3 Replies Latest reply on Jul 27, 2013 1:19 AM by acote

    Notification Service across domains

    acote

      Hello vCampus,

       

      I am integrating a PI Notification component for a customer and it seems I can't work around the following error by myself:

       

      - My customer AF Server is under Domain A, the notification scheduler service runs with LocalSystem account. I got mapping for Domain A / User A to piadmin.

       

      - My development machine is under Domain B / User B and the notification scheduler service runs with LocalSystem account. I run the AF Client with Domain A / User A. When trying to reach the Notification Settings / Service tab, it indicates: A Call to SSPI failed, see inner exception. Which clearly indicates a Windows Integrated Security issue. The thing is that I can't run the notif scheduler service under Domain A / User A because the domain is unknown from B.

       

      What's the required configuration for allowing my development machine A to take over the notification scheduler service from B?

       

      Using PI/AF Server 2012, Notification 2012

       

      Thanks

       

      Alex

        • Re: Notification Service across domains

          Hello Alexandre,

           

          Just to be clear, the issue that you are facing is a Windows Security issue that manifests with PI Notifications because PI Notifications relies on Windows Security.

           

          I am not an expert on Windows security but to my understanding Domain A would have to trust Domain B to allow authentication. I assume that this is not considered a valid approach in your case. It usually works to overcome Windows Security issues in cross-domain environments by using local user accounts that have the same username and password on all nodes involved. I've never tried if using a domain user account on one end and a local user account on the other end works and hesitate suggesting this.

           

          Likely the best approach from my point of view would be using a machine within Domain A as development machine.

            • Re: Notification Service across domains
              mhamel

              @Alexandre: PI Notifications utilizes the PI AF Server to perform an Active Directory query using the LDAP protocol. This leverages the DirectorySearcher class to search for contacts. The DirectorySearcher object is instantiated with a URI formed with a specific domain and some organisational units (OU) to search from or an entire forest (GC) and some OUs to be more specific.

               

              AFAIK, there is no way to configure the PI AF Server to query domains outside the forest for now. Could you explain more why you need both domains not being part of the same forest?
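
The two kinds of search root described in the reply above (a specific domain/OU versus the forest-wide global catalog), shown with DirectorySearcher as an added PowerShell example; it is not part of the original thread and not PI AF Server code. The function name `Find-DirectoryContact`, the `example.local` paths, the OU name and the filter are constructed assumptions.

```powershell
# Added example. Paths, OU name and name prefix are constructed placeholders.
Add-Type -AssemblyName System.DirectoryServices

function Find-DirectoryContact {
    param(
        # LDAP://... searches one domain or OU; GC://... searches the forest's global catalog.
        [Parameter(Mandatory)] [string] $SearchRootPath,
        [Parameter(Mandatory)] [string] $NamePrefix
    )
    # Escape LDAP filter metacharacters (RFC 4515) so the prefix cannot alter the filter.
    $escaped = $NamePrefix -replace '\\', '\5c' -replace '\*', '\2a' `
                           -replace '\(', '\28' -replace '\)', '\29'

    $root     = New-Object System.DirectoryServices.DirectoryEntry($SearchRootPath)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    # objectCategory=person matches both user and contact objects in Active Directory.
    $searcher.Filter      = "(&(objectCategory=person)(mail=*)(cn=$escaped*))"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    $searcher.PageSize    = 500
    $searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'mail'))

    $results = $null
    try {
        # With no explicit credentials the bind uses the caller's Windows identity,
        # so a root in a domain that does not trust the caller fails here.
        $results = $searcher.FindAll()
        foreach ($r in $results) {
            [pscustomobject]@{
                Name = [string]$r.Properties['cn'][0]
                Mail = [string]$r.Properties['mail'][0]
                Path = $r.Path
            }
        }
    }
    catch {
        Write-Warning "Search under '$SearchRootPath' failed: $($_.Exception.Message)"
    }
    finally {
        if ($null -ne $results) { $results.Dispose() }
        $searcher.Dispose()
        $root.Dispose()
    }
}

# One domain, narrowed to an OU:
Find-DirectoryContact -SearchRootPath 'LDAP://OU=Operators,DC=example,DC=local' -NamePrefix 'al'
# Whole forest through the global catalog:
Find-DirectoryContact -SearchRootPath 'GC://DC=example,DC=local' -NamePrefix 'al'
```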

                • Re: Notification Service across domains
                  acote

                  Hi guys,

                   

                  Thanks for your answers on this matter. Indeed this is not a scenario that must be frequent across the users. However, as an integrator, we frequently have to connect to client domains from our own.

                   

                  @Mathieu: the purpose was to enable remote debugging on the PI Notification Scheduler service for stepping through my custom delivery channel code. I finally installed VS2010 and my project on a machine in the client domain, which solved the problem.

                   

                  Regards,

                   

                  Alex