Submitting your feedback...
Knowledge Base Article
KB00864 - How to determine the credentials for a PI Trust
Product: PI Interfaces / PI Data Archive
Version(s): 3.3 and later

(December 2016) This article mentions PI trusts, now superseded by more secure forms of authentication. AL00309 discusses the move from PI trusts to Windows Integrated Security (WIS) for PI API.


Interface machines connect to the PI Server via PI API and PI SDK.  To create trusts based on the connecting application name, you must determine the credentials sent to the PI Server when the interface connects.  This KB outlines how to determine which credentials are passed.


To determine what credentials the PI API passes

  1. Run a command prompt session on the client/interface node.
  2. Change to the %PIHOME%\bin\ directory.
  3. Type the following command, substituting HostName with the hostname of your PI Server, then press Enter:
apisnap HostName
  1. Look at the PI Server message log. You should see a message similar to the following:
0 pinetmgr 28-Jan-06 16:10:25 >> New Pinet 1 connection: snapE No Trust established for:||snapE using default login.

From this information, you can see the IP address (in this case with NetMask of, application name "snapE," and hostname ""  From this information, a PI Trust can be created.  A message showing a successful connection using a PI Trust would look like this:

Successful login ID: 70. Address: Host: . Name: snapE. User: piadmin. OSUser: . Trust: InterfaceTrust

In the event that Network Address Translation takes place between the interface and PI Server, the translated address must be known.  In addition, if your interface node has multiple NICs that would be able to communicate with the PI Server on the network, you must set up a trust for each IP address, even if you just see the connection with one.

If you see "Hostname: Unknown" instead of a computer name, the hostname is not being resolved by the DNS. Another reason you may see "Unknown" is if you have intentionally disabled the "ReverseNameLookupFlag" tuning parameter.  You can check the status of this flag in PI System Management Tools (PI SMT) under Operation > Tuning Parameters > Net Manager tab.  A setting of "1" means that it is enabled; a setting of "0" means it is disabled.  If reverse-name lookup cannot be enabled in your environment, you can add a hosts file on the local computer that contains the fully qualified name of the client to it to resolve this problem.

  1. Exit apisnap by pressing Enter when prompted for a tag name.

To determine what credentials the PI SDK passes

  1. Open a command window on the client/interface node.
  2. Change to the %PIHOME%\adm directory (this is where it is installed by default).
  3. Type pidiag -host and press Enter.  You will see the following:

C:\PI\adm>pidiag -host
Domain   <OSI>
Machine  <apollo>
User     <jdoe>
IP Addr  <>
FQDN     <> additional information

  • The Domain is name of your Domain.
  • The Machine is the simple hostname (i.e., "apollo"), which is the only hostname passed by PI SDK 1.3.3 and earlier.
  • The User is the Domain user name (not to be confused with the PI User).
  • The IP Addr is the IP Address.
  • The FQDN is included when running PI SDK 1.3.4 and later, and stands for the fully qualified domain name, which is the same thing as fully qualified hostname (for example, ""). If using PI SDK 1.3.4 or later, you no longer have to use the simple hostname in your trust connections. Fully qualified host names are also required for PI Collectives.

Other ways to find trust credentials

  • Start the interface and use the PI System Manager Tools (PI SMT 3.x) Network Manager Statistics plug-in to see what the interface connection is presenting (look at name, peername, peeraddress). This only works if the connection is successful.  The following screenshot shows an example of the credentials passed:

st-widget-{image: NetMgrStats.png}

See KB00600 - How to read the Network Manager Statistics table for more information.

  • Run a remote pigetmsg session to see the trust credentials being passed.  The PI Server message logs shows attempted connections (successful or not) and their credentials:
0 pinetmgr 27-Feb-06 09:05:42

 >> Access Denied: [-10413] No trust relation for this request ID: 36. Address: Host: Name: PIToE

The remote pigetsmg session will only connect successfully if a trust is already configured.  However, since the PI Server will also log unsuccessful connections, attempt to connect remotely, then go to the PI Server to view the logs to find the credentials passed.  Use this information to create a PI Trust.

To run the remote pigetmsg session, do the following:
  1. Run a command prompt session on the client/interface node.
  2. Change to the %PIHOME%\adm\ directory.
  3. Type the following command, and press Enter:
pigetmsg -f -node [node] -trust
  1. Leave this window open to view the PI API and PI SDK connections as they occur.
Article ID: KB00864 Created: 2013-09-03
Article Type: How-To Last Updated: 2016-12-21