Power BI Service SSO via Inbound Kerberos

After setting up Kerberos connections to XMLA endpoints, you can configure the Power BI Service to use those Kerberos connections. This document gives an overview of the setup that AtScale verified for this scenario. It is based on Microsoft's Configure Kerberos-based SSO from Power BI service to on-premises data sources documentation; refer to it for more details.

Basic configuration

  1. Install and configure the Microsoft on-premises data gateway.

    The on-premises data gateway supports an in-place upgrade and settings takeover of existing gateways.

  2. Obtain domain admin rights to configure SPNs (SetSPN) and Kerberos constrained delegation settings.

Configuring SPNs and Kerberos delegation settings requires domain admin rights. Rather than granting those rights to an account that does not already have them, have a domain administrator perform these steps. For more information, see the following section.

  3. Configure the Gateway service account.

    • It is recommended to run the gateway Windows service as a domain account with an SPN, unless you have Azure AD Connect configured and user accounts are synchronized.
    • In a standard installation, the gateway runs as the machine-local service account, NT Service\PBIEgwService.
    • To enable Kerberos constrained delegation, the gateway must run as a domain account, unless your Azure Active Directory (Azure AD) instance is already synchronized with your local Active Directory instance (by using Azure AD DirSync/Connect). To switch to a domain account, see Change the on-premises data gateway service account.

Configuring SPN for the gateway service account

Here, you should first determine whether an SPN was already created for the domain account used as the gateway service account:

  1. As a domain administrator, launch the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in.

  2. In the left pane, right-click the domain name, select Find, and then enter the account name of the gateway service account.

  3. In the search result, right-click the gateway service account and select Properties.

  4. If the Delegation tab is visible on the Properties dialog, then an SPN was already created and you can skip to Configure Kerberos constrained delegation.

  5. If there isn't a Delegation tab on the Properties dialog box, you can manually create an SPN on the account to enable it.

    • Use the setspn tool that comes with Windows (you need domain admin rights to create the SPN).

    • For example, suppose the gateway service account is Contoso\GatewaySvc and the gateway service is running on the machine named MyGatewayMachine. To set the SPN for the gateway service account, run the following command:

      setspn -S gateway/MyGatewayMachine Contoso\GatewaySvc

    • You can also set the SPN by using the Active Directory Users and Computers MMC snap-in.
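The following PowerShell script is an added example, not code from the original page or from the Microsoft or AtScale documentation. It automates the two checks described above: whether the gateway service is running as a domain account rather than the default NT Service\PBIEgwService account, and whether the gateway SPN is already registered (on the gateway service account, or, worse, on some other account), before registering it with setspn -S. The domain contoso.local / CONTOSO, the service account CONTOSO\GatewaySvc and the host MyGatewayMachine are assumed names; it must be run as a domain administrator on a machine with the RSAT ActiveDirectory module installed.

```powershell
# Added example, not part of the original page or of the Microsoft/AtScale docs.
# Assumed (hypothetical) names: domain contoso.local (NetBIOS CONTOSO),
# gateway service account CONTOSO\GatewaySvc, gateway host MyGatewayMachine.
# Run as a domain administrator on a machine with the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$NetbiosDomain  = 'CONTOSO'
$GatewayAccount = 'GatewaySvc'
$GatewayHost    = 'MyGatewayMachine'
$Spn            = "gateway/$GatewayHost"

# 1. Which account does the gateway service run as on this machine?
#    Kerberos constrained delegation needs a domain account, not the default
#    NT Service\PBIEgwService virtual account.
$svc = Get-CimInstance Win32_Service -Filter "Name='PBIEgwService'"
if (-not $svc) {
    Write-Warning 'PBIEgwService not found; run this on the gateway machine or skip this check.'
} elseif ($svc.StartName -like 'NT Service\*') {
    Write-Warning "Gateway runs as $($svc.StartName); switch it to $NetbiosDomain\$GatewayAccount before configuring delegation."
} else {
    Write-Host "Gateway runs as $($svc.StartName)"
}

# 2. Is the SPN already on the gateway service account? (A registered SPN is what
#    makes the Delegation tab appear in Active Directory Users and Computers.)
$acct = Get-ADUser -Identity $GatewayAccount -Properties servicePrincipalName
if ($acct.servicePrincipalName -contains $Spn) {
    Write-Host "SPN $Spn already registered on $GatewayAccount; proceed to constrained delegation."
    return
}

# 3. Is the SPN registered on some other account? A duplicate SPN makes the KDC
#    issue service tickets for the wrong principal, so it must be resolved there,
#    not overwritten here.
$owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties servicePrincipalName
if ($owner) {
    throw "SPN $Spn is already registered on $($owner.DistinguishedName); remove it there first."
}

# 4. Register the SPN. setspn -S checks the forest for duplicates before adding,
#    which is why it is preferred over setspn -A.
setspn -S $Spn "$NetbiosDomain\$GatewayAccount"

# 5. Verify: list every SPN now registered on the gateway service account.
setspn -L "$NetbiosDomain\$GatewayAccount"
```

The duplicate check in step 3 is the one most often skipped when this is done by hand in the MMC snap-in; the snap-in will happily let you type an SPN that already belongs to another object, and the resulting intermittent KRB_AP_ERR_MODIFIED failures are hard to trace back to it.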