PI AF and Kerberos delegation
- Last Updated: Oct 02, 2024
- PI System
- PI Server 2018
- PI Server
Kerberos delegation is the process by which a service on one machine passes a client's credentials to a service on another machine. This process is often referred to as a Kerberos Double Hop. (For a general introduction to Kerberos, see the Kerberos Authentication Overview section.) PI AF supports the use of both Kerberos General Delegation and Kerberos Constrained Delegation.
General delegation
Allows an application or service on one machine to access any application or service on another machine using the client's credentials.

Constrained delegation
Allows an application or service on one machine to access only a pre-defined list of one or more applications or services on another machine using the client's credentials.
Note: We recommend the use of Kerberos constrained delegation rather than Kerberos general delegation, because constrained delegation limits the services to which a client's credentials can be forwarded and is therefore more secure. For further information, you can refer to the following articles:
Delegation Examples
In the case of PI AF, a service, such as a web portal utilizing the AF SDK, may need to allow the remote client's credentials (via a Kerberos ticket) to be passed on to the PI AF Application Service or PI AF. Furthermore, the PI AF Application Service may also need permission to pass the user's credentials to a remote database or Active Directory service.
Delegation example one
An AF SDK service hosted on a web portal needs to allow a remote client’s credentials to be passed to the PI AF Application Service, allowing the client user to access data on the PI AF server.
Rita, a PI AF Client user, has permission to access data in a PI AF Server.
1. Rita logs on to the machine hosting a custom PI AF client, in order to view data stored in the PI AF Server database.
2. The PI AF client machine passes Rita’s credentials to an AF SDK service on the web portal.
3. The AF SDK service then passes Rita’s credentials to the PI AF Application Service.
4. The PI AF data is then made available to Rita on the PI AF client machine.
Delegation example two
Another example is when the PI AF Application Service needs to pass the user's credentials to a remote database.
Rita, a PI AF Client user, has permission to access data stored in a table in a remote SQL Server database.
1. In PI System Explorer, Rita creates an AF Table Connection object that includes the “Impersonate Client” Security option and that defines how to connect to the SQL Server database.
2. She creates an AF Table object that uses the AF Table Connection definition and includes a valid Query.
3. Rita then links the AF Table to a table in a SQL Server that she has permission to access (or some other external data source).
4. If the PI AF server’s service account has been correctly configured for delegation, when Rita connects to the linked AF Table, the PI AF server authenticates the PI System Explorer user via Kerberos delegation, and retrieves the data from the table in the external SQL Server using the user’s delegated credentials.
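The recommendation above to prefer constrained delegation, and step 4 of delegation example two (the PI AF server's service account must be configured for delegation to the SQL Server), both come down to how the service account is set up in Active Directory. The following PowerShell is an added example written for this page; it is not part of the PI documentation or the PI product. It assumes the ActiveDirectory RSAT module, an account with rights to modify the service account, and uses placeholder names: the service account `svc-piaf` and the SQL Server SPNs in `$AllowedTargets` are assumptions to be replaced with your own values. It reports the account's current delegation mode, converts general (unconstrained) delegation into constrained delegation to an explicit SPN list, and then lists every other account in the domain still flagged for unconstrained delegation so it can be reviewed.

```powershell
# Added example (not from the PI documentation): audit a service account's
# Kerberos delegation configuration and, if it uses general (unconstrained)
# delegation, replace it with constrained delegation to an explicit SPN list.
# Requires the ActiveDirectory RSAT module and rights to modify the account.
Import-Module ActiveDirectory

# Placeholder (assumption): the account running the PI AF Application Service.
$ServiceAccount = 'svc-piaf'

# Placeholder (assumption): SPNs of the back ends the PI AF server may reach on
# the user's behalf, here the linked SQL Server from delegation example two.
$AllowedTargets = @(
    'MSSQLSvc/sql01.contoso.example:1433',
    'MSSQLSvc/sql01.contoso.example'
)

function Get-DelegationState {
    param([string]$Identity)
    $acct = Get-ADUser -Identity $Identity -Properties TrustedForDelegation,
        TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
    $targets = @($acct.'msDS-AllowedToDelegateTo')
    # TrustedForDelegation set   -> "trust for delegation to any service" (general)
    # msDS-AllowedToDelegateTo   -> "trust for delegation to specified services" (constrained)
    $mode = if ($acct.TrustedForDelegation) { 'General (unconstrained)' }
            elseif ($targets.Count -gt 0)   { 'Constrained' }
            else                            { 'None' }
    [pscustomobject]@{
        Account            = $acct.SamAccountName
        Mode               = $mode
        # TrustedToAuthForDelegation = protocol transition ("use any authentication
        # protocol"); false means Kerberos-only constrained delegation.
        ProtocolTransition = [bool]$acct.TrustedToAuthForDelegation
        AllowedTargets     = $targets
    }
}

$before = Get-DelegationState -Identity $ServiceAccount
$before | Format-List

if ($before.Mode -eq 'General (unconstrained)') {
    # Clear the "any service" flag (userAccountControl bit 0x80000) ...
    Set-ADAccountControl -Identity $ServiceAccount -TrustedForDelegation $false
    # ... and permit delegation only to the listed SPNs.
    Set-ADUser -Identity $ServiceAccount -Replace @{ 'msDS-AllowedToDelegateTo' = $AllowedTargets }
}

Get-DelegationState -Identity $ServiceAccount | Format-List

# Review pass: every user or computer still trusted for unconstrained delegation.
# Domain controllers legitimately carry this flag; any other hit deserves review.
Get-ADObject -LDAPFilter '(&(|(objectCategory=computer)(objectCategory=person))(userAccountControl:1.2.840.113556.1.4.803:=524288))' -Properties samAccountName |
    Select-Object Name, ObjectClass, samAccountName
```

Run this from an administrative PowerShell session on a domain-joined machine. The first `Format-List` shows the state before any change, so the script can be used purely as an audit by removing the `if` block; after the change, `Mode` should read `Constrained` with `ProtocolTransition` false, which is the Kerberos-only configuration that matches how the examples above describe the client's ticket being forwarded.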