Error when connecting to PI server with impersonated identity

Discussion created by jpospisil on Sep 26, 2013
Latest reply on Sep 30, 2013 by jpospisil

I've got WCF web service (RESTful) hosted on IIS web server 5.1 running on .NET Framework 4.0.


The service is configured to use Windows Integrated Authentication and impersonate caller's identity.


  <compilation debug="true" targetFramework="4.0" />    
    <deny users="?" />    
  <authentication mode="Windows"/>    
  <identity impersonate="true"/>  


From .NET code I'm trying to connect to PI server running on the same machine using PI SDK under original caller's identity. The AD account is configured on PI server and mapped to PI identity.


I'm creating a new STA thread before issuing the call to PI SDK (C# code), because web service runs in MTA and the impersonation is lost when crossing apartment boundaries:


            PiServerThread threadStart = new PiServerThread(piServer, WindowsIdentity.GetCurrent());
            Thread newThread = new Thread(new ThreadStart(threadStart.Run));




 And this is how I'm openning connection to PI server and retrieving PI identity:


                WindowsImpersonationContext impersContext = windowsIdentity.Impersonate();
                windowsIdentityName = WindowsIdentity.GetCurrent().Name + "(" + WindowsIdentity.GetCurrent().ImpersonationLevel + "-" +
                    WindowsIdentity.GetCurrent().AuthenticationType + ")";


                PISDK.PISDK piSdk = new PISDK.PISDK();
                PISDK.Server piServer = piSdk.Servers[piServerName];
                piIdentities = piServer.CurrentUser;






The code works fine if executed from the same machine where IIS and PI server are running. The WindowsIdentity has:
- ImpersonationLevel set to Impersonation
- AuthenticationType set to Kerberos (or NTLM, when executing with local user, not domain)




However, if the clinet is on a diferrent machine within the same AD domain, I get an error when opening connection to PI server:


Unable to open a session on a server. [-10733] PINET: RPC Resolver is Off-Line


In this case WindowsIdentity that I've impersonated looks different, it has:
- ImpersonationLevel set to Delegation
- AuthenticationType set to Kerberos


It seems like I cannot connect to PI server when Impersonation level is Delegation rather that Impersonation. Delegation is in my opinion expected, since the call is from remote machine.


Any help would be appreciated.


Thank you.