Hello all,

Pi vision server connects to multiple data archives (no issue), however when it comes to connecting to asset server (AF), pi vision connects to 2 out of the 3 asset servers.

Navigating to PI vision admin page, when I click on the 'Test Connection' button, nothing happens, and the button displays a red 'X' instead of the green tick.

Also, from the pi vision server if we open Pi Sys. Exp, or AF, we can see the AF database of the other machine, so connection is established. We believe it's a security issue from pi vision side?

Any help is appreciated (refer to attached images. Both are from the pi vision server)

Cheers

Parents

0 Rimon over 1 year ago

Hello (Missing Content) The user has been mapped already, and I double checked - it is mapped as an "Administrator" on the AF server's machine.
MainelyInnovations I'm not familiar with what a delegation is. Also, how do I see the event logs? I'd be interested in viewing these.

Thanks everyone!
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 MainelyInnovations over 1 year ago in reply to Rimon

I hadn't looked at the App Pool user in the second image. As (Missing Content) mentioned, the IIS App Pool is running as Network Service. If you've verified that the App Pool for the Admin, Service, and Utility pools are running under the correct domain account, then restart the services and check that admin page again.

If the user running the App Pools is indeed Network Service, then change it to a proper domain account and ensure SPNs & Kerberos delegation are configured correctly.

App Pool location in IIS (you'll see mine are running as AD\SVC-PI-WEB$):

Here's information on setting up the SPNs & Kerberos delegation (note, this is for standard service accounts. I recommend gMSAs which requires a different procedure, but the AD team should be able to handle the task for you). Enable Kerberos delegation when AVEVA PI Vision uses a custom domain account
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 MainelyInnovations over 1 year ago in reply to Rimon

I hadn't looked at the App Pool user in the second image. As (Missing Content) mentioned, the IIS App Pool is running as Network Service. If you've verified that the App Pool for the Admin, Service, and Utility pools are running under the correct domain account, then restart the services and check that admin page again.

If the user running the App Pools is indeed Network Service, then change it to a proper domain account and ensure SPNs & Kerberos delegation are configured correctly.

App Pool location in IIS (you'll see mine are running as AD\SVC-PI-WEB$):

Here's information on setting up the SPNs & Kerberos delegation (note, this is for standard service accounts. I recommend gMSAs which requires a different procedure, but the AD team should be able to handle the task for you). Enable Kerberos delegation when AVEVA PI Vision uses a custom domain account
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

No Data