PI Vision AD User Authentication

Hi,

We have been using local users configured in the PI User Group to allow access to PI Vision. We are now moving to AD Authentication. Is the process as simple as adding domain users on the AD to the Local User folder? The only other documentation I saw was in Live Library in regards to the ADMIN group: PI Vision

 

Thoughts?

 

Thanks,

Jared

  • Hi Jared,

    You are correct that the local PI Vision Users group is used to authorize clients in IIS. So if the client is authenticating with an AD user who is in that local group it should be that simple! For PI security, you need to make sure the users have a valid mapping so they can search for and access tags and attributes. You also need to configure delegation if using WIS from the web server to the Data Archive and AF Server to maintain point level security (assuming the webserver and DA/AF are on separate nodes).

     

    KB01223 has more information on configuring browser security

    This Live Library article has more information on enabling Kerberos delegation

  • Dear Jared,

    I need your assistance. I just read your message. My case is different: we would like to implement PI Vision outside the AD environment, like your current situation. Is it possible to share your experience with me, please? The main issue we have now is how to set up user authentication locally. We have PI DA & AF installed on the same server, and PI Vision will be installed on another server, but both servers are in the same network. But clients should access PI Data resources from the Business network, passing through the Firewall.

  • Assuming that you're not using AVEVA PI Server 2023, then Kerberos delegation is required to allow users to properly retrieve data from the Data Archive & Asset Framework servers (see "Setting up Kerberos delegation", aveva.com). It may be possible to do domain trusts between the two networks to get Kerberos Delegation working, but I'm not 100% on that.

     

    The best solution is to bring the data up from the lower environment to a separate system in the business network so that users can access it. PI Server 2023 may make things a little easier, but the IDP needs to be accessible in both networks for authentication to work.
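
Added example, not part of the thread or of AVEVA's documentation: a PowerShell audit of the two settings the replies describe, membership of the local PI Vision Users group and Kerberos delegation on the web server's service identity. It assumes an elevated session on the PI Vision web server, the RSAT ActiveDirectory module, and an app pool running as a domain user account; the account name `svc-pivision` is hypothetical.

```powershell
# Added example. Assumptions: elevated session on the PI Vision web server,
# RSAT ActiveDirectory module installed, app pool runs as a domain user account.
param(
    [string]$LocalGroup     = 'PI Vision Users',   # local group named in the reply
    [string]$ServiceAccount = 'svc-pivision'       # hypothetical app pool identity
)
Import-Module ActiveDirectory

# 1. IIS authorization: list group members and where each principal lives.
$members = Get-LocalGroupMember -Group $LocalGroup
$members | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# Leftover local accounts sit outside AD controls (password policy, offboarding).
$localOnly = @($members | Where-Object { $_.PrincipalSource -eq 'Local' })
if ($localOnly.Count -gt 0) {
    Write-Warning "Local accounts still authorized: $($localOnly.Name -join ', ')"
}

# 2. Kerberos delegation on the identity that calls the Data Archive / AF Server.
$props = 'TrustedForDelegation', 'TrustedToAuthForDelegation',
         'msDS-AllowedToDelegateTo', 'ServicePrincipalName'
$acct = Get-ADUser -Identity $ServiceAccount -Properties $props

if (-not $acct.ServicePrincipalName) {
    Write-Warning "$ServiceAccount has no SPN registered."
}
if ($acct.TrustedForDelegation) {
    # Unconstrained delegation lets the account impersonate users to any service.
    Write-Warning "$ServiceAccount uses unconstrained delegation; restrict it to specific services."
} elseif ($acct.'msDS-AllowedToDelegateTo') {
    'Constrained delegation targets:'
    $acct.'msDS-AllowedToDelegateTo'
    "Protocol transition enabled: $($acct.TrustedToAuthForDelegation)"
} else {
    Write-Warning "No delegation targets on $ServiceAccount (resource-based delegation, if used, is set on the target servers)."
}
```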