11 Replies Latest reply on Dec 13, 2013 4:25 PM by cmanhard

    AF.PI Connection

    francisbeliveau

      Hi,

       

      I'm currently developing a Windows service which connects to PI using OSIsoft.AF.PI.PIServer.Connect(). The "Log On As" option of our service is set to a Windows account trusted by AF. This setup works perfectly.

       

      The disadvantage of this setup is every time we reinstall our application we have to set again the option "Log On As" and we would like to avoid this supplementary step in the installation process. So, I tried to use OSIsoft.AF.PI.PIServer.Connect(NetworkCredential) where the network credential contains the same settings (domain , user, password) as the "Log On As" options. Unfortunately, I receive a PI exception every time saying  "Insufficient privilege to access PI Server". 

       

      I don't understand why the second way doesn't work.

       

      Could someone enlighten me about this issue?

       

      Thanks!

        • Re: AF.PI Connection
          Lonnie Bowling

          Hi Francis,

           

          I have had the same issue, are you trying to log-on to a server that is part of the same domain as the client? In my situation I am trying to connect to a PI server on a work group and was planning to open a support call but I have not had time. Are you seeing anything in the PI server logs where it tried to authenticate but faile? If I get an answer to my problem I will post here. Right now I think there is a problem with the SDK when passing Network Credentials using the new AF.PI namespace.

           

          Lonnie

            • Re: AF.PI Connection
              francisbeliveau

              Hi Lonnie,

               

              Well I'm in the same situation as you. Internally, our PI server is located on a workgroup machine. I didn't have the time to dig in the server log but it is something I would do as soon as I can.

               

              Thanks for the info.

                • Re: AF.PI Connection
                  David Hearn

                  Francis, is the PIServer on the local machine as your service? If it is local, you may have an issue with UAC and not being an elevated user. It would be useful to know how you have your trust setup.

                   

                  Lonnie, you may have an issue with the 'Sharing and security model for local accounts' in the Local Security Policy setting. By default it will be 'Guest only' for a stand-alone computer.

                    • Re: AF.PI Connection
                      francisbeliveau

                      My service runs on my dev machine and this machine is in the business domain.

                       

                      The PI server is running in a virtual machine located on a server running a bunch of virtual machines with Hyper-V. All these virtual machines are in workgroup.

                       

                      On the virtual machine running PI, I created an user account matching my user name and password on the business domain.  The setup works for everything (service log on as me, PI System Explorer, etc.) except when I try to connect via OSIsoft.AF.PI.PIServer.Connect(NetworkCredential).

                       

                      For the trust setup:

                       

                      The user account matching my user in the business domain is added in the Mappings & trusts section under PI Identity: piadmin. The security settings is at the minimum which is Disable blank passwords

                        • Re: AF.PI Connection
                          Marcos Vainer Loeff

                          Hi Francis,

                           

                          If you take a look on the manual you will find the following description for the  Connect(NetworkCredential) method:

                           

                          “Open a connection to the PI Data Archive using the specified PI User credentials to allow sending and retrieving data.”

                           

                          Therefore, NetworkCredential should be used to authenticate a PI User and not with a domain account. I have tested it on my development environment.

                           

                          Let me find the proper way to connect using your domain credentials.

                            • Re: AF.PI Connection
                              David Hearn

                              The ability to specify a domain account when connecting to a PI Server using NetworkCredentials was added in the upcoming 2.6 release and is available in the beta release. In the 2.5 release, only PI User credentials are allowed.

                               

                              If you are running on the same domain, you can change your code to impersonate the specified account on your current thread before calling the OSIsoft.AF.PI.PIServer.Connect() method without specifying network credentials. The following article shows an example of how to use Windows Impersonation:  http://www.codeproject.com/Articles/4051/Windows-Impersonation-using-C.

                               

                               

                                • Re: AF.PI Connection
                                  francisbeliveau

                                  Thanks Marcos and David for the information. I'll take a look at it.

                                   

                                  Just to inform you, I installed the PI Asset Framework (PI AF) Client 2012 SP2 recently  (msi version 2.5.0.151) and in the SDK documentation (AF SDK Programming Reference.chm), the description for Connect(NetworkCredential) method is :

                                   

                                  "Open a connection to the PI Data Archive using the specified credentials to allow sending and retrieving data." which do not mention PI User credentials.

                                    • Re: AF.PI Connection
                                      David Hearn

                                      The SDK documentation was updated for the 2.6 release to be specific as to the type of credentials that are expected for the Connect method and a new Connect method was added which allows you to specify the Windows credentials.

                                        • Re: AF.PI Connection
                                          Lonnie Bowling

                                          Just to be clear, in version 2.5 you cannot use windows domain credentials to authenticate when using the AF.PI namespace, but in 2.6 you will be able to? This is actually a pretty big limitation as most systems I work on use windows security. PI security is considered deprecated, at least for user access. I'm glad to hear that 2.6 will have the added functionality.

                                           

                                          Lonnie

                                            • Re: AF.PI Connection
                                              Marcos Vainer Loeff

                                              Hi Lonnie,

                                               

                                              Yes, this feature will be available in version 2.6. I have tested on my VM using the following code snippet:

                                               

                                              PIServers myPIServers = new PIServers();
                                              PIServer myPIServer = myPIServers["MARC-PI2014"];
                                              System.Net.NetworkCredential myCredentials = new System.Net.NetworkCredential("username","password","domain");
                                              myPIServer.Connect(myCredentials, PIAuthenticationMode.WindowsAuthentication);
                                              Console.Writeline(myPIServer.CurrentUserName);
                                              
                                              
                                              

                                              Just download the beta version and try it!

                                               

                                              Hope this helps!!

                                                • Re: AF.PI Connection
                                                  cmanhard

                                                  Lonnie, Perhaps you are misunderstanding.  In AF 2.5, you certainly can authenticate with your windows credentials if you are logged in with your windows credentials.  To date, PI has never allowed passing explicit windows credentials to the connect - you always needed to use the credentials of your thread - this is true for PI SDK as well.  The preferred mechanism to provide your credentials is to logon in and impersonate on the thread making the connection with the specific credentials, then using the normal connect() method.  An alternate method is to use the Windows Credential Manager to have your credentials auto-applied to the connection by Windows.  The method being implemented in 2.6 is there to handle the scenario when the two options above don't work, either because you are not on a trusted domain where you can logon, or, you are running as a computer account where access to the credential manager is not available.