Enable Kerberos delegation when AVEVA PI Vision uses a custom domain account
Last updated: Apr 02, 2025
Note: This section doesn't apply if installing in an environment whose end users only use OpenID Connect authentication.
When AVEVA PI Vision uses a custom domain account, both application pools and Windows services associated with AVEVA PI Vision run as that account. To enable Kerberos delegation, you must configure the AVEVA PI Vision website to use the application-pool credentials, create necessary service principal names (SPNs), and configure the service account to support Kerberos, including enabling delegation to the needed Data Archive and PI AF servers.
Before you start, verify that you have the Validated Write to Service Principal Names privilege on the user or computer object in Active Directory. You need this privilege to create SPNs in this procedure. Contact your IT administrator if you have insufficient privileges.
1. Configure the AVEVA PI Vision website to use the application-pool credentials:
   - In Internet Information Services (IIS) Manager, select the PIVision site, and then under Management, double-click the Configuration Editor icon to open the Configuration Editor page.
   - From the Section list, select system.webServer/security/authentication/windowsAuthentication.
   - Set the useAppPoolCredentials property to True and click Apply.
   - Open a command prompt and run the iisreset command.
2. Create two Active Directory service principal names (SPNs):
   - Open a command prompt.
   - Use the setspn -U -S command to create an SPN for the NetBIOS name and for the fully-qualified DNS name of the AVEVA PI Vision application server:

     ```
     setspn -U -S http/netbios-server-name domain\service-account
     setspn -U -S http/fully-qualified-DNS-name domain\service-account
     ```

     For example:

     ```
     setspn -U -S http/myserver mydomain\PIVisionService
     setspn -U -S http/myserver.mydomain.int mydomain\PIVisionService
     ```

     Note: If you point to your host with an A record (address record), register the SPN to the host rather than the server name. If you point to your host with a CNAME record (canonical name record), register the SPN to the server name. For more information, see Configuring Kerberos for DNS Aliases (ANAME and CNAME) on the Customer Portal.

     Note: If the application pool account is a group-managed service account (gMSA), either replace the -U switch with a -C switch or ensure that a trailing $ is included when specifying the account you're registering the SPN to. This is needed because gMSAs are more similar to computer accounts than to user accounts.

     Note: For more information on setspn syntax and switches, see the Microsoft article on setspn.
3. On your domain controller, open Active Directory Users and Computers.
4. Under the domain of the AVEVA PI Vision application server, click Users.
5. Right-click the name of the AVEVA PI Vision domain account and then click Properties.
6. In the Properties window, click the Delegation tab and select settings for the account:
   - Select Trust this user for delegation to specified services only.
   - Select Use Kerberos only for a more secure configuration, or select Use any authentication protocol for a more flexible configuration:
     - Use Kerberos only requires that AVEVA PI Vision authenticate all users with Kerberos. This typically requires that all users connect to AVEVA PI Vision from a Windows computer joined to a trusted Active Directory domain.
     - Use any authentication protocol allows AVEVA PI Vision to authenticate users with NTLM, which may be required in some network topologies or if users connect to AVEVA PI Vision on mobile devices.
7. Add services for each Data Archive server that AVEVA PI Vision will access:
   - Click Add to open the Add Services window.
   - Click Users or Computers.
   - Enter the name of the Data Archive server that AVEVA PI Vision accesses. If your Data Archive is using a custom service account, search for that name instead. Then click Check Names.
   - Click OK to return to the Add Services window populated with the list of all service types.
   - From the Available services list, click PIServer and then click OK to add the SPN for the Data Archive server.
8. Add services for each PI AF server that AVEVA PI Vision will access. Repeat step 7, but enter the name of your PI AF server and click AFServer as the service type.

   Note: If the PI AF server runs as a custom service account, then search for the PI AF server SPN by that service account rather than by the machine name.

   The services that you added appear in the Properties window.
9. Click Apply.
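The same procedure in scripted form, as an added example that is not AVEVA's code: it assumes it runs on the PI Vision server with the WebAdministration and ActiveDirectory (RSAT) modules installed, and that the host names, the service account name, and the PIServer/AFServer SPN formats for the back-end servers are placeholders to replace with your own values.

```powershell
# Added example (not AVEVA's own script): scripted equivalent of steps 1-9 above.
# Run as an account with the required IIS and AD rights. All names are placeholders.
Import-Module WebAdministration
Import-Module ActiveDirectory

$SiteName    = 'PIVision'                # IIS site name from the procedure
$Domain      = 'mydomain'
$ServiceAcct = 'PIVisionService'         # custom domain account running the app pools
$WebHost     = 'myserver'                # NetBIOS name of the PI Vision server
$WebFqdn     = 'myserver.mydomain.int'
# Back-end hosts (assumed placeholders). Their SPNs are assumed to be registered as
# PIServer/<host> and AFServer/<host> on the account each back-end service runs as.
$DataArchives = @('piarchive', 'piarchive.mydomain.int')
$AfServers    = @('piaf', 'piaf.mydomain.int')
$KerberosOnly = $true                    # $false = "Use any authentication protocol"

# Step 1: make the PI Vision site use the application-pool identity for Kerberos.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -Name 'useAppPoolCredentials' -Value $true
iisreset | Out-Null

# Step 2: register HTTP SPNs for both names. -S refuses to create a duplicate SPN,
# the misconfiguration that otherwise breaks Kerberos with KRB_AP_ERR_MODIFIED.
# For a gMSA use -C (or a trailing $) here and Set-ADServiceAccount below.
foreach ($h in @($WebHost, $WebFqdn)) {
    setspn -U -S "http/$h" "$Domain\$ServiceAcct"
    if ($LASTEXITCODE -ne 0) { throw "setspn failed for http/$h (duplicate SPN?)" }
}

# Steps 6-9: constrained delegation to the listed back-end services only.
$Targets = @()
$Targets += $DataArchives | ForEach-Object { "PIServer/$_" }
$Targets += $AfServers    | ForEach-Object { "AFServer/$_" }
Set-ADUser -Identity $ServiceAcct -Replace @{ 'msDS-AllowedToDelegateTo' = $Targets }
# TrustedForDelegation off = no unconstrained delegation; "Use Kerberos only" also
# keeps protocol transition (TrustedToAuthForDelegation) off.
Set-ADAccountControl -Identity $ServiceAcct -TrustedForDelegation $false `
    -TrustedToAuthForDelegation (-not $KerberosOnly)

# Verify: SPNs and delegation targets should match exactly what was intended.
setspn -L "$Domain\$ServiceAcct"
Get-ADUser -Identity $ServiceAcct -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation |
    Select-Object Name, TrustedToAuthForDelegation,
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join '; ' } }
```

The final Get-ADUser output is the check worth keeping in a change record: any target beyond the PIServer and AFServer entries you listed, or TrustedToAuthForDelegation set to True when Kerberos-only was intended, means the account has more delegation rights than this procedure calls for.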