Steve Boyko

PI Performance Equation Difference in PI 2018 SP3 Patch 1

Discussion created by Steve Boyko Champion on Apr 17, 2020
Latest reply on Apr 20, 2020 by afink

I wanted to highlight one key difference in the latest version of the PI Data Archive, PI 2018 SP3 Patch 1. This patch is a security update to fix a few issues, but it also brings one key difference in how PI services run on the Data Archive server.

 

The release notes state: "All subsystems are now running under Least Required Privileges"

 

This means that any PI services that used to run as Local System will now run under a much lower privilege account. Practically it means that interfaces that run on your PI Data Archive server - like PI Performance Equation Scheduler - now run as a different account and may not authenticate to your PI server the same way.

 

I encountered this with a test system where PI Performance Equation Scheduler would not start, failing to connect with the dreaded "No Trust" error:

New Pinet 1 connection: PipeE No Trust established for: machinename|127.0.0.1|PipeE. Explicit login is required for access.

 

and issuing an Error -10400: pipt_nextptwsourcelong failed for point source UI_IF_INFO error.

 

A quick look at the Windows services shows that PI Performance Equation Scheduler is running as NT SERVICE\pipeschd now.

 

One fix is to add a trust to match the PipeE application name, and the PI Data Archive server's IP address, to map to an identity that has enough privilege.

 

I see this security fix as a positive change, but it can introduce little quirks like this. Please test before implementing new versions of PI!

 

EDIT: The reason why this wasn't working for this test system was because the "loopback trust" Proxy_127 that maps all connections from 127.0.0.1 wasn't present on this test system.

Outcomes