3 Replies Latest reply on Oct 15, 2018 3:29 AM by Eugene Lee

    Issue with PIWebAPI not connecting to Data Archive

    CarlB

      Hello,

       

      I’m trying to troubleshoot an issue with our PIWebAPI, using Basic authentication, not being able to get data from our PI Data Archive. Up front, I’m not super familiar with permissions in PI, so please forgive me if I sound like I have no idea what I’m talking about.

       

      Our setup looks something like this:

      [Image: netdiag.png]

       

      What we’ve done so far:

      • I have removed the second PIWebAPI Server from the load balancer for now to simplify troubleshooting.
      • Set the Authentication attribute to “Basic” on API1’s System Configuration.
      • On the API1 we created a local user (non-domain user) for the external client to use to access the PIWebAPI.
      • I have not created a mapping to this user on the AF database; I get this error when attempting to find the user: Cannot connect to the PI Data Archive. Windows authentication trial failed because the authentication method was not tried. Trust authentication trial failed because insufficient privilege to access the PI Data Archive.
      • If I manually type in API1\UserName I get an error that states: The account name is invalid.
      • We have done nothing regarding permissions to the PI Data Archive.

       

      Anonymous authentication works fine. The local user we created can authenticate to the PIWebAPI, but cannot get any data from the PI Data Archive. It fails with the following error: Cannot connect to the PI Data Archive. Windows authentication trial failed because the authentication method was not tried. Trust authentication trial failed because insufficient privilege to access the PI Data Archive.

       

      Kerberos is failing with the same error, but I can query the search database.

       

      I think that I either need to figure out the mapping issue on the AF server or we need to create a user on the PI Data Archive. So my primary question is, where is the breakdown happening, at the AF Server or the Data Archive? Also, any ideas why I’m having issues when trying to search for a user in the Mappings screen in the AF database (I believe this is an issue with the load balancer... are we missing a port or something on the LB; does it have to be done on each node individually)?

       

      Thank you!
      Carl

        • Re: Issue with PIWebAPI not connecting to Data Archive
          Eugene Lee

          I take it that you want to use Basic authentication for your PI Web API instance. If that is the case, I suppose that your machines are not in a domain. Otherwise, you should be using Kerberos authentication.

           

          For Basic authentication, the PI Web API instance will authenticate using NTLM with the end user account. See this Container Kerberos Double Hop blog with the table at the end.

           

          Therefore, to give the appropriate permissions for your PI Web API instance to authenticate to your PI Data Archive, you should give a PI mapping to the local end user. This local user will not exist on your PI Data Archive machine so you will need to create it manually with the same username and password as the one on the PI Web API machine. You will have to do the same for your AF Server machine (the reason why you have issues when trying to search for the user is because it doesn't exist!)

           

          Alternatively, you can give a PI trust to the PI Web API machine but that is not recommended. The most recommended way will be for your machines to be in a domain and proceed to use Kerberos authentication for your PI Web API instance. This will entail the correct configuration of Kerberos delegation for your environment which might be more complex if you are unfamiliar with it.

          3 of 3 people found this helpful
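
The account-mirroring step described in the answer above, as an added PowerShell example that is not part of the original thread or of any OSIsoft tooling. It assumes PowerShell remoting is enabled, that it is run by an administrator of the target machines, and that the host names (placeholders here) are replaced with the PI Data Archive and AF Server machines; the PI mapping and the AF mapping for the account still have to be created afterwards.

```powershell
# Added example. Host names are placeholders, not values from the thread.
$targets = @('PIDA-PLACEHOLDER', 'AF-PLACEHOLDER')

# Prompt once so the password never appears on the command line or on disk.
# Enter the bare user name (no MACHINE\ prefix) and the same password
# as the local account that already exists on the PI Web API server.
$cred = Get-Credential -Message 'Local account used for PI Web API Basic authentication'

$results = Invoke-Command -ComputerName $targets -ArgumentList $cred -ScriptBlock {
    param([pscredential]$Account)

    $name     = $Account.UserName
    $existing = Get-LocalUser -Name $name -ErrorAction SilentlyContinue

    if ($existing) {
        # Account already present: align the password so the NTLM
        # pass-through from the PI Web API machine matches.
        Set-LocalUser -Name $name -Password $Account.Password
        $action = 'password aligned'
    }
    else {
        # New-LocalUser adds the account to no local groups; leave it that way
        # and grant data access only through the PI and AF mappings.
        New-LocalUser -Name $name -Password $Account.Password `
            -Description 'PI Web API Basic auth mirror' `
            -UserMayNotChangePassword | Out-Null
        $action = 'created'
    }

    [pscustomobject]@{ Computer = $env:COMPUTERNAME; User = $name; Action = $action }
}

# One row per machine; a missing row means the remote call failed there.
$results | Format-Table Computer, User, Action -AutoSize
```

Because the accounts are matched by name and password only, a password change on any one machine has to be repeated on the others or the connection fails again.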
            • Re: Issue with PIWebAPI not connecting to Data Archive
              CarlB

              Eugene, thank you for the response!

               

              We do indeed want to use Basic authentication instead of Kerberos. All of the machines are joined to our domain, but we need to allow a third-party contractor to access the WebAPI from outside our network (we're white-listing IPs and have a certificate on the API load balancer to improve security).

               

              Just to verify I'm understanding correctly, we need to create the local user (with the same username and password) on the AF servers and the PI DA servers. Then create a mapping on the AF server to allow read access to the DA?

               

              Thank you!
              Carl