Security configuration for the PI AF Application Service account
- Last Updated Nov 13, 2025
- PI System
- PI Server 2024 R2
- PI Server
You use the PI Server install kit to configure an account that grants the PI AF Application Service the required permissions for the PI AF SQL Server database server. The default configuration sets up the Application Service to run under a virtual account, NT SERVICE\AFService, on the PI AF server computer.
Authentication for cloud database platforms
For authentication guidelines for supported cloud database platforms, see User roles and permissions for cloud database platforms.
SQL Server authentication
If the PI AF Application Service and PI AF SQL Server database computers are located in different domains, and a trust does not exist between those domains, the default configuration described above does not work. You must use SQL Server authentication to enable communication between the computers, as described in When to use SQL Server authentication with PI AF server.
Security configuration in PI AF 2.7 and later
Starting with PI AF 2.7, the PI AF Application Service is installed, by default, to run under a virtual account, NT SERVICE\AFService. We recommend different approaches to security configuration for the PI AF Application Service, depending on the installation scenario.
- When the PI AF Application Service and PI AF SQL Server database are installed on the same machine, the use of the new virtual account eliminates the security concerns that exist with the use of NetworkService. For this installation scenario, therefore, we recommend that you use the virtual account, NT SERVICE\AFService. When you select the virtual account during the installation, the account is automatically added to the local AFServers group. If you later decide to run the PI AF Application Service under a domain account, we recommend that you leave the virtual account, NT SERVICE\AFService, in the local AFServers group. You do not have to add the domain account to the local AFServers group.
- When the PI AF Application Service and PI AF SQL Server database are installed on separate machines, we recommend that you run the PI AF Application Service under a domain account. The virtual account is local to the PI AF Application Service machine only. The use of a domain account for the PI AF Application Service provides the most secure method for protecting your PI AF and SQL servers. You must add the machine account for the PI AF Application Service machine and the domain account under which the PI AF Application Service runs to the AFServers local group on the PI AF SQL Server database server machine.
Security configuration prior to PI AF 2.7
Prior to PI AF 2.7, the PI AF Application Service was configured to run under the NetworkService account. In some releases prior to PI AF 2.7, the PI AF Application Service installation also configured access for the NetworkService account to the PIFD database on the PI AF SQL Server database server. This meant that any local process running under the NetworkService account had the same privileges to the PIFD database on the PI AF SQL Server database server. For releases prior to PI AF 2.7, we therefore recommend that the PI AF Application Service be run under a domain account.
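The following PowerShell check is an added example, not part of the product documentation or install kit: it reports which account the PI AF Application Service runs under and compares it with the recommendations above. It assumes the Windows service name is AFService (taken from the virtual account name NT SERVICE\AFService); the function name and the -SqlOnSameMachine switch are hypothetical.

```powershell
# Added example; run in Windows PowerShell on the PI AF server computer.
function Test-AFServiceAccount {
    param(
        [string]$ServiceName = 'AFService',   # assumed from NT SERVICE\AFService
        [string]$GroupName   = 'AFServers',
        [switch]$SqlOnSameMachine             # hypothetical: PI AF SQL database is local
    )
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found on this computer." }

    # Classify the logon account configured for the service.
    $kind = switch -Regex ($svc.StartName) {
        '^NT SERVICE\\'                    { 'Virtual'; break }
        '^NT AUTHORITY\\Network ?Service$' { 'NetworkService'; break }
        '^(LocalSystem$|NT AUTHORITY\\)'   { 'OtherBuiltIn'; break }
        default                            { 'UserAccount' }
    }

    $findings = @()
    if ($kind -eq 'NetworkService') {
        $findings += 'Runs as NetworkService: database access granted to this account is shared by every local process running under it.'
    }
    if ($SqlOnSameMachine) {
        # Same-machine scenario: the virtual account should stay in the local group,
        # even if the service was later switched to a domain account.
        try {
            $members = @(Get-LocalGroupMember -Group $GroupName -ErrorAction Stop).Name
            if ($members -notcontains "NT SERVICE\$ServiceName") {
                $findings += "NT SERVICE\$ServiceName is missing from local group $GroupName."
            }
        } catch {
            $findings += "Could not read local group ${GroupName}: $($_.Exception.Message)"
        }
    } elseif ($kind -eq 'Virtual') {
        # Separate-machine scenario: a virtual account is local to this computer only.
        $findings += 'Virtual account in use with a remote SQL Server; a domain account is recommended.'
    }

    [pscustomobject]@{
        Service  = $ServiceName
        RunsAs   = $svc.StartName
        Kind     = $kind
        Findings = $findings
    }
}

Test-AFServiceAccount -SqlOnSameMachine | Format-List
```

In the separate-machine scenario, membership of the AFServers group has to be reviewed on the PI AF SQL Server database server machine, which this local check does not reach.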