Enable Kerberos delegation
- Last UpdatedJan 31, 2025
- 2 minute read
Note: This section doesn't apply if installing in an environment whose end users only use OpenID Connect authentication.
To enable AVEVA PI Vision to connect using Windows Integrated Security (WIS), configure Kerberos delegation for the AVEVA PI Vision application server. In most organizations, Kerberos delegation is typically enabled by an IT administrator. Kerberos delegation also requires configuration for PI AF server. For more information, see the PI AF and Kerberos section of the PI AF server help.
To learn more about Kerberos delegation, see the Microsoft article Microsoft Kerberos.
The procedures to configure constrained delegation assume you are accessing the web server with a NetBIOS name, such as https://webServer/PIVision.
Note: If you are using a custom host name instead of a NetBIOS name, see the Microsoft Developer article Service Principal Name (SPN) checklist for Kerberos authentication with IIS 7.0/7.5.
If your system components meet the necessary requirements, you may alternatively opt to configure resource-based constrained delegation using Active Directory cmdlets in PowerShell. For more information, see Configure resource-based constrained delegation. To enable resource-based constrained delegation, both the front-end and back-end account domains must have Server 2012 level or higher KDCs. The front-end server must be running on a Microsoft Windows Server 2012 or later operating system.
In some cases, you may want to use a custom DNS Alias rather than the machine name to access the AVEVA PI Vision application. Using a custom DNS Alias impacts AVEVA PI Vision in the following ways:
-
Kerberos authentication: See Configuring Kerberos for DNS Aliases (ANAME and CNAME) for additional details.
-
Search capability: Configuring PI Vision to be accessed by a DNS Alias
Follow the appropriate procedure, depending on your type of service account.