6 Replies Latest reply on Sep 26, 2018 12:45 PM by jdryden

    PI Vision -  slow to load over domain trust

    rmeyskens

      We are trying to access a vision server over a one way windows domain trust. The application takes 10 or more seconds to load.

       

      Vision server - domain A

      End clients - domain B

       

      Domain A trusts the users from domain B. Opening vision on domain A is fast with no delays. Once vision is open, I can open a new web browser and it opens immediately, however if I let the browser sit for 30 seconds or more then it takes 10 seconds plus to load up again.

      Does anyone have any ideas what could be causing these slow downs? I have tried disabling all the firewall rules between the machines and that did not make any difference.

        • Re: PI Vision -  slow to load over domain trust
          Steve Boyko

          Is there any chance the problem is at the server side? Is the Vision server sharing resources with other applications?

           

          I suggest you press F12 in your browser to open the developer tools. Select the Network tab, and observe the traffic that happens and any errors that occur after it sits idle and then you reload.

          1 of 1 people found this helpful
          • Re: PI Vision -  slow to load over domain trust
            jdryden

            Hi Randy,

             

            Authentication across domain trust boundaries can introduce latency in the authentication requests, sometimes resulting in significant delays depending on the nature of the domain trust relationship. This MS blog post does an excellent job of explaining how this scenario can become a problem when using NTLM authentication. I would guess that you are being affected by similar authentication slowness as described in that post.

             

            If you are using a Forest trust (instead of an external trust), you may be able to use Kerberos authentication across the domain trust boundary to authenticate to PI Vision. Doing so usually requires accessing PI Vision by a fully qualified domain name (FQDN) with a suffix that matches the target domain (Domain A in your example).

             

            Details on the types of domain trusts and the effects they can have on PI Vision can be found in KB01709 - Kerberos Delegation across multiple domains.

             

            --James

            7 of 7 people found this helpful
              • Re: PI Vision -  slow to load over domain trust
                Roger Palmen

                Very helpful reply. This should be included into the PI Vision manuals too!

                 

                We've had similar issues in a recent project, and before you found the root of your performance problems, you are at the end of your project. While you should have tackled this problem at the very first design and architecture stages of your project...

                 

                Floris Zwaard: must read!

                  • Re: PI Vision -  slow to load over domain trust
                    Floris Zwaard

                    Thanks Roger Palmen!

                    The option for external trust to allow Kerberos authentication with Kerberos Forest Search Order (KFSO) definately new to me! As this talks all about SPN's I have no answer jet if this would work with RBCD(Resource-Based Contraint Delegation) though...

                    So if DC's are 2008R2 or higher, kerberos authentication(and therefor (Kerberos) delegation) IS possible with External domain trusts! It requires also changes on the trusted(ACCOUNT in the example) domain controllers though! And not really well supported for what I understand.

                    Here is a very detailed explenation:

                    https://jorgequestforknowledge.wordpress.com/2011/09/14/kerberos-authentication-over-an-external-trust-is-it-possible-part-6/

                     

                    James Dryden, under Two Way Trusts scenario it states; "For two-way external trusts..... " Is that true? Or should that be "For two-way domain trusts.... " ?

                    Sorry, when reading again I see the requirement for 'protocol transition'. This means Basic Authentication.

                     

                    Randy Meyskens did you check after you got authenticated in PI Vision from the trusted domain, you can actually get a trend with data from PI Data Archive? In other words do you know if it uses Kerberos authentication(and if delegation works). If so, and it is an external trust indeed, it could well be the delay mentioned in the last paragraph of KB01709 - Kerberos Delegation across multiple domains.

                    If no kerberos authentication is used then the delay can be caused of the 'negotiate' or protocol transition(if basic authentication is enabled as well) process.

                    It means the client browser(IE by default) will try kerberos first and if it finally fails uses NTLM or basic.

                    1 of 1 people found this helpful
                      • Re: PI Vision -  slow to load over domain trust
                        jdryden

                        Hi Floris,

                         

                        A word of caution about KFSO -- Microsoft has specifically cautioned that KFSO was not intended to provide Kerberos authentication over an external trust. See the "More Information" section of KB 2977475. That said, if an AD administrator can weigh the risks of negative impacts and they are acceptable, then it may be a way to "hack" an external trust into working with Kerberos auth.

                         

                        Also, a clarification about mentions of protocol transition in KB01709 -- this is referring to a transition from NTLM to Kerberos using the S4U2self extension. In general, when PI Vision uses Basic authentication to authenticate its users, Kerberos delegation is no longer a concern since IIS possesses the user's plaintext credentials and can construct an impersonation-level Windows token from them. This token can then be used to impersonate the end user in connections to remote resources, without needing to use Kerberos authentication/delegation for that impersonated connection. In other words, when using Basic auth in PI Vision, the connections to the PI/AF Servers can use NTLM without any issue.

                         

                        --James

                        4 of 4 people found this helpful
                  • Re: PI Vision -  slow to load over domain trust
                    rmeyskens

                    Thanks for the replies. I will have our system admin take a look at some of these suggestions.

                     

                    Once the Vision loads we are able to get data from the PI Data Archive and AF.