Skip to main content
PISharp

How do I configure Kerberos authentication for PI System?

How do I configure Kerberos authentication for PI System?

Kerberos (Windows Integrated Authentication) is the recommended authentication method for PI System in enterprise environments.

Prerequisites

  • Active Directory domain with a domain controller.
  • PI Data Archive and AF Server joined to the domain.
  • Service accounts for PI services with SPNs registered.

Step 1: Register SPNs

Register Service Principal Names for PI services:

setspn -s piserver/PIDataArchiveHost domain\PIServiceAccount
setspn -s piserver/PIDataArchiveHost.domain.com domain\PIServiceAccount

Step 2: Configure PI Mappings

In PI SMT:

  1. Go to Security > Mappings & Trusts > Mappings.
  2. Create a mapping from the Windows identity to a PI identity.
  3. Example: Map DOMAIN\PIAdmins group to the piadmin PI identity.

Step 3: PI Web API Configuration

In the PI Web API Admin utility:

  1. Set Authentication Method to Kerberos.
  2. Ensure the PI Web API service account has delegation rights in AD.
  3. Configure Constrained Delegation if the Web API needs to impersonate users to PI Data Archive.

Troubleshooting

  • Double-hop issue: PI Web API needs constrained delegation to pass credentials to PI DA.
  • SPN conflicts: use setspn -X to find duplicate SPNs.
  • Clock skew: Kerberos requires clocks synchronized within 5 minutes.
  • Test with klist: run klist tickets to verify Kerberos tickets are being issued.

Fallback

If Kerberos isn't possible (DMZ, cross-domain), use:

  • Basic authentication over HTTPS for PI Web API.
  • PI trusts for non-Windows interfaces.

Want to ask a follow-up?

PiChat can help with your specific PI System use case. Ask follow-up questions, get code examples, and troubleshoot issues.

Ask a Follow-UpTry Without Login

Related Questions

What are the security best practices for PI System?How do I authenticate with PI Web API from Python?

Dive Deeper

Troubleshooting PI Web API Access on Windows Server 2012: The IE Enhanced Security Lesson

More Questions

How do I configure PI AF templates?How do I authenticate with PI Web API from Python?What's the difference between snapshot and archive values in PI?What's the difference between PI Vision and PI ProcessBook?How do I build effective PI Vision displays?What are PI Event Frames and how do I use them?How do I write PI AF Analytics expressions?How do I use PI DataLink in Excel?Should I use PI Web API or AF SDK for my application?How do I write data to PI Data Archive?What are the main components of PI System architecture?How do I optimize PI Data Archive performance?How do I set up the PI Interface for OPC DA?How do I use PI Connector for UFL to import file data?How do I set up PI Data Archive high availability with collectives?What are the security best practices for PI System?How do I migrate PI Data Archive to a new server?How do I connect Power BI to PI System?How do I manage units of measure in PI System?What's the best way to learn PI System?How does PI time syntax work?What are good PI tag naming conventions?How do I access PI System data from Java or Linux?How do I set up PI AF notification rules?How do I use batch requests in PI Web API?How do I connect to PI AF Server using AF SDK in C#?How do I write VBA macros in PI ProcessBook?How does PI data compression work?How do I get real-time streaming updates from PI Web API?How do I troubleshoot PI AF Analysis errors?How do I write SQL queries against PI using PI OLEDB?What is PI interface buffering and how do I configure it?How do I search and query PI Event Frames?What is PI Integrator for Business Analytics?How do I fix the 'Point does not exist' error in PI System?What is the difference between PI ACE and AF Analytics?How do I manually enter data into PI Data Archive?What are AF hierarchy design best practices?What is a WebID in PI Web API and how does it work?Can I deploy PI System in the cloud?How do I calculate summaries (average, total, min, max) in PI?What are PI digital states and how do I use them?How do I connect PI System data to Grafana?How do I backup and restore PI Data Archive?How do I create custom symbols in PI Vision?How do I automate PI System tasks with PowerShell?What is AVEVA Connect and how does it relate to PI System?How do I check and handle data quality in PI System?How do I handle pagination in PI Web API responses?How does AVEVA PI System licensing work?How do I plan a PI System upgrade?