Enable Kerberos delegation using a default machine account
- Last updated: Apr 07, 2025
Note: This section doesn't apply if installing in an environment whose end users only use OpenID Connect authentication.
By default, the application pools and Windows services associated with AVEVA PI Vision use the following accounts:
| Service | Account |
|---|---|
| PIVisionAdminAppPool | NT Authority\Network Service |
| PIVisionServiceAppPool | NT Authority\Network Service |
When this configuration is used, the HOST service principal names (SPNs) below must exist for the machine account of the AVEVA PI Vision application server. These SPNs are registered automatically when the computer joins the domain, but you can verify them by listing the SPNs registered for the machine account, which should include the following two entries:
- HOST/netbios-server-name
- HOST/fully-qualified-DNS-name
Kernel mode authentication is enabled in Internet Information Services (IIS) by default and it should remain enabled for this configuration.
For more information about SPNs, see the Microsoft TechNet article Service Principal Names.
1. On your domain controller, open Active Directory Users and Computers.
2. Select Computers under the domain of the AVEVA PI Vision application server.
3. Right-click the AVEVA PI Vision application server and select Properties.
4. In the Properties window, select the Delegation tab and specify a trust setting for the computer. Select the following options:
   - Trust this computer for delegation to specified services only
   - Use any authentication protocol

   Selecting Use any authentication protocol enables protocol transition: AVEVA PI Vision can authenticate users with NTLM and still use Kerberos delegation to the services specified in the next step.
5. Add services for each Data Archive server that AVEVA PI Vision will access.
   - Select Add to open the Add Services window.
   - Select Users or Computers.
   - Enter the name of your Data Archive server and then select Check Names.
   - Select OK to return to the Add Services window populated with the list of all service types.
   - From the Available services list, select PIServer and then select OK to add the SPN for the Data Archive server.
6. Add services for each PI AF server that AVEVA PI Vision will access. Repeat step 5, but enter the name of your PI AF server and select AFServer as the service type.

   Note: If the PI AF server runs as a custom service account, search for the PI AF server SPN by that service account rather than by the machine name.

   The services that you added appear in the Properties window.
7. Select Apply.
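The following PowerShell script is an added verification example, not part of the AVEVA documentation or product. It checks, against Active Directory, both prerequisites this page describes: that the HOST SPNs exist for the application server's machine account, and that the Delegation tab settings from the procedure above were applied (constrained delegation to the listed PIServer/AFServer SPNs with protocol transition enabled, rather than unconstrained delegation). It uses the .NET DirectorySearcher class, so the ActiveDirectory module is not required. The server name and the expected target SPNs are placeholders to replace with your own values.

```powershell
# Added example (not AVEVA's code): audit the Kerberos prerequisites for the
# PI Vision machine account. Assumes it runs on a domain-joined host with read
# access to the directory. $ServerName and $ExpectedTargets are placeholders.
param(
    [string]$ServerName = 'PIVISION01',   # placeholder NetBIOS name of the PI Vision server
    [string[]]$ExpectedTargets = @(       # placeholder SPNs added on the Delegation tab
        'PIServer/PIDA01', 'PIServer/pida01.example.local',
        'AFServer/PIAF01', 'AFServer/piaf01.example.local'
    )
)

$ErrorActionPreference = 'Stop'

# Locate the computer object by its sAMAccountName (machine accounts end in '$').
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$ServerName`$))"
$null = $searcher.PropertiesToLoad.AddRange([string[]]@(
    'servicePrincipalName', 'msDS-AllowedToDelegateTo', 'userAccountControl', 'dNSHostName'))
$result = $searcher.FindOne()
if (-not $result) { throw "Computer account '$ServerName`$' was not found in Active Directory." }

# Result property names come back lower-cased.
$props      = $result.Properties
$fqdn       = [string]$props['dnshostname'][0]
$spns       = @($props['serviceprincipalname'])
$uac        = [int]$props['useraccountcontrol'][0]
$delegateTo = @($props['msds-allowedtodelegateto'])

function Report([bool]$ok, [string]$what) {
    '{0,-8} {1}' -f ($(if ($ok) { 'OK' } else { 'MISSING' }), $what)
}

# 1. The two HOST SPNs the page requires (short name and FQDN).
foreach ($expected in @("HOST/$ServerName", "HOST/$fqdn")) {
    Report ($spns -contains $expected) $expected
}

# 2. Delegation mode. "Trust this computer for delegation to specified services only"
#    populates msDS-AllowedToDelegateTo; "Use any authentication protocol" sets the
#    TRUSTED_TO_AUTH_FOR_DELEGATION bit in userAccountControl. TRUSTED_FOR_DELEGATION
#    would mean unconstrained delegation, which the procedure above does not use.
$TRUSTED_FOR_DELEGATION         = 0x80000
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000

if ($uac -band $TRUSTED_FOR_DELEGATION) {
    'WARN     Unconstrained delegation is enabled; the procedure expects "specified services only".'
}
Report ([bool]($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)) 'Protocol transition (Use any authentication protocol)'

# 3. Every expected PIServer/AFServer SPN must be in the allowed-to-delegate list, and
#    anything else in that list is flagged so the constrained set stays minimal.
foreach ($target in $ExpectedTargets) {
    Report ($delegateTo -contains $target) $target
}
foreach ($extra in ($delegateTo | Where-Object { $ExpectedTargets -notcontains $_ })) {
    "EXTRA    $extra (not in the expected list; confirm it is still needed)"
}
```

Run it as `.\Check-PIVisionDelegation.ps1 -ServerName PIVISION01` after completing the procedure; every line should read OK, with no WARN or EXTRA entries. Because "Use any authentication protocol" lets the server obtain Kerberos tickets for users who authenticated with NTLM, keeping the msDS-AllowedToDelegateTo list limited to the Data Archive and PI AF SPNs actually in use is the control that bounds what the application server can reach on a user's behalf.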