Set up Kerberos delegation
Last Updated: Apr 07, 2025
Note: This section and its subsections don't apply if installing in an environment whose end users only use OpenID Connect authentication.
In this phase of the installation, you configure Data Archive server authentication for AVEVA PI Vision through Windows Integrated Security (WIS). We recommend that you configure WIS by enabling Kerberos delegation. Kerberos delegation is a network authentication protocol that allows users in a distributed application environment to securely access remote data sources. Kerberos delegation is designed to provide strong authentication for client/server applications by using secret key cryptography. Clients obtain tickets from the Kerberos Key Distribution Center and provide these tickets to servers when connections are established.
WIS requires that you use PI mappings to authenticate users on the Data Archive server. If you are not already using PI mappings to authenticate Data Archive server users, then you first need to set up the requisite PI mappings. See Map the PI identity to the service account.
Caution: We recommend using PI mappings to configure authentication rather than using PI trusts.
If you support AVEVA PI Vision users on mobile devices and you use WIS to authenticate Data Archive server users, you also need to Secure your PI Vision site with HTTPS (if you have not done so) and perform Basic authentication. After enabling Kerberos delegation, follow the instructions in PI Data Archive server authentication on mobile devices.
For the following functionality, Kerberos constrained delegation must be configured between the AVEVA PI Vision application server and the PI AF server, or Basic authentication must be configured for the AVEVA PI Vision web application:
- Event acknowledgement and annotation
- Event search criteria
- Collection search criteria
- Asset-comparison-table search criteria
The SearchFilterValueSecurity setting in the web.config file controls the behavior of search criteria when filtering on attribute values. This setting is not included by default; if it is required, it must be added manually. To add this setting, add the following entry to the web.config file in the PI Vision root installation folder:
<add key="SearchFilterValueSecurity" value="Auto"/>
The following are valid values:
- Auto: Impersonate the current user if the data reference source has its own security configuration.
- System: Always use the system identity set in the application pool account.
- Disable: Do not allow attribute value filtering.
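The following check is an added example, not AVEVA code: it audits the text of a web.config file for the SearchFilterValueSecurity entry and reports whether it is absent, duplicated, or set to something other than the three values listed above. It assumes the entry sits in the `<appSettings>` section and that values must match the listed spelling exactly; the function name and the sample files are constructed for illustration.

```python
import xml.etree.ElementTree as ET

KEY = "SearchFilterValueSecurity"
# Valid values and their meanings, as listed on this page.
VALID = {
    "Auto": "impersonate the current user if the data reference source "
            "has its own security configuration",
    "System": "always use the system identity set in the application pool account",
    "Disable": "do not allow attribute value filtering",
}

def audit_search_filter_setting(web_config_xml):
    """Return (status, detail); status is one of
    ok, absent, duplicate, invalid, unparseable."""
    try:
        root = ET.fromstring(web_config_xml)
    except ET.ParseError as exc:
        return ("unparseable", str(exc))
    # Assumption: the entry lives in an <appSettings> section.
    values = [
        add.get("value")
        for section in root.iter("appSettings")
        for add in section.findall("add")
        if add.get("key") == KEY
    ]
    if not values:
        return ("absent", "setting is not present (it is not included by default)")
    if len(values) > 1:
        return ("duplicate", "found %d entries: %r" % (len(values), values))
    # Assumption: exact match; the page does not say whether case is ignored.
    if values[0] not in VALID:
        return ("invalid", "value %r is not one of %s" % (values[0], sorted(VALID)))
    return ("ok", "%s: %s" % (values[0], VALID[values[0]]))

def sample_config(entries):
    """Build a constructed web.config body (not from a real installation)."""
    return "<configuration><appSettings>%s</appSettings></configuration>" % entries

if __name__ == "__main__":
    entry = '<add key="SearchFilterValueSecurity" value="%s"/>'
    for label, xml in [
        ("as documented", sample_config(entry % "Auto")),
        ("default install", sample_config('<add key="Other" value="x"/>')),
        ("unlisted value", sample_config(entry % "Enabled")),
        ("two entries", sample_config(entry % "Auto" + entry % "System")),
    ]:
        print(label, "->", audit_search_filter_setting(xml))
```
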
For information on configuring Kerberos delegation in PI AF server, see PI AF and Kerberos in the PI AF server help.