I am working with a customer to set up interfaces on remote sites to connect with their central PI DA server. They would prefer to use WIS (Kerberos) for comms between the interfaces and PI, as it is more secure than the other available mechanisms such as PI trusts, replicated accounts on client/server, or Windows Credential Manager. However, the clients (interface nodes) are each in their own DMZ domain, which is different from the standard corporate domain that the PI Server is in. The DMZ domains trust the corporate domain but not vice versa.
The main article I can find discussing this (https://customers.osisoft.com/s/knowledgearticle?knowledgeArticleUrl=KB00354) insists that the server domain must trust the client domain in order for Kerberos authentication to work. However, it seems more intuitively correct for the more vulnerable remote site domain to trust the server (corporate) domain, as in this case.
Is there any way to configure WIS so that straight WIS authentication will work? E.g. can a service on the interface node (in the DMZ domain) be run using an account in the corporate domain which it trusts?