
Buffering and High Availability

PI Buffer Subsystem and service logon accounts

  • Last Updated: Jan 13, 2023

To maximize security, we recommend configuring PI Buffer Subsystem to log on as a dedicated domain user account or managed service account.

For a dedicated domain user account, see Operating system permissions for buffering. If your site does not have a domain but you want to use Windows authentication, see Best practices for buffering security for more information.

A managed service account can be thought of as a combination of a domain user account and a domain computer account. It has all the benefits of a domain user account, but you don't have to manage the password like you would for a domain user account.

Domain User Account

To maximize security, set up the PI Buffer Subsystem service to run using a domain user account. The advantage of this approach is that you can configure a user account specifically for the PI Buffer Subsystem service and configure a PI mapping or a PI trust specifically for that user account. This provides added security and flexibility compared to using the Local System account. The disadvantage is that this approach requires setting up and maintaining a more complex security configuration.

Note: When the domain user's password changes, use the Microsoft Windows Services snap-in to update the password for the PI Buffer Subsystem service on each buffered node.

Virtual Account

By default, the PI Buffer Subsystem runs as a Windows service using the Virtual Account "NT Service\pibufss". The advantage of using a Virtual Account is that there is no password management required. The disadvantage is that it is less secure if Data Archive is configured to authenticate PI Buffer Subsystem using Windows authentication. When used with Windows authentication, this configuration allows any account that takes on the computer's identity (for example, Local System) to write to Data Archive.

Note: Depending on the versions of Data Archive and PI Buffer Subsystem you are using, you may need to map the PI identity associated with buffering to each computer that runs PI Buffer Subsystem. For details, see Map a PI identity to a buffered computer.
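To see which of the account types described above each buffered node is actually using, the following PowerShell audit can be run. It is an added example, not part of the vendor documentation; it assumes the Windows service name is pibufss (inferred from the virtual account name "NT Service\pibufss"), that the caller supplies the node names, and that managed service account names end in "$".

```powershell
# Added example: report which kind of account the PI Buffer Subsystem service logs on as.
# Assumptions: service name "pibufss" (inferred from "NT Service\pibufss"); the node
# list is supplied by the caller; managed service account names end in "$".
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string]$ServiceName = 'pibufss'
)

function Get-LogonAccountClass {
    param([string]$StartName)
    switch -Regex ($StartName) {   # -Regex matching is case-insensitive by default
        '^(LocalSystem|NT AUTHORITY\\SYSTEM)$'           { return 'LocalSystem' }
        '^NT AUTHORITY\\(LocalService|NetworkService)$'  { return 'BuiltInService' }
        '^NT SERVICE\\'                                  { return 'VirtualAccount' }
        '\$$'                                            { return 'ManagedServiceAccount' }
        '^[^\\]+\\[^\\]+$|^[^@]+@[^@]+$'                 { return 'UserAccount' }
        default                                          { return 'Unknown' }
    }
}

$notes = @{
    LocalSystem           = 'Less secure than a dedicated domain user or managed service account.'
    BuiltInService        = 'Not one of the accounts this page recommends.'
    VirtualAccount        = 'Default. With Windows authentication, any account that takes on the computer identity can write to Data Archive.'
    ManagedServiceAccount = 'Recommended. No password to manage.'
    UserAccount           = 'Recommended if this is a dedicated domain account. Update the service password on each buffered node when it changes.'
    Unknown               = 'Review manually.'
}

foreach ($node in $ComputerName) {
    $query = @{ ClassName = 'Win32_Service'; Filter = "Name='$ServiceName'"; ErrorAction = 'Stop' }
    # Query the local machine directly so WinRM is only needed for remote nodes.
    if ($node -ne $env:COMPUTERNAME) { $query.ComputerName = $node }
    try {
        $svc = Get-CimInstance @query
        $class = if ($svc) { Get-LogonAccountClass $svc.StartName } else { 'ServiceNotFound' }
        $note = if ($svc) { $notes[$class] } else { 'Service not installed on this node.' }
    } catch {
        $svc = $null; $class = 'QueryFailed'; $note = $_.Exception.Message
    }
    [pscustomobject]@{
        Node    = $node
        Account = if ($svc) { $svc.StartName } else { $null }
        Class   = $class
        Note    = $note
    }
}
```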
