AnsweredAssumed Answered

Question about exactly what tasks require Kerberos over Basic HTTPS authentication

Question asked by calarrick on Dec 11, 2016
Latest reply on Dec 12, 2016 by gregor

From following the documentation and some of the other discussions here, I was under the impression that a client needed to authenticate via Kerberos (so, in effect, via a MS Active Directory domain) to access the "Search" API endpoint at all. But this doesn't seem to be the case using the just-launched devdata.osisoft.com demo. For example, a test query like this "https://devdata.osisoft.com/piwebapi/search/query?q=name:Sinusoid does seem to return the correct response, using a client (Postman) that is incapable, at least as I have it configured, of Kerberos auth.

 

A guess: Is it the case that *some* web client somewhere has to connect via Kerberos to invoke indexing or re-indexing, but that if this happens it is possible for other web clients to query against the indexed results? Does it depend on how users/delegation are configured on the PI server side? Until now, I've been developing against a test PI system on an Azure VM, which has been a functional approach in many ways, but it has been either impossible or impractical to emulate an enterprise-like IT/security environment with AD domains. As such, we've been unable to explore indexed search until now and remain unable to experiment too much with how server-side/Windows-side configuration might affect the behavior of the endpoints.

 

Thanks for any insights, "experimental" or otherwise!

Outcomes