I'd like to allow PI Vision to search my databases without having the authentification set to "Kerberos". Is it possible?
You could use Basic Authentication.The following is from KB01709:
Basic Authentication is an alternative to using Windows Integrated Security in PI Vision. During basic authentication, end users must manually enter their username and password in their browser to be sent in an unencrypted format to the PI Vision server. With these credentials, PI Vision constructs a Windows token with which it can access the PI AF Server and PI Data Archive. This authentication method precludes the need for Kerberos delegation, making it more easily compatible in multi-domain scenarios. Due to the unencrypted transmission of credentials, it is critical to protect communications with PI Vision using HTTPS and TLS when using basic authentication.
If IIS is on the same node as the Data Archive and AF Server, you could also authenticate with NTLM and PI Vision will impersonate your user to the other resources on the node depending on group policy settings. If the Web Server is on a different node you would need to configure delegation if using WIS.
The following Live Library article shows how to enable Basic authentication: https://livelibrary.osisoft.com/LiveLibrary/content/en/vision-v2/GUID-9CF76AC8-BBB9-4E1C-A77C-63373901E64A
Does this information help? Or are you having an issue with the Web API and/or crawler connecting to the databases?
Could you please let us know the reason why you would like to turn off Kerberos. You can add trust based but it is not recommended. Rather I would suggest creating a service account and set delegation set for the service account and PI system(AF and PI data archive)
Lal Babu Shaik
I'm having quite a lot of trouble whenever I use Kerberos so for now I want to bypass it. I know it's not recommended but I'm building an interface modele which will be improved upon later.
I'll look into PI documentation to see how to implement trusts.
Oops, I was working on a response before I saw your reply. I agree that Kerberos is the recommended authentication method. Basic authentication will also maintain point level security if Kerberos is not an option.
Thanks for the information.
Basic authentication works! It does mess with my requests but I think I can fix them. The Web API and the crawler have no problem connecting to the database, even with Kerberos on. Having Kerberos do stop me from searching the API via a browser.
How good would you say basic authentication and https are in term of security?
Retrieving data ...