1 Reply Latest reply on Dec 12, 2016 7:38 AM by gregor

    Question about exactly what tasks require Kerberos over Basic HTTPS authentication


      From following the documentation and some of the other discussions here, I was under the impression that a client needed to authenticate via Kerberos (so, in effect, via a MS Active Directory domain) to access the "Search" API endpoint at all. But this doesn't seem to be the case using the just-launched devdata.osisoft.com demo. For example, a test query like this "https://devdata.osisoft.com/piwebapi/search/query?q=name:Sinusoid does seem to return the correct response, using a client (Postman) that is incapable, at least as I have it configured, of Kerberos auth.


      A guess: Is it the case that *some* web client somewhere has to connect via Kerberos to invoke indexing or re-indexing, but that if this happens it is possible for other web clients to query against the indexed results? Does it depend on how users/delegation are configured on the PI server side? Until now, I've been developing against a test PI system on an Azure VM, which has been a functional approach in many ways, but it has been either impossible or impractical to emulate an enterprise-like IT/security environment with AD domains. As such, we've been unable to explore indexed search until now and remain unable to experiment too much with how server-side/Windows-side configuration might affect the behavior of the endpoints.


      Thanks for any insights, "experimental" or otherwise!