1 Reply Latest reply on May 9, 2018 11:11 AM by lmlcoch

    PI Web API account change and gMSA

    Floris Zwaard

      I want to run the PI Web API under a group Managed Service account.


      From the PI Web API manual and from past experience with the 2014/2015 and 2016 releases, I know this:

      Changing the Service Account

      Problem: Changing the PI Web API service account after installation causes problems with the service: the service may fail to start or fail to serve requests as expected.

      Solution: Run the PI Web API Admin Utility and set the PI Web API service account.

      source: PI Web API


      The utility does not allow leaving the password field empty, not even when adding '$' at the end of the account name.

      From Lubos Mlcoch's blog post I see he changes the account under services.msc (Windows Services).

      So we did the same in our latest deployment (2017 R2) and it worked!


      In the release notes of the PI Web API 2017 R2, I see this line:

      'Merge Channel controller to the core services'

      Does this change have anything to do with the fact that we are allowed to change the Identity (Windows Service account) through Windows Services instead of with the Utility only?

        • Re: PI Web API account change and gMSA

          It's just a workaround.

          We do have a Work Item for official gMSA support, but it hasn't been implemented yet. After changing the account in Services.msc, you still need to run through the PI Web API Admin Tool to grant the necessary permissions to the account. The reason for changing to gMSA via Services.msc is that then the Admin Tool won't ask for an account/password combination, so it'll be able to finish (and therefore grant the necessary permissions to the account).

          1 of 1 people found this helpful
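
A read-only check that fits between the two steps of the workaround above (after changing the logon account in Services.msc, before running the Admin Tool). It is an added example, not part of the original thread or OSIsoft's tooling. Both parameter values are placeholders you supply, and it assumes the RSAT ActiveDirectory module is installed on the PI Web API host.

```powershell
# Added example: confirm the service now logs on as the intended gMSA and that
# this host can actually use that gMSA, before running the PI Web API Admin Tool.
param(
    [Parameter(Mandatory)] [string]$ServiceName,  # service name as shown in services.msc (you supply it)
    [Parameter(Mandatory)] [string]$GmsaAccount   # e.g. DOMAIN\account$ (you supply it)
)

Import-Module ActiveDirectory -ErrorAction Stop   # provides Test-ADServiceAccount

function Get-SamName([string]$Account) {
    # Accepts DOMAIN\name$ or name$@domain.fqdn and returns the bare name$ in lower case
    ($Account -replace '^.*\\', '' -replace '@.*$', '').ToLowerInvariant()
}

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found on this host." }

$expected = Get-SamName $GmsaAccount
$actual   = Get-SamName $svc.StartName

# Test-ADServiceAccount returns $false (with a warning) when this computer is
# not permitted to retrieve the gMSA password; the service would then fail to start.
$usable = [bool](Test-ADServiceAccount -Identity $expected.TrimEnd('$') `
                    -WarningAction SilentlyContinue)

$result = [pscustomobject]@{
    Service         = $svc.Name
    LogonAccount    = $svc.StartName
    State           = $svc.State
    LooksLikeGmsa   = $actual.EndsWith('$')      # managed accounts end in '$'
    MatchesExpected = ($actual -eq $expected)
    GmsaUsableHere  = $usable
}
$result

if (-not ($result.MatchesExpected -and $result.GmsaUsableHere)) {
    Write-Warning 'Fix the logon account or gMSA host permissions before running the Admin Tool.'
}
```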