3 Replies Latest reply on Oct 12, 2017 12:35 PM by maristone

    Service account(s) for different PI Buffer Subsystem

    andymai

      Hello everyone,

       

      I have more than one interfaces. Do I need to have different service accounts to run PI Buffer Subsystem for them?

       

      In this course, the PI DA and PI interface node are in the same domain. In our organization, the interface nodes are usually in control network domain which is separated from the IT domain in which the PI DA resides. How would I create the map between the service account in control network domain and the PI identity for buffering in the IT domain?

       

      Any thoughts?

       

      Thank you.

       

      Andy M

       

        • Re: Service account(s) for different PI Buffer Subsystem
          maristone

          Hi Andy,

           

          You would not need to create a different service account to run the PI Buffer System.  In your situation (as we discussed this in office hours) since your interfaces are on the same node they both will actually send data under the same buffering service.

           

          If your interface and Data Archive are on separate domains then it will likely not be as straight forward to create a mapping.  The reason is both the interface and the Data Archive need to be able to recognize the account running Buffering and authenticate it.  There are options like using Windows Credential Manager but this would be something you would need to discuss with your IT to find out if they have anything already in place for cross domain authentication.

           

          Regards,

           

          Menotti Aristone

            • Re: Service account(s) for different PI Buffer Subsystem
              andymai

              Thank you Menotti. I just want to extend the discussion a little more. There is a PI Server_A in Domain_A and PI Server_B in Domain_B. There are PI2PI interfaces in those servers to send data to a Server_C in in Domain_C. IT set up trusts in the background among all three domains. My questions are:

              1. Can I map a service account in Domain_A to a PI Identity in Domain_C?

              2. If yes, do I need two separate PI Identities in Server_C, one for mapping from Server_A service account, one for mapping from Server_B service account?

              3. What would be different if I have PI2PI interfaces running in Server_C (pulling data instead of pushing)? Is there any mapping/trust needed between the servers?

               

              Thanks again,

               

              Andy Mai

                • Re: Service account(s) for different PI Buffer Subsystem
                  maristone

                  Hi Andy,

                   

                  So if your architecture for the PI to PI interfaces is there is a PI to PI interface sending data from Server A to Server B, and another PI to PI interface sending data from Server A to Server C then the answer to your questions will be as follows:

                   

                  1.  It is possible that you could map a service account but like I said in the early response that account needs to be present on both machines.  For example if you run buffering on PI Server as the account ServerA\BufferServiceAcct then Server B would need to be able to authenticate that account.  Something like Windows Credential Manager could be used to manage accounts across domains.  Click here (Credential Manager (Windows) for more information.

                   

                  2.  You are able to use one identity for multiple mappings.  So if you had two things connecting to Server C then you would need two mappings but each of those could point to the same PI Identity.

                   

                  3.  If you are pulling data rather than pushing nothing security wise would need to change.  The interface (and buffering if used) will need to be able to read data from the source server and write data to the destination server.  We generally recommend pushing data though see this KB for more information (https://techsupport.osisoft.com/Troubleshooting/KB/KB00266/).

                   

                  Regards,

                   

                  Menotti Aristone