
PI SQL Data Access Server (PI Integrators)

PI SQL DAS in a double-hop scenario

  • Last Updated Feb 27, 2023

In a double-hop scenario, the client application is on one computer, the middleware (PI SQL DAS) is on a second computer, and the resource that requires impersonated credentials (such as PI Server or PI AF Server) is on a third computer.

PI ODBC and PI SQL Client OLEDB use the Kerberos protocol for authentication to make this scenario work, but delegation must be enabled for PI SQL DAS. Because PI SQL DAS runs under a virtual service account, you must enable delegation for the machine account itself. A domain administrator configures this setting on the domain controller.

Note: A double-hop can only occur if Trusted Connection (TRUSTED CONNECTION=YES) is specified for the client connection or a domain user account is provided. This is because the original authentication occurs on the client. If the driver is provided with a local user name and password, the information is sent to PI SQL DAS and authentication occurs there, which is one fewer hop.

If you use a managed service account or a standard domain user account to run PI SQL DAS, you need to enable delegation for that particular account. Additionally, you need to associate the following service principal names (SPNs) with the account:

  • HTTP/computer name:port

  • HTTP/computer fully qualified domain name:port

You can create the association with the setspn command:

setspn -S HTTP/myserver:port mydomain\myserviceaccount$

setspn -S HTTP/myserver.mydomain.com:port mydomain\myserviceaccount$

If a domain account is used to run PI SQL DAS (PI Integrators), Kerberos authentication is currently supported only for the HTTPS trusted connection channel. Net.Tcp connections will not work.
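
A read-only check of the configuration described above, added here as an example and not part of the vendor documentation: it confirms that both HTTP SPNs are on the account that runs PI SQL DAS, that no other account holds them, and reports which delegation settings are present. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; the parameter names are hypothetical.

```powershell
# Added example (not vendor code). Read-only; run as a user who can query AD.
# -Account is the sAMAccountName that runs PI SQL DAS: the machine account
# (e.g. 'myserver$') for a virtual service account, otherwise the service account.
param(
    [Parameter(Mandatory)][string]$Account,
    [Parameter(Mandatory)][string]$HostName,   # short computer name
    [Parameter(Mandatory)][string]$Fqdn,       # fully qualified domain name
    [Parameter(Mandatory)][int]$Port           # port used in the SPNs
)
Import-Module ActiveDirectory

$expected = "HTTP/${HostName}:$Port", "HTTP/${Fqdn}:$Port"

$acct = Get-ADObject -LDAPFilter "(sAMAccountName=$Account)" -Properties `
    servicePrincipalName, userAccountControl, 'msDS-AllowedToDelegateTo'
if (-not $acct) { throw "Account '$Account' not found in the current domain." }

# 1. Each SPN must be on this account and on no other account.
#    A duplicate SPN makes Kerberos ticket requests for the service fail.
$spnReport = foreach ($spn in $expected) {
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" `
        -Properties sAMAccountName)
    $others = $holders | Where-Object { $_.DistinguishedName -ne $acct.DistinguishedName }
    [pscustomobject]@{
        SPN          = $spn
        OnAccount    = $acct.servicePrincipalName -contains $spn
        OtherHolders = $others.sAMAccountName -join ', '
    }
}

# 2. Delegation settings, read from userAccountControl and msDS-AllowedToDelegateTo.
$uac = [int]$acct.userAccountControl
$delegation = [pscustomobject]@{
    Account            = $acct.DistinguishedName
    # TRUSTED_FOR_DELEGATION: the account may delegate to any service.
    Unconstrained      = [bool]($uac -band 0x80000)
    # TRUSTED_TO_AUTH_FOR_DELEGATION: protocol transition is allowed.
    ProtocolTransition = [bool]($uac -band 0x1000000)
    # Services this account is limited to when delegation is constrained.
    ConstrainedTargets = @($acct.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
}

$spnReport  | Format-Table -AutoSize
$delegation | Format-List
if (-not ($delegation.Unconstrained -or $delegation.ConstrainedTargets)) {
    Write-Warning 'No delegation setting is present on this account.'
}
```

Rows with `OnAccount` false or a non-empty `OtherHolders` point to an SPN that is missing or registered on the wrong account.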
