Public computer in Windows Kiosk mode accessing PiVision

Hi,

I would like to set up a "Public" computer inside our office that can access PiVision from Windows Kiosk mode (no Windows login necessary). The computer is on the same AD as the PI System, but I do not want to log in to PiVision using an AD-mapping account since the password is too complex and also it should not be revealed since the environment is restricted.

My first approach was to get the web browser to remember the AD login credentials, but that doesn't seem to work when you are in Windows Kiosk mode. (Is there a way to solve this?)

I'm now thinking of using the old piusers group and creating a demo user with read access to some PI tags. The password would then be the same as the username and it would be easy to log in to PiVision again if someone has closed the browser. The problem is that I don't know how to "enable" the piusers group; is it even possible to use the old piusers group in parallel with Windows mapping?

There might be a completely different and better approach to solve my problem that I haven't thought of. I would appreciate it if someone shared their experience in similar cases or helped me on the way with the piusers group.

Thanks

Best regards,

Pär

  • If the computer is in the same AD domain as the PI System, then have the computer logged into a standard AD user account and use that to pull up PI Vision. If your system is set up correctly, Kerberos delegation won't require users to re-enter the password of the account if they close the browser.

  • Yes, you are correct, and that is the way it is set up currently. The problem with this is that whenever the machine is rebooting I have to log on with the AD user again, and I don't want to share the password, which means I have to log in myself. We have several offices that would like to have a public computer for PiVision; that is why I want to be able to run Windows in Kiosk mode so that the login is done automatically at every reboot.

  • Is it Windows 10/11 or a server? Because you can configure automatic login for specific users.

  • Hi Pär

    I had just written a rather long answer but then my browser crashed, so I'm keeping it short when rewriting it.

    Which versions of PI System and PI Vision are you using? The 2023 versions introduce token-based authentication, which could help you in this case. Modern authentication includes the use of external identity providers (Facebook/Google for non-business apps, Microsoft etc. for business apps); these support/require two-factor authentication, which is fine if there's an actual user trying to "get in". But in the cases of services or other unattended processes needing to authenticate, there's something called the Client Credentials Flow, e.g. in Microsoft Azure AD (now MS Entra ID). This allows your IT dept. to set up non-interactive access for a specific process, and this process would then use a provided client_id (user id) and client_secret (password) when authenticating. Since this allows the unattended process to authenticate without a 2FA code, you set the validity period for the client_secret from the server side. I've seen 1 year being used in many situations, meaning the access is only valid for one year; then a new client_secret needs to be generated.

    If you set up your public computer without Windows login, I guess you should be able to auto-login and start your browser in fullscreen with kiosk mode, and then have authentication done using the client credentials flow.

    Have a look at the Modern Authentication section in the PI Vision 2023 release notes.

  • Thank you both for your answers. This is a Windows 11 computer and we are using PI Vision 2023. Since it is part of an AD, I can't change the login configuration myself. There are certain policies that prevent me from altering the login. Anyway, I was thinking that it might be possible to make special policies for this particular demo user and this specific computer. For example, this user can only log on to this computer, and does not need to sign in with a password, or maybe a simple password (lighter password policy). As a second step, also tighten the security on the particular machine. I am no expert in Windows Active Directory, but is this possible to achieve? If not, I will look into your suggestion, Asle.

  • I would probably set up another computer than an AD-joined Windows 11 machine for this. If the whole purpose of this machine is to show PI Vision displays, I would look into a single-board computer, such as a Raspberry Pi, and configure it to auto-start the browser with the correct display when the computer starts up. You don't need to connect a keyboard/mouse; just have it run the browser on computer startup. You may need to write a script that does the authentication for you.
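As an added example, not code from this thread or from the PI Vision product, here is the client credentials flow Asle describes and the kind of "authentication script" the last reply mentions, in Python: the unattended kiosk process obtains a bearer token with its client_id and client_secret, caches the token until shortly before it expires, and surfaces the invalid_client error an identity provider returns once the client_secret's validity period has lapsed. The token endpoint, scope and credentials are placeholders you would replace with your identity provider's values; the `transport` and `clock` parameters are assumptions that let the class be exercised offline.

```python
import base64
import json
import time
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Placeholder token endpoint (assumption); the real URL comes from your identity provider.
TOKEN_URL = "https://idp.example.invalid/oauth2/token"


class ClientCredentialsSession:
    def __init__(self, token_url, client_id, client_secret, scope,
                 transport=None, clock=time.time):
        self.token_url, self.client_id = token_url, client_id
        self.client_secret, self.scope = client_secret, scope
        self._transport = transport or self._http_post  # injectable for offline tests
        self._clock = clock
        self._token, self._expires_at = None, 0.0

    def build_request(self):
        # client_secret_basic: credentials travel in the Authorization header, not the URL
        body = urlencode({"grant_type": "client_credentials", "scope": self.scope}).encode()
        creds = base64.b64encode(f"{self.client_id}:{self.client_secret}".encode()).decode()
        headers = {"Authorization": f"Basic {creds}",
                   "Content-Type": "application/x-www-form-urlencoded"}
        return body, headers

    def _http_post(self, url, body, headers):
        req = Request(url, data=body, headers=headers, method="POST")
        try:
            with urlopen(req, timeout=10) as resp:
                return resp.status, json.load(resp)
        except HTTPError as err:  # identity providers return a JSON error body with 4xx
            return err.code, json.load(err)

    def access_token(self):
        # Reuse the cached token until 60 s before expiry, then request a fresh one.
        if self._token and self._clock() < self._expires_at - 60:
            return self._token
        status, payload = self._transport(self.token_url, *self.build_request())
        if status != 200:
            error = payload.get("error", "unknown_error")
            if error == "invalid_client":  # typical once the client_secret has expired
                raise PermissionError("client_secret rejected; generate a new secret in the IdP")
            raise RuntimeError(f"token request failed: {error}")
        self._token = payload["access_token"]
        self._expires_at = self._clock() + int(payload.get("expires_in", 0))
        return self._token
```

The kiosk script then sends `Authorization: Bearer <token>` with each request; because the secret has a server-set validity period, monitoring for the PermissionError is what tells you it is time to rotate it.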