Trust Connections

With the release of the PI3 Server, version 3.3, a new type of connection authorization is possible. The Server contains a Trust table that stores information about machines, users, and applications and, using this information, can automatically grant Server access to PI-SDK applications as particular PI users. This allows unattended applications to connect with significant privileges, under the control of the Server administrator. The Trust mechanism is flexible and offers a wide range of options for providing secure yet convenient connections. The feature can take advantage of the existing security in a Microsoft network, so that a user who has successfully provided credentials to the domain can automatically be given access to PI as a particular PI user. Details of configuring Trust relationships are provided in the PI-UDS documentation.


Trust connections are first available with the 1.1 release of the PI-SDK. In versions of the PI-SDK through 1.3.5, to invoke a trust login you need only call Server.Open without specifying a UID (user name) in the connection string. When the PI-SDK sees this call, it first attempts a trust login. If trusts are supported on the server and a trust corresponding to the current situation (logged-in O/S user, machine, application) has been configured on the Server, the trust connection is granted. If trusts are not supported on the server or no appropriate trust is configured for this situation, the trust login fails and the PI-SDK then tries a connection using the Default User configured in the Known Servers Table, as in earlier versions of the PI-SDK. This algorithm means the PI-SDK provides identical default login behavior across versions until a Server administrator explicitly configures trust relationships to change the behavior.
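The implicit login described above, as an added VBScript example (not code from the PI-SDK documentation or from OSIsoft): it calls Server.Open with no UID so the PI-SDK tries a trust first and falls back to the Default User, then reports which PI user the connection was actually granted as. The Server.CurrentUser, Server.Name and Server.Close members are assumed here; the DefaultServer entry of the Known Servers Table is assumed to point at the intended Server.

```vbscript
' Added example: request an implicit (trust) login and report the resulting PI user.
Option Explicit
Dim sdk, srv
Set sdk = CreateObject("PISDK.PISDK")      ' PI-SDK COM automation object
Set srv = sdk.Servers.DefaultServer        ' default entry in the Known Servers Table (assumed)

' No UID in the connection string: the PI-SDK attempts a trust login first and,
' if no matching trust exists, falls back to the Known Servers Table Default User.
On Error Resume Next
srv.Open
If Err.Number <> 0 Then
    WScript.Echo "Connection failed: " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0

' CurrentUser (assumed member) shows which PI user the connection was granted as.
' Comparing it with the user the administrator intended the trust to map to
' distinguishes a granted trust from a silent fallback to the Default User.
WScript.Echo "Connected to " & srv.Name & " as PI user " & srv.CurrentUser
srv.Close
```

Because the fallback to the Default User is silent, checking the granted user after Open is the practical way to confirm that a trust, rather than the default login, supplied the credentials.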


Starting with version 1.3.6, the PI-SDK provides local configuration of the desired implicit connection methods. The implicit connection behavior described above, trying a trust and then trying a default user login, is now at the discretion of the local user and/or the application. Using the IPISDKOptions interface, supported by the PISDK object, the available implicit authentication methods can be queried and the desired methods and their order of attempt can be set. This can be done dynamically in an application or persisted so that other SDK applications pick up the behavior by default. These settings are also available in the PI-SDK Controls connection manager dialog under the menu items Tools | Options. Because this dialog is used in many applications, as well as in the PISDKUtility application delivered with the PI-SDK, the ability to configure implicit connection behavior is widely available. The new Tools | Options dialog is displayed below. Using the items in the bottom group box, the implicit authentication options can be added, removed, and reordered. The item displayed as "SSPI" is discussed next under "Windows Integrated Authentication".

(Figure: the PI-SDK connection manager Tools | Options dialog)

Trust connections are designed primarily to provide authentication to unattended applications, such as interfaces, but they have the side benefit of offering a configuration option in which logged-in domain users can be granted secure PI access from client applications without explicitly logging into the PI System after logging on to the O/S.

With server version 3.4.380 and beyond, this ability to automatically grant PI access based on an authenticated Windows user is significantly enhanced. 

Prior to 3.4.380, to base PI connection credentials on a Windows login one needed either to build a specific trust for each Windows user principal (typically specifying a domain, an OS user, and the associated PI user) or to use the "$,$" trust, which gave authenticated domain users access to a PI user of the same name (requiring a PI user to be added for each trusted domain user, but only a single trust).

The association between authenticated Windows users and implicit PI authentication available with PI 3.4.380 and beyond is described below under "Windows Integrated Authentication (SSPI)".
