Authentication options that are most secure
- Last UpdatedOct 04, 2024
- 1 minute read
- PI System
- PI Server 2018
- PI Server
The most secure method for authenticating a user or application on the Data Archive server is Windows Active Directory (AD) authentication. We recommend you use this method wherever possible.
AVEVA does not recommend using PI trusts or explicit logins for authentication. For a more secure environment, AVEVA recommends Windows Integrated Security.
Note: PI API 2016 for Windows Integrated Security extends Windows authentication to API-based client applications. If you choose to install PI API 2016 for Windows Integrated Security, you can use only Windows Integrated Security for authentication. Both trusts and explicit logins will fail.
Authentication methods are listed in order, from most secure to least secure:
-
AD Authentication (Kerberos)
-
Local Windows authentication (NTLM)
-
PI Trusts
When you define a PI trust, you can choose how secure the trust will be. You can create PI trusts for API connections or for SDK connections. However, since the SDK supports Windows authentication, you should not create PI trusts for SDK connections.
-
Data Archive User Accounts and Passwords (explicit logins)
Local Data Archive user accounts are the least secure way to authenticate on the Data Archive server. We do not recommend using this method.