Windows security

AVEVA Adapter for Structured Data Files supports the following authentication methods for PI Server.

Kerberos

Kerberos provides per-user security that is native to Windows and Active Directory and is supported with AVEVA adapters and some REST clients. Kerberos does not rely on credentials being transmitted across the wire, which makes it ideal for use with untrusted connections.

This adapter supports the use of different service accounts, such as gMSA or domain accounts to run the adapter. Use the Services.msc window to manually change the service account

If the AVEVA adapter is running with the default identity of "NT SERVICE\PIAdapter[AdapterName]", it is not necessary to configure Service Principal Names (SPNs) on the machine where the service is running. However, if the service identity is changed to a domain user account, the following SPNs must be configured and associated with that domain account:

• HTTP/hostname

• HTTP/fully.qualified.hostname

Basic

Basic authentication is defined in the HTTP Authentication: Basic and Digest Access Authentication document (https://www.ietf.org/rfc/rfc2617.txt) and is supported by AVEVA adapters and most REST clients (e.g., cURL and Postman). Basic authentication as implemented in the adapter is simple to use, provides granular, per-user security based on Windows identity, and can help avoid configuration problems related to Kerberos. When combined with SSL, Basic authentication is reasonably secure.

However, Basic authentication is less secure than Kerberos, since Windows user credentials, though encrypted, must be included and are transmitted with each request. In addition, Basic authentication requires that the adapter keeps the decrypted username and password in memory for the duration of the request. You should not use Basic authentication unless you are confident of the security of the server on which you are running the AVEVA adapter.