There is a discrepancy between the PDF and online versions of the documentation: Task 2: Enable Service account for Kerberos Constrained Delegation. It should be "Use Kerberos only" for both.
The answer to your following to questions is yes. Are you running into issues?
Thank you for your reply.
I don't see any discrepancy between the PDF and the online version. They are exactly the same.
- Answer 1 and 3 is clear. Thank you.
I have done several Coresight installations where delegation for the Coresight service account has to be set for the PI server and the AF service account as well. But adding the service account(in this case the 'PI Integrator Service Account') to it's own delegation seems odd! Also the screenshots in the manual do not show that the service account itself is added.
If you run into an issue where you can not set up another delegation, because you have more stuff on 1 server node. It might be a good idea to start using the new 'Resource based constrained delegation' for the PI Integrator for business analytics.
At first it might look difficult because you have to go back in using commands (in PowerShell) in stead of using a nice GUI.
But I hope with the KN 01222 of OSIsoft and this screenshot it is a piece of cake.
The active directory user account for PI Integrator for Business Analytics in the screenshot is; 'piintbasa' and
the active directory user account for AF server is; 'afservice'
Resource Based Delegation is amazing, but keep in mind the requirements: Server 2012+ required on all involved KDCs and the front-end machine (in this case, the Integrator).
1 of 1 people found this helpful
I like to add to my post the case where you want to use gMSA(group managed service account) in stead of a normal user account.
In stead of get-ADuser and set-ADuser, you have to use get-ADServiceAccount and set-ADServiceAccount.