7 Replies Latest reply on Dec 4, 2014 1:44 PM by mhalhead

    PI Security across domains

    ssinha39

      Hello,

      We have a PI Server located in one domain and a PI client on a different one. We can connect our client to the PI server using a PI username and password. Is it also possible to enable the single sign-on feature by any means, for example PI Trust?

      When the user tries to connect the client to the server, the Windows credentials are passed on to the PI server (for example domain/username and IP). We tried creating a trust for the domain/username and IP, but PI still doesn't authenticate the user.

      Do we have any method by which a cross-domain user can access the server without a PI username and password, just using single sign-on?

      Thank you.

      Shashank

        • Re: PI Security across domains

          Hello Shashank,

           

          There are additional aspects to be taken into account. Different Data Access products offer different options to authenticate with PI. Based on your question, I assume you are referring to PI SDK based clients. There's a client-side setting allowing you to enable and disable authentication methods and to specify their order. Please check with the PI SDK Utility -> menu "Connections" -> "Options" -> section "Specify Authentication Procedure" whether "PI Trust" is enabled and in first place.

          Troubleshooting connection issues is the daily bread and butter of our colleagues from Technical Support. They will be happy to assist you in a remote session. Please let us know if you would like to be contacted by an OSIsoft Technical Support representative.

            • Re: PI Security across domains
              mhalhead

              Hi Shashank,

               

              We are doing the exact same thing. All our PI and AF servers live on one domain (industrial) and the bulk of the users are on another (commercial). We have a trust relationship between the two domains. The trust means that the security token can be passed between the domains. There are some SPN challenges. To overcome this we typically use groups on the industrial domain which have the commercial domain accounts. This way the industrial DCs (Domain Controllers) do the authentication; the authorization is still handled via the PI products.

              If you can't use a trust you can make use of the Windows Credential Manager. I've done this on Win7+. The one issue is that the users need an industrial domain account.

              My recommendation is to go the trust route. We've had very few issues once this is set up correctly. Unfortunately the two domain admins do have to communicate.

                • Re: PI Security across domains
                  ssinha39

                  Hi Michael,

                   

                  Thanks for the idea. Can you please give me more detail on how to connect to the PI Server using Windows Credential Manager? I can easily connect to the AF Server using my industrial domain account. I want to check if I can connect AboutPI-SDK using Credential Manager.

                  Regards,

                  Shashank

                    • Re: PI Security across domains
                      mhalhead

                      Hi Shashank,

                       

                      With the Windows Credential Manager you simply add an entry for the PI server (fully qualified) and, if necessary, the AF server. The AF SDK will normally prompt the user for credentials but the PI SDK doesn't; using the Credential Manager overcomes this issue.

                      I would stress that using the Windows Credential Manager is a hack which is fine for a relatively small group of users. It isn't a maintainable solution for an entire enterprise. I should also mention that a number of enterprises disable the Credential Manager via AD policies. They actually do this for a "good" reason: if someone has a stale credential (i.e. the password has changed) the Credential Manager can cause the account to get locked out repeatedly, and it is very difficult to diagnose.

                      The screenshot below shows a dummy entry, similar to what I've used previously. You could also use the Generic Credentials if you have multiple servers.

                      [Screenshot: 1385.c.png]

                        • Re: PI Security across domains
                          Tony Fenn

                          Michael

                           

                          Thank you for the Windows Credential idea. I have been trying to solve a cross-domain connection to AF for several days without success, and this worked.

                          My application is a web server using AF SDK and IIS. I could not get it to pass the user credentials via code, although all seemed to work fine to connect and read/write AF with the same credentials used with Process Explorer.

                          You mentioned that Windows credentials are a 'hack' and earlier that trusts should be set up. Could you possibly post an example or screenshot of a cross-domain trust configuration, or point me to documentation on how to do this?

                          Thanks in advance - Tony

                            • Re: PI Security across domains
                              Marcos Vainer Loeff

                              Hi Tony,

                               

                              You need to have access to both domain controllers (each one from a different domain/forest) in order to set up a domain/forest trust. There are a lot of different options for these trusts, so please make sure you choose the one most appropriate for you. "Active Directory Domains and Trusts" is used to set up these trusts. Please refer to this video on YouTube that shows how to create one.

                              Anyway, it is worth checking if your IT department can help you to complete this task.

                                • Re: PI Security across domains
                                  mhalhead

                                  Hi Tony,

                                   

                                  As Marcos correctly pointed out, the trust I was referring to is an AD trust, not PI. To be honest I would have to talk to one of my domain admins to get the details. If you have the AD trusts then you don't need the Windows Credential Manager.

                                  For your scenario I would not recommend the Credential Manager. I would recommend one of the following:

                                  • Set up the AD trusts and use Kerberos authentication. This will require that you configure an SPN and allow delegation on the IIS pool account (read the Coresight documentation regarding SPNs, as it is the same thing). The reason that the SPN is required is that the user will authenticate to the web app, and the web app then has to pass the authentication on to the AF and PI servers.
                                  • Alternatively (if your AD admins aren't playing ball, or, like me, you find SPNs a pain) you can get the web app to authenticate by passing a .NET NetworkCredential object to the AF connection method (PISystem.Connect(NetworkCredential credential); see the AF SDK help). You can then use the AF Security object/class to determine the rights of the user on AF (the AF SDK help has quite a nice example on this). I honestly don't know how well this will scale; I've done it before with no noticeable performance impact. The recommended route is, however, Kerberos (above).
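As an added example (not code from the thread, from OSIsoft, or from any poster), the following C# console program shows the second option above: connecting to an AF server with an explicit NetworkCredential for an industrial-domain service account, and checking what that connected account is allowed to do on a database before the web app relies on it. The server FQDN, database name and environment variable names are placeholders, and the `GetSecurity(AFSecurityItem.Default)` / `AFSecurity.CanRead` members are assumptions based on the AF SDK help rather than something the thread states.

```csharp
// Added example, not from the thread. Assumptions: placeholder server/database names,
// secrets supplied via environment variables, and IAFSecurable.GetSecurity/AFSecurity
// as documented in the AF SDK help.
using System;
using System.Net;
using OSIsoft.AF;

public static class CrossDomainAfConnect
{
    // Connect as a dedicated service account in the domain that hosts AF (the
    // "industrial" domain in the thread). The password comes from the environment
    // here as a stand-in for the deployment's secret store; it should never be
    // embedded in source or in a clear-text web.config.
    public static PISystem Connect(string afServerFqdn)
    {
        string domain = Environment.GetEnvironmentVariable("AF_SVC_DOMAIN");   // e.g. INDUSTRIAL (placeholder)
        string user = Environment.GetEnvironmentVariable("AF_SVC_USER");       // e.g. svc_webapp (placeholder)
        string pass = Environment.GetEnvironmentVariable("AF_SVC_PASSWORD");
        if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(pass))
            throw new InvalidOperationException("AF service account credentials are not configured.");

        // Look the server up by its fully qualified name, the same form a
        // Credential Manager entry would use.
        var systems = new PISystems();
        PISystem ps = systems[afServerFqdn];
        if (ps == null)
            throw new ArgumentException("AF server is not in the known servers table: " + afServerFqdn);

        var credential = new NetworkCredential(user, pass, domain);
        ps.Connect(credential);   // PISystem.Connect(NetworkCredential), as cited in the post above
        return ps;
    }

    // Reports what the *connected* identity may do on a database. Because the web
    // app connects as one service account, these rights belong to that account,
    // not to the browsing user: per-user authorization must then be enforced in
    // the application, or you take the Kerberos delegation route so AF sees the
    // real user.
    public static bool CanReadDatabase(PISystem ps, string databaseName)
    {
        AFDatabase db = ps.Databases[databaseName];
        if (db == null)
            return false;
        AFSecurity security = db.GetSecurity(AFSecurityItem.Default); // assumption: per AF SDK help
        return security.CanRead;
    }

    public static void Main()
    {
        PISystem ps = null;
        try
        {
            ps = Connect("afserver.industrial.example");        // placeholder FQDN
            bool ok = CanReadDatabase(ps, "Production");        // placeholder database name
            Console.WriteLine("Service account can read 'Production': " + ok);
        }
        finally
        {
            // Always release the connection, even when the security check throws.
            if (ps != null && ps.ConnectionInfo.IsConnected)
                ps.Disconnect();
        }
    }
}
```

The important design point, which the post above also makes, is that connecting with a NetworkCredential moves the identity boundary into the web application: AF and PI only ever see the service account, so the application must itself decide what each browsing user may see. Kerberos with an SPN and delegation on the IIS pool account keeps that decision in AF and PI, which is why it remains the recommended route.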