
PI Web API

Authentication methods

  • Last Updated Mar 20, 2025

PI Web API supports the following authentication methods:

  • Kerberos

  • Basic

  • Bearer

  • Anonymous

The PI Web API configuration item AuthenticationMethods takes an array of authentication methods, which means multiple authentication methods can be specified. If multiple methods are enabled, and multiple authentication types are supplied in a single request, many browsers select Basic authentication. However, if Anonymous authentication is one of the many enabled methods, it overrides other authentication types. For information on setting PI Web API configuration items, see Configuration at runtime.

Note: Certain authentication methods cannot be combined. For example, Bearer and Kerberos are mutually exclusive. See Configure installation settings for additional information on configuring authentication methods.

  • Kerberos

    Kerberos is the only authentication mechanism that is enabled by default in PI Web API. Kerberos provides per-user security that is native to Windows and Active Directory, and that is well supported in Microsoft clients. Kerberos does not rely on credentials being transmitted across the wire, which makes it ideal for use with untrusted connections.

    Use of Kerberos authentication requires the correct configuration of Active Directory delegation for the account hosting the PI Web API service in Active Directory. Correctly configured delegation requires that an Active Directory Domain Administrator grant delegation privileges to the account hosting PI Web API (or in the case of the default virtual service account, to the computer account of the computer hosting PI Web API). Correctly configured delegation also requires that Service Principal Names be correctly set on the account hosting PI Web API. Refer to Commonly encountered problems for detailed steps for resolving issues related to Kerberos delegation.

  • Basic

    Basic authentication is defined in the Request for Comments document RFC 2617 HTTP Authentication and is widely supported across vendors, platforms, and HTTP clients. Basic authentication as implemented in PI Web API is simple to use, provides granular, per-user security based on Windows identity, and can help avoid configuration problems like those related to Kerberos delegation. When combined with SSL, as in all PI Web API requests, Basic authentication is reasonably secure.

    However, Basic authentication is less secure than Kerberos, since Windows user credentials must be included in, and are transmitted with, each request. In addition, Basic authentication requires that PI Web API keep the decrypted username and password in memory for the duration of the request. Even after the request is completed, the credentials can remain in memory until new data overwrites them. You should not use Basic authentication unless you are confident of the security of the server on which you are running PI Web API.

  • Bearer

    Bearer authentication uses the OpenID Connect protocol to obtain information about the user.

    Clients use an access token obtained from the AVEVA Identity Manager (AIM) Server in the header to identify the user.

    Note: The AVEVA Identity Manager (AIM) server is required to use Bearer as an authentication method. AIM is a standalone authentication server which needs to be installed and configured to work with the PI Web API. For more information on installing and configuring AIM, refer to the AVEVA PI Server™ Installation and Configuration guide.

  • Anonymous

    Anonymous indicates no authentication at all on requests to the PI System from the PI Web API. All requests against PI Web API that use Anonymous authentication are served using the Windows account that hosts PI Web API (by default, the virtual service account NT Service\piwebapi).

    We discourage the use of the Anonymous authentication setting. When Anonymous authentication is enabled, we strongly recommend using Read-only mode for PI Web API.
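The rules on this page can be applied to an AuthenticationMethods array before it is deployed. The following Python check is an added example, not AVEVA code; the function name, the read_only parameter (standing in for however Read-only mode is recorded in your environment), the severity labels and the case-insensitive matching are assumptions made for the illustration.

```python
# Added example: audits an AuthenticationMethods array against the rules
# stated on this page. Names and severity labels are hypothetical.
KNOWN = {"kerberos": "Kerberos", "basic": "Basic",
         "bearer": "Bearer", "anonymous": "Anonymous"}

def audit_authentication_methods(methods, read_only=False):
    """Return a list of (severity, message) findings; empty means no issue."""
    findings, enabled = [], set()
    for raw in methods:
        name = KNOWN.get(str(raw).strip().lower())  # assumed case-insensitive
        if name is None:
            findings.append(("error", f"unknown method {raw!r}"))
        else:
            enabled.add(name)
    if not enabled:
        findings.append(("error", "no recognised authentication method enabled"))
    # The page's example of methods that cannot be combined.
    if {"Bearer", "Kerberos"} <= enabled:
        findings.append(("error", "Bearer and Kerberos are mutually exclusive"))
    if "Anonymous" in enabled:
        others = sorted(enabled - {"Anonymous"})
        if others:
            # Anonymous overrides other types, so per-user security is lost.
            findings.append(("high", "Anonymous overrides " + ", ".join(others)
                             + "; requests run as the account hosting PI Web API"))
        if read_only:
            findings.append(("warn", "Anonymous enabled (discouraged); Read-only mode is on"))
        else:
            findings.append(("high", "Anonymous enabled without Read-only mode"))
    if "Basic" in enabled:
        findings.append(("warn", "Basic sends Windows credentials with every "
                         "request and holds them in server memory"))
    return findings

if __name__ == "__main__":
    # Constructed sample configurations, not taken from a real deployment.
    samples = [(["Kerberos"], False),
               (["Kerberos", "Bearer"], False),
               (["Basic", "Anonymous"], False),
               (["Anonymous"], True)]
    for methods, ro in samples:
        print(methods, "read_only=%s" % ro)
        for severity, message in audit_authentication_methods(methods, ro) or [("ok", "no findings")]:
            print("  [%s] %s" % (severity, message))
```
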
