Configure PI AF for Kerberos delegation
- Last Updated: May 15, 2025
- Applies to: PI System, PI Server 2018, PI Server
We recommend that you use Kerberos constrained delegation rather than general delegation, because constrained delegation is more secure. The information provided in this section describes the requirements for general delegation and constrained delegation.
Follow this procedure to support Kerberos delegation.
Note: If your PI AF application service and/or SQL Server service are running under the local Network Service account, or a Virtual Account for the Network Service (such as those used by default in SQL Server or the default account used for the PI AF application service), you can skip steps 1 and 2. The domain administrator generally manages the settings configured in steps 1 and 2.
1. Ensure the Read servicePrincipalName and Write servicePrincipalName permissions are assigned to the following Active Directory objects, which allows the SPNs to be managed automatically:
   - The domain account under which the PI AF application service runs.
   - The domain account under which the SQL Server service runs, assuming the linked PI AF Table is a SQL Server table.
2. Ensure the required SPNs are created for the following objects:
   - SPNs may need to be registered manually for the PI AF application service, if you did not assign the Read servicePrincipalName and Write servicePrincipalName permissions to the PI AF application service's domain account as described in the previous step.
   - SPNs may need to be registered manually for the SQL Server service, if the PI AF Table is linked to a SQL Server table and the Read servicePrincipalName and Write servicePrincipalName permissions were not assigned to the SQL Server service's account as described in the previous step.
3. Configure the appropriate Active Directory objects as trusted for constrained delegation. Which Active Directory objects need to be configured depends on your specific use case:
   - Delegate a remote client's identity to the PI AF server: to allow a service to delegate a remote client's identity to a PI AF server, every service attempting to perform the delegation must be configured for delegation.
   - Access data referenced in a linked PI AF Table object that uses impersonation: to allow the PI AF application service to access data on a remote server that is referenced in a linked PI AF Table object that uses impersonation, you must configure the account under which the PI AF application service runs as trusted for delegation.

     By default, the PI AF application service runs under a local network account (the Virtual Service account or the Network Service account), which presents itself on the network as the machine account. This means the machine account needs to be configured as trusted for delegation. However, if the PI AF application service runs under a domain account, that domain account needs to be configured as trusted for delegation.
   - Access linked PI AF Table data using impersonation where the external source itself references a further remote source, such as a SQL Server linked table: for example, a linked PI AF Table that is configured to use impersonation references data in a SQL Server database on MachineA, but that data includes a link to data in another SQL Server database on MachineB. In this case you must configure both the account under which the PI AF application service runs and the account under which the SQL Server service referenced by the impersonating linked PI AF Table runs.
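The following PowerShell script is an added example for steps 2 and 3 above; it is not code from the original page or from the PI AF product. It uses the ActiveDirectory module to report, and with `-Apply` to fix, SPN registration for the PI AF and SQL Server service accounts and the constrained-delegation list (`msDS-AllowedToDelegateTo`) on the PI AF delegating principal. All account names, host names and the port are placeholders, and the `AFServer/<host>` SPN prefix for the PI AF application service is an assumption that you should confirm against the PI AF documentation for your version; `MSSQLSvc/<host>:<port>` is the standard SQL Server SPN form. Because it looks objects up by sAMAccountName through `Get-ADObject`, the same code handles a domain service account (`svc-piaf`) and a machine account (`AFSERVER01$`) when the service runs as Network Service or a virtual account.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original page or the PI AF product).
# Reports, and with -Apply corrects, the SPN and constrained-delegation
# state described in steps 2 and 3. Every name below is a placeholder.
param(
    # sAMAccountName of the principal running the PI AF application service:
    # a domain account ('svc-piaf') or the machine account ('AFSERVER01$')
    # when the service runs as Network Service / a virtual account.
    [string]$AfServiceSam  = 'svc-piaf',
    [string]$AfHostFqdn    = 'afserver01.corp.example',
    # Same for the SQL Server service hosting the linked PI AF Table.
    [string]$SqlServiceSam = 'svc-sql',
    [string]$SqlHostFqdn   = 'sql01.corp.example',
    [int]$SqlPort          = 1433,
    [switch]$Apply         # omit to run read-only
)

function Get-AdAccount {
    # Resolves a user or computer object by sAMAccountName, so the domain-account
    # and machine-account cases are handled by the same code path.
    param([string]$SamAccountName)
    $obj = Get-ADObject -Filter "sAMAccountName -eq '$SamAccountName'" `
        -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo'
    if (-not $obj) { throw "No AD object with sAMAccountName '$SamAccountName'" }
    return $obj
}

function Confirm-Spn {
    # Step 2: register $Spn on $Account unless it is already present. Refuses if
    # another object already holds it, because a duplicate SPN breaks Kerberos
    # for that service (clients silently fall back to NTLM or fail).
    param($Account, [string]$Spn, [switch]$Apply)
    if (@($Account.servicePrincipalName) -contains $Spn) {
        Write-Host "OK      $Spn is registered on $($Account.Name)"; return
    }
    $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)"
    if ($owner) {
        Write-Warning "DUP     $Spn already belongs to $($owner.DistinguishedName); not registering"; return
    }
    if ($Apply) {
        Set-ADObject -Identity $Account -Add @{servicePrincipalName = $Spn}
        Write-Host "ADDED   $Spn -> $($Account.Name)"
    } else {
        Write-Host "MISSING $Spn on $($Account.Name) (re-run with -Apply to register)"
    }
}

function Confirm-ConstrainedDelegation {
    # Step 3: constrain $Account so it may delegate only to $TargetSpns by
    # populating msDS-AllowedToDelegateTo. Nothing else on the account changes;
    # in particular, protocol transition is not enabled.
    param($Account, [string[]]$TargetSpns, [switch]$Apply)
    $current = @($Account.'msDS-AllowedToDelegateTo')
    $missing = @($TargetSpns | Where-Object { $current -notcontains $_ })
    if ($missing.Count -eq 0) {
        Write-Host "OK      $($Account.Name) may delegate to: $($TargetSpns -join ', ')"; return
    }
    if ($Apply) {
        Set-ADObject -Identity $Account -Add @{'msDS-AllowedToDelegateTo' = $missing}
        Write-Host "ADDED   delegation targets on $($Account.Name): $($missing -join ', ')"
    } else {
        Write-Host "MISSING delegation targets on $($Account.Name): $($missing -join ', ')"
    }
}

$afShort  = $AfHostFqdn.Split('.')[0]
$sqlShort = $SqlHostFqdn.Split('.')[0]
# 'AFServer/<host>' is an assumed prefix for the PI AF application service;
# confirm it against your PI AF documentation. MSSQLSvc/<host>:<port> is the
# standard SQL Server SPN form (use the instance name instead of the port for
# a named instance).
$afSpns  = @("AFServer/$afShort", "AFServer/$AfHostFqdn")
$sqlSpns = @("MSSQLSvc/${sqlShort}:$SqlPort", "MSSQLSvc/${SqlHostFqdn}:$SqlPort")

$af  = Get-AdAccount $AfServiceSam
$sql = Get-AdAccount $SqlServiceSam

foreach ($spn in $afSpns)  { Confirm-Spn -Account $af  -Spn $spn -Apply:$Apply }
foreach ($spn in $sqlSpns) { Confirm-Spn -Account $sql -Spn $spn -Apply:$Apply }

# For the impersonating linked-table use case, the PI AF principal is the
# delegating party and the SQL Server SPNs are the only services it may
# delegate to (constrained, not general, delegation).
Confirm-ConstrainedDelegation -Account $af -TargetSpns $sqlSpns -Apply:$Apply
```

Run it once without `-Apply` from a workstation with the RSAT ActiveDirectory module as a domain administrator to see what is missing, then again with `-Apply`. For the MachineA/MachineB case in the last bullet, invoke `Confirm-ConstrainedDelegation` a second time with the MachineA SQL Server principal as `-Account` and MachineB's SQL Server SPNs as `-TargetSpns`. Keeping the delegation list limited to the specific SQL Server SPNs is what makes this constrained delegation rather than the general delegation the page advises against.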