AVEVA MES 2023 - middleware proxy issue

Hi,
I have problems calling the MES DLL through an ASP.NET web app in my development scenario.
My development scenario has the middleware proxy installed to call the middleware service host.
My web app requires administrator privileges, but due to a policy restriction my company removed these privileges from my personal account.
To launch my web app in admin mode I need to ask for a temporary password for .\administrator.
Starting from AVEVA MES 2023 there is a new authentication that requires the user that calls the MES DLL to be present on the machine where MES is installed, with the same password.
This is an issue for me because I cannot change the .\administrator password every time I ask for it.

Are my assumptions about the middleware proxy and host correct?
Any suggestion on how I can solve this issue?

Here you can find some slides that represent my situation:

Aveva Development Architecture 1.pptx

  • Hi Lorenzo,

    Can I get some more information on your system please.

    What security mode are you using within the MES system?  The default is native security, but MES also supports OS User and OS Group.

    Are the two machines you mention joined to a domain or are these independent workstations in a Work group?

    Which of the MES APIs are you trying to use? MES has a stateful, stateless, and Web API.

    The stateful API is what the MES Operator application uses and is designed for a single user sitting behind a keyboard.

    The stateless API is more flexible and allows for managing a server-type application hosting multiple users. The stateless API is the most complete of the APIs, exposing nearly all possible functionality of the product.

    The Web API bypasses the MES MW Proxy and connects directly to the MES Middleware. The Web API requires OS User or OS Group security mode set in MES to function. It also requires registration with AVEVA Identity Manager (AIM) to validate users. Within the product is a utility to register your custom client application with a Client ID and client secret that can be used to call the MES Web API with a service-to-service token, if the Web API is what you want to use. The one limitation with this approach is that the user associated with the transactions in the MES database will be the user defined in the MES system parameter for the default background user.

    From your description, you are using a local account not a domain account to launch your web application.  Are you trying to use this user to login to MES through the stateful or stateless API?  Can this application be run by an AD user that is a part of the MES OS User or OS Group security?  Depending on which API and what security mode you are using, I can provide more details.

    Regards,

    Jeff Barkehanai

  • Hi Jeffrey,

    The security is native and the two machines are independent workstations in a workgroup. I'm using the stateless API and my application is launched by a local account.

    Regards,

    Lorenzo

  • Hi Lorenzo,

    Have you reached out to technical support for assistance in your configuration?  It will be easier than posting messages back and forth here.

    Overall, the MES system works best in an Active Directory environment. When using workgroups, there are multiple additional steps for configuring the system. These are described in the installation guide. For example, the MES Middleware uses a virtual service account that is created during installation. In workgroup mode, it is often necessary to change this to a local account and have the same local account on all the nodes running MES as well as on the database server.

    Once the communication and accounts are set up, it should not matter what local user launches your custom application. Within the custom application, you would use the MES stateless API to create a session and log in an MES native user to the session. This logged-on user to MES will be recorded as the one making the various transactions in the MES database. Any background transactions would be logged against the workgroup user associated with the MES MW service.

    Hope this helps,

    Jeff Barkehanai
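The workgroup step Jeff describes (the same local service account, with the same password, on every MES node and on the database server) is the part that trips people up, because workgroup authentication between machines matches on account name and password rather than on a domain identity. The script below is an added example, not code from the thread or from the AVEVA installation guide; it is meant to be run once on each node. The account name `MESMiddlewareSvc` and the `Users` group membership are assumptions, so substitute the name you chose when you reconfigured the MES MW service and whatever group memberships the installation guide specifies. It prompts for the password instead of embedding it, so the same script can be copied to every node without shipping a secret in plain text.

```powershell
# Added example (not from the thread or AVEVA documentation).
# Ensure one identical local service account exists on this workgroup node.
# Run it on every node that hosts MES Middleware and on the database server.

# Hypothetical account name; use the one you configured for the MES MW service.
$AccountName = 'MESMiddlewareSvc'

# Prompt for the password rather than hardcoding it. Type the same password
# on every node: that is what workgroup (NTLM) authentication depends on.
$Password = Read-Host -Prompt "Password for $AccountName" -AsSecureString

$existing = Get-LocalUser -Name $AccountName -ErrorAction SilentlyContinue
if ($null -eq $existing) {
    New-LocalUser -Name $AccountName -Password $Password `
        -PasswordNeverExpires -AccountNeverExpires `
        -Description 'MES Middleware service account (workgroup)' | Out-Null
    Write-Host "Created local account $AccountName"
}
else {
    # Account already present: reset the password so it matches the other nodes.
    $existing | Set-LocalUser -Password $Password
    Write-Host "Reset password for existing account $AccountName"
}

# Keep the service account out of Administrators; grant only the memberships
# the installation guide calls for (assumed here to be the local Users group).
$isMember = Get-LocalGroupMember -Group 'Users' -Member $AccountName -ErrorAction SilentlyContinue
if (-not $isMember) {
    Add-LocalGroupMember -Group 'Users' -Member $AccountName
}

# Verification: compare this output across nodes. Name, Enabled and
# PasswordExpires should be identical everywhere.
Get-LocalUser -Name $AccountName |
    Select-Object Name, Enabled, PasswordExpires, PasswordLastSet
```

After the account exists on every node, point the MES MW Windows service at it (services.msc, Log On tab, or the MES configuration tool); that step grants the "Log on as a service" right. The account that launches your ASP.NET application does not need to be this one: as Jeff notes, your own code logs an MES native user into the stateless session, and only background transactions are attributed to the service account.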

  • Hi Jeffrey,

    I've already asked technical support, but it didn't really help me. I'm trying to ask on every channel possible because with this issue I can't debug my code in my development scenario.

    Regards,

    Lorenzo