to review the above documents that discuss in detail different methods. You can choose the one that best suits your requirements.

                           
                          'Variables / Objects.
                          Dim MyPISDK As New PISDK.PISDKClass
                          Dim PIServer As PISDK.Server
                          Dim ConnectionString As String = Nothing
                          
                          'Set a unique identifier for your application.
                          MyPISDK.Identifier = "00000000-0000-0000-0000-000000000000"
                          
                          'Set the Connection String.
                          ConnectionString = "UID=piadmin;PWD=piadmin;SERVERROLE=Any;"
                          
                          'Set a reference to the PI Server.
                          PIServer = MyPISDK.Servers.DefaultServer
                          'Open the connection
                          PIServer.Open(ConnectionString)
                          

                          Also note that PI Server and AF Server are two different servers each with its own SDK.

                           

                          As for PI Web Services, it is a different Data Access technology into the PI System (both PI Server and AF Server). It is quite different than the SDKs you mentioned above. This vCampus-exclusive Webinar gives a very good overview and understanding of the technology and its use cases.

                           

                           

                            • Re: Connect to a PI Server using a network credential
                              snepes

                              Ahmad,

                               

                              Maybe we didn't make ourselves clear.

                               

                              We already tried this approach and we didn't succeed because the user specified in the connection string is a PI User, not a network credential as we need.

                               

                              As Luis Ferrão said: "We hope that, transparently, the same network credential used to connect in AF was used to connect in PI." but it doesn't happen. PISDK always uses the user that is logged in on the machine (stand alone applications) or the process user of IIS.

                               

                              In other words, our application is able to connect to AF but when we try to get a value (PIPoint), we receive an error message because the user that pisdk is sending doesn't have enough privileges on the PI Server.

                               

                              Thanks for your help.

                                • Re: Connect to a PI Server using a network credential
                                  Ahmad Fattahi

                                  OK, now I see it better. So we can connect but the user doesn't have sufficient privileges on the PI Server or the specific PI tags? Can you create a mapping on the PI Server to map the Windows user to a PI identity with sufficient privileges? This way you can use implicit connect to the PI Server and then take care of the identity mapping on PI Server.

                                    • Re: Connect to a PI Server using a network credential
                                      hanyong

                                      I am going to offer a different perspective from Ahmad regarding your question here, because it seems to me that you are looking for a similar way to pass specified credentials to PI Server for authentication, pretty much like how it works in AF SDK with the PISystem.Connect(NetworkCredentials nc) method.

                                       

                                      There is no equivalent method in PI SDK where you can pass domain credentials as a connection parameter. And you are right that if we specify a username and password in the connection string in Server.Open, it is taken to be a PI User credential, not a Windows or domain credential.

                                       

                                      In this case, you probably have to look at performing IIS impersonation such that your desired credentials are passed to PI Server for authentication. There are some older discussions regarding this. You can look at them here, or here.

                                       

                                      Can I also ask if your application on IIS is authenticating the users? Is it an intranet application that authenticates using the user's domain credentials, or is it an application that is exposed to users on the internet where you do form authentication or accept anonymous connections? This would affect how you should be configuring IIS.

                                       

                                      Hope this helps

                                      • Re: Connect to a PI Server using a network credential
                                        lgferrao

                                        Hi Ahmad,

                                         

                                        We guarantee that the user we were using to connect to AF and PI has all the necessary privileges to perform what we want in each server.

                                         

                                        We tried to use a code like this:

                                         

                                        // Defining the connection to AF...
                                        PISystem pisystem = systems["pisystem_name"];
                                        pisystem.Connect(new NetworkCredential("domain\\key", "password"));

                                        // Forcing the connection to PI servers referenced in AF database...
                                        PISDK.PISDK sdk = new PISDK.PISDK();
                                        Server server = sdk.Servers["pi_server_name"];
                                        server.Open("UID=domain\\key;PWD=password;SERVERROLE=Any;");

                                         

                                        But the last line produces the following error message (exception): "Unable to open a session on a server.  The user name and password may be incorrect."

                                         

                                        We guarantee that the user and password are correct!!

                                         

                                        So, our problem is to define a way to connect, forcibly or not, to piserver using the same credential key used for afserver.

                                         

                                        It's important to know that this credential key, in some applications, doesn't necessarily need to have any relation to the user that will use these applications. This is the main reason that impersonation, as proposed by Han Yong, doesn't work in our case.

                                  • Re: Connect to a PI Server using a network credential

                                    Luis Gustavo Ferrão

                                    We built a component to make transparent for us getting data in AF and PI.
                                    This statement is intriguing to me... I would like to better understand what you are trying to achieve - and, especially, if you had to put this together because of a shortcoming in our PI Data Access family (e.g. PI Web Services).

                                     

                                    I would appreciate if you could please share more details about this, either here in public or you can contact me in private at spilon@osisoft.com, if some of that stuff is more sensitive.

                                      • Re: Connect to a PI Server using a network credential
                                        jlakumb

                                        Ahmad Fattahi

                                        Also note that PI Server and AF Server are two different servers each with its own SDK.

                                         

                                        This statement is correct; however, the goal is to move towards a common "PI System SDK" which provides data access to the full capabilities of the PI Server (time series, assets, event frames, notifications, etc.).  This vision was initially described by John Baier at vCampus Live! 2011 and again at UC 2012 in the PI System Roadmap talk.  The next release of PI AF 2012 will take a significant step in this direction with PI AF SDK and RDA -

                                         

                                        http://vcampus.osisoft.com/bloggers_place/b/pm/archive/2012/02/10/pi-af-sdk-rich-data-access.aspx

                                        • Re: Connect to a PI Server using a network credential
                                          lgferrao

                                          Hi Steve,

                                           

                                          We have an AF database with information about a large number of pieces of equipment, structured about a unique vision.

                                           

                                          However, our applications need their own vision about this structure, each one, in their business perspective.

                                           

                                          Trying not to replicate these data in databases or structures for each application, we created a component that allows us to create visions about this unique structure, based on queries about one element or families of elements.

                                           

                                          In addition, for each element we get in these queries, we get their pipoint values. For this reason we need to solve the problem put in this thread.

                                           

                                          This approach saves developers from worrying about the AF and PI SDK APIs (makes them transparent), because they use the simple component API, which is the same for .Net and Java languages.

                                            • Re: Connect to a PI Server using a network credential
                                              skwan

                                              Luis:

                                               

                                              To add to Jay's comment above, I encourage you to take a look at the AFSDK/RDA webinar here: vcampus.osisoft.com/.../15224.aspx

                                               

                                              If you're interested in exploring the AFSDK/RDA, you can download the CTP2 here.  It includes full documentation if you install the developer tools: [DEAD LINK] vcampus.osisoft.com/.../16129.aspx

                                                • Re: Connect to a PI Server using a network credential
                                                  lgferrao

                                                  Hi,

                                                   

                                                  I'll try to use the AFSDK/RDA package...

                                                   

                                                  However, it doesn't seem to me to be a reliable component, at this moment, to be used in production environments.

                                                   

                                                  So, I understand that PI SDK doesn't have any feature that allows connecting to PI Server using a network key, as we described in the previous posts.

                                                   

                                                  Am I right about these understandings?

                                                   

                                                  Thanks again!

                                                    • Re: Connect to a PI Server using a network credential
                                                      cmanhard

                                                      AF SDK 2012 (2.5) CTP2 build does not yet have the ability to connect to a PI Server using a Windows passed credential in this manner, only to the AF Server.  The method is exposed - PIServer.Connect(NetworkCredential) - but with the currently posted CTP2, it only functions with PI User/Password and not Windows User/Password.  It is our intent to have this issue addressed, but the CTP2 release will not be helpful for you in this regard.

                                                       

                                                      Chris

                                                        • Re: Connect to a PI Server using a network credential
                                                          jlakumb

                                                          Hi Luis,

                                                           

                                                          I just want to verify something about this discussion thread.  Are you looking to provide a specific username\password for a particular application?  In other words, will it *always* connect to the PI Server using one specific username\password (i.e. trusted subsystem):

                                                           

                                                          msdn.microsoft.com/.../aa905320.aspx

                                                           

                                                          Or, are you trying to impersonate the user and may connect using different credentials depending on who is the user?

                                                           

                                                          If it is the trusted subsystem model, then this works today.  However, if you actually need impersonation with alternate credentials, then it will require an enhancement on our side.

                                                           

                                                          Jay Lakumb, PI SDK PM

                                                            • Re: Connect to a PI Server using a network credential
                                                              jlakumb

                                                              Reply from Luis on 5/23/12:

                                                               

                                                              I'm answering this e-mail direct to you because I didn't find your post in the thread...

                                                               

                                                              I didn't know the concept of Trusted Subsystems... I'll read the paper that you indicated.

                                                               

                                                              Yes, I'm looking to provide a specific username\password for a particular application to always connect to PI Server using it. This username is a network credential key in our domain network. This key is properly associated to AF database and PI tags in the related servers.

                                                               

                                                              We have a presentation layer in Silverlight that connects with a WCF Service. This service provides a tree of elements and attribute values, like the model used in AF. The tree of elements is obtained from the AFElements structure (a view of them). And the attribute values are obtained from PI. We connect to AF using this username and hope to do the same with PI (transparently or not).

                                                               

                                                              We send the user credential in service calls, but use it for other purposes. To connect to PI and AF we always want to use a specific username/password.

                                                               

                                                              Could you explain how we can configure our application/servers to achieve this goal?

                                                               

                                                              Thanks a lot!

                                                                • Re: Connect to a PI Server using a network credential
                                                                  jlakumb

                                                                  Ok, this sounds like the trusted subsystem model.  Note that this is appropriate when security is handled at the application layer.  For example, users are authenticated and authorized by the application, which then connects to the PI System using an account that has full access to the PI System data.

                                                                   

                                                                  PI Web Services supports the trusted subsystem model (see Enable or Disable Impersonation in the User Guide), and all web service calls are granted access to PI Server through PI Trust using the IIS application pool identity.  Since you have a custom web service, perhaps you can try to use a similar configuration?

                                                                   

                                                                  Let us know if this works or if you have more questions.
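
The trusted subsystem model described in the last reply, sketched in C# as an added example (not code from the thread or from OSIsoft): the service authorizes and audits each caller itself, because the PI Server sees only the application pool identity. The policy table, the readTag delegate (a stand-in for the PI SDK read) and all sample names are assumptions; WindowsIdentity assumes a Windows host.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Trusted-subsystem gateway: callers are authorized here, at the application
// layer; the back end only ever sees the service (application pool) identity.
public sealed class TrustedSubsystemGateway
{
    // Hypothetical policy: role name -> tag prefixes that role may read.
    private readonly Dictionary<string, string[]> _policy;
    // Hypothetical stand-in for the PI read performed under the service account.
    private readonly Func<string, double> _readTag;
    private readonly Action<string> _audit;

    public TrustedSubsystemGateway(Dictionary<string, string[]> policy,
                                   Func<string, double> readTag,
                                   Action<string> audit)
    {
        _policy = policy; _readTag = readTag; _audit = audit;
    }

    public double Read(IPrincipal caller, string tag)
    {
        if (tag == null) throw new ArgumentNullException("tag");
        if (caller == null || caller.Identity == null || !caller.Identity.IsAuthenticated)
            throw new UnauthorizedAccessException("Caller is not authenticated.");

        bool allowed = false;
        foreach (var entry in _policy)
        {
            if (!caller.IsInRole(entry.Key)) continue;
            foreach (var prefix in entry.Value)
                if (tag.StartsWith(prefix, StringComparison.OrdinalIgnoreCase)) allowed = true;
        }

        // The server-side log shows only the service account, so record the real caller here.
        string service = WindowsIdentity.GetCurrent().Name;
        _audit(string.Format("{0:o} caller={1} service={2} tag={3} allowed={4}",
            DateTime.UtcNow, caller.Identity.Name, service, tag, allowed));

        if (!allowed)
            throw new UnauthorizedAccessException("Caller may not read " + tag);
        return _readTag(tag);
    }
}

public static class Demo
{
    public static void Main()
    {
        var policy = new Dictionary<string, string[]> {
            { "Operators", new[] { "PLANT1." } }
        };
        var gateway = new TrustedSubsystemGateway(policy, tag => 42.0, Console.WriteLine);

        // Constructed sample caller; in a WCF service this would come from the request context.
        var alice = new GenericPrincipal(new GenericIdentity("CORP\\alice"), new[] { "Operators" });

        Console.WriteLine(gateway.Read(alice, "PLANT1.PUMP7.FLOW"));
        try { gateway.Read(alice, "PLANT2.BOILER.TEMP"); }
        catch (UnauthorizedAccessException ex) { Console.WriteLine("Denied: " + ex.Message); }
    }
}
```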