Checklist for troubleshooting a trusted connection in a double-hop scenario
- Last Updated: Feb 27, 2023
Verify the following points to troubleshoot a trusted connection:
- PI SQL DAS (PI Integrators) runs as a service and uses the virtual service account, a managed service account, or a standard domain user account.
- If you use a virtual service account: The PI SQL DAS machine account that is delegating the credentials is trusted for delegation. Alternatively, Resource Based Constrained Delegation is configured on each back-end data source.
- If you use a managed service account or a standard domain user account: The account is trusted for delegation.
- In Active Directory, the Account is sensitive and cannot be delegated check box is cleared for users who access the application.
- The time stamp on the authenticator does not differ by more than five minutes from the time stamp of the server.
- TCP/UDP port 88 is not blocked by a firewall or a router. By default, Kerberos authentication uses TCP/UDP port 88.
- The HOST SPN is registered for the machine account (registered by default), or the HTTP SPN is registered for the managed service account or standard domain user account (you must register it manually).
- You can check the existing set of SPNs for the machine, managed service, or standard domain user account by running the following commands:
Setspn.exe -L <myServer-NetBIOS-name>
Setspn.exe -L <mydomain\myuser>
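
The checks in this list can also be run together from PowerShell. The script below is an added example, not part of the original page or of PI SQL DAS; the account, computer, user and domain controller names are placeholders, and it assumes the ActiveDirectory module is installed and that each back-end data source is identified by its computer account.

```powershell
# Added example: read-only checks for the checklist above.
# Requires the ActiveDirectory module (RSAT). Every name is a placeholder.
Import-Module ActiveDirectory

$Delegator = 'PISQLDAS01$'       # account running PI SQL DAS (machine and managed service accounts end in $)
$BackEnds  = @('PIDATA01')       # back-end data source computers
$EndUser   = 'jdoe'              # a user who accesses the application
$Kdc       = 'dc01.example.com'  # a domain controller

# userAccountControl flag values
$TrustedForDelegation = 0x80000   # trusted for delegation to any service
$NotDelegated         = 0x100000  # "Account is sensitive and cannot be delegated"

function Get-Account([string]$Sam) {
    $a = Get-ADObject -LDAPFilter "(sAMAccountName=$Sam)" -Properties `
        userAccountControl, servicePrincipalName, 'msDS-AllowedToDelegateTo'
    if (-not $a) { throw "Account not found: $Sam" }
    $a
}

$d = Get-Account $Delegator
$u = Get-Account $EndUser

# Delegating account: delegation settings and registered HOST/HTTP SPNs
[pscustomobject]@{
    Account        = $Delegator
    Unconstrained  = [bool]($d.userAccountControl -band $TrustedForDelegation)
    ConstrainedTo  = @($d.'msDS-AllowedToDelegateTo') -join '; '
    HostOrHttpSpns = @($d.servicePrincipalName | Where-Object { $_ -match '^(HOST|HTTP)/' }) -join '; '
} | Format-List

# Resource Based Constrained Delegation configured on each back-end data source
$BackEnds | ForEach-Object {
    $c = Get-ADComputer $_ -Properties PrincipalsAllowedToDelegateToAccount
    [pscustomobject]@{
        BackEnd           = $_
        AllowedDelegators = @($c.PrincipalsAllowedToDelegateToAccount) -join '; '
    }
} | Format-List

# The end user must not be marked as sensitive (expected value: False)
[pscustomobject]@{
    User                       = $EndUser
    SensitiveCannotBeDelegated = [bool]($u.userAccountControl -band $NotDelegated)
} | Format-List

# Kerberos over TCP 88 (UDP 88 is not tested here), then the clock offset to the KDC
[pscustomobject]@{ Kdc = $Kdc; Tcp88Open = Test-NetConnection -ComputerName $Kdc -Port 88 -InformationLevel Quiet } | Format-List
w32tm /stripchart /computer:$Kdc /samples:1 /dataonly
```

Run it on the PI SQL DAS machine so that the port and time results reflect that machine's view of the domain controller. Compare the offset reported by w32tm with the five-minute limit stated above.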