Steve Boyko

PI Performance Equation Difference in PI 2018 SP3 Patch 1

Discussion created by Steve Boyko Champion on Apr 17, 2020
Latest reply on Apr 20, 2020 by afink

I wanted to highlight one key difference in the latest version of the PI Data Archive, PI 2018 SP3 Patch 1. This patch is a security update to fix a few issues, but it also brings one key difference in how PI services run on the Data Archive server.


The release notes state: "All subsystems are now running under Least Required Privileges"


This means that any PI services that used to run as Local System will now run under a much lower privilege account. Practically it means that interfaces that run on your PI Data Archive server - like PI Performance Equation Scheduler - now run as a different account and may not authenticate to your PI server the same way.


I encountered this with a test system where PI Performance Equation Scheduler would not start, failing to connect with the dreaded "No Trust" error:

New Pinet 1 connection: PipeE No Trust established for: machinename||PipeE. Explicit login is required for access.


and issuing an Error -10400: pipt_nextptwsourcelong failed for point source UI_IF_INFO error.


A quick look at the Windows services shows that PI Performance Equation Scheduler is running as NT SERVICE\pipeschd now.


One fix is to add a trust to match the PipeE application name, and the PI Data Archive server's IP address, to map to an identity that has enough privilege.


I see this security fix as a positive change, but it can introduce little quirks like this. Please test before implementing new versions of PI!


EDIT: The reason why this wasn't working for this test system was because the "loopback trust" Proxy_127 that maps all connections from wasn't present on this test system.