Juramirez
Resolver I

Parsing WS-Trust Power BI embedded

Hi all

 

I'm having a problem when embedding a report, the following exception appears:

parsing_wstrust_response_failed: Parsing WS-Trust response failed 

 

What could it be?

 

Regards

J.

14 REPLIES
v-ljerr-msft
Employee

Hi @Juramirez,

 

Could you do some debugging on your application to find out which code you're using is throwing this error, and post the code here? So that we can better assist on this issue.

 

Regards

Hi @v-ljerr-msft

 

Thanks for the reply. This is the code that is giving me the exception:

 

var authenticationResult = await authenticationContext.AcquireTokenAsync("https://analysis.windows.net/powerbi/api", "CLIENT ID FROM AZURE", credential);

It works inside a development server but in a production server it marks the exception. How can I solve it? Why is it happening?

 

Regards

JR

Hi @v-ljerr-msft. Any update about this? Still facing this problem :S

 

Regards

J.

Anonymous
Not applicable

Any update on this please? Sitting with the same problem...

Hello, we are facing the same issue. Any update?

Anonymous
Not applicable

Did an nslookup on analysis.windows.net... No answer. Strange, this is...

In our case, ADFS was blocked for passive authentication requests from outside the network. 

 

Try to enable ADAL logging to check where the error comes from.

Anonymous
Not applicable

Seems you're right. Busy troubleshooting with MS and it seems to be related to ADFS. They also suggested direct authentication. More updates to follow...

@Anonymous, can you please update how this issue is being addressed? Applying HRD policy is not an option our security guys are entertaining.

Anonymous
Not applicable

 

 

The sample I'm using is using the Resource Owner Password Credentials (ROPC) flow for authentication. With this authentication flow, my application just sends the username and password to Azure AD. However, Azure AD uses WS-Trust with ADFS to send the username or password. However, ROPC has some limitations and it may not work for these federated user accounts.

 

Microsoft suggests this:

 

You can try to use Direct Authentication for federated user accounts if you cannot use WS-trust.

 

Azure AD has turned off the ability (by default) for customers to utilize the legacy-based authentication method of Direct Authentication for federated user accounts.

 

Direct Authentication for federated user accounts is the means of utilizing an Azure AD stored Password Hash to authenticate a federated user directly with Azure AD and retrieving a token from us without being sent to the Identity Provider for the account. As you probably have noticed, this ‘feature’ isn’t the best from a security perspective.

 

There is a way to turn this back on for the customer but we recommend you only do so on a per-app basis since the nature of this change will open the customer up to legacy authentication mechanisms for their entire tenant. The script supplied to customers who have one (1) application to turn this on with is as follows:

 

  1. Enable both Password hash synchronization and Federation with ADFS in Azure AD Connect sync.
  2. Install the Azure AD Preview PowerShell Module.
  3. Run the following line-by-line (making sure the variable $sp doesn’t have more than 1 application as a result)

Connect-AzureAD

$sp = Get-AzureADServicePrincipal -SearchString "Name_Of_Application"

$policy = New-AzureADPolicy -Definition @("{`"HomeRealmDiscoveryPolicy`":{`"AllowCloudPasswordValidation`":true}}") -DisplayName EnableDirectAuth -Type HomeRealmDiscoveryPolicy -IsOrganizationDefault $false

Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id

 

HTH!
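
An audit check to go with the steps in the post above, as an added example that is not part of the original post or Microsoft's script: it lists every Home Realm Discovery policy that sets AllowCloudPasswordValidation and flags any that is tenant-wide or attached to more than one service principal. It assumes the same AzureADPreview module and the post's "Name_Of_Application" placeholder; the report property names and the DisplayName field on applied objects are assumptions.

```powershell
# Added example: audit HRD policies that allow direct (cloud password) authentication.
# Assumes the AzureADPreview module used in the steps above.
Connect-AzureAD

# Guard for step 3: the search must match exactly one service principal.
$appName = "Name_Of_Application"   # placeholder taken from the post
$sp = @(Get-AzureADServicePrincipal -SearchString $appName)
if ($sp.Count -ne 1) {
    Write-Warning "Search for '$appName' returned $($sp.Count) service principals; do not assign the policy."
}

# Collect every HomeRealmDiscoveryPolicy whose definition enables AllowCloudPasswordValidation.
$hrdPolicies = Get-AzureADPolicy | Where-Object { $_.Type -eq "HomeRealmDiscoveryPolicy" }
$findings = foreach ($policy in $hrdPolicies) {
    foreach ($def in $policy.Definition) {
        # Each definition is a JSON string like the one passed to New-AzureADPolicy.
        $hrd = ($def | ConvertFrom-Json).HomeRealmDiscoveryPolicy
        if ($hrd.AllowCloudPasswordValidation -eq $true) {
            # Objects the policy is attached to (assumed to expose DisplayName).
            $applied = @(Get-AzureADPolicyAppliedObject -Id $policy.Id)
            [pscustomobject]@{
                PolicyId     = $policy.Id
                DisplayName  = $policy.DisplayName
                TenantWide   = [bool]$policy.IsOrganizationDefault
                AppliedCount = $applied.Count
                AppliedTo    = ($applied.DisplayName -join ", ")
            }
        }
    }
}

$findings | Format-Table -AutoSize

# Anything tenant-wide or shared across several apps is broader than the per-app scope recommended above.
$findings | Where-Object { $_.TenantWide -or $_.AppliedCount -gt 1 } | ForEach-Object {
    Write-Warning "Policy '$($_.DisplayName)' ($($_.PolicyId)) enables direct auth beyond a single app."
}
```
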

Hello, we are facing the same issue. Any update?

Hi @Juramirez,

 

Did you ever get this working?  I have similar problem - except my error on the "AcquireTokenAsync" call is: "Microsoft.IdentityModel.Clients.ActiveDirectory.AdalException: parsing_wstrust_response_failed: Parsing WS-Trust response failed".

 

I can make it work, sort of, if:  1) I revert to a much older install of "Microsoft.IdentityModel.Clients.ActiveDirectory" (one WITHOUT the Async method), and 2) I use AcquireToken (not AcquireTokenAsync).  Of course, then I get prompted for credentials.

 

Thanks,

Greg

 

Hi @Juramirez,

 

Have you found a solution to this yet?  I'm facing the same exact issue.

 

The only way I could get the embedding to "work" was to use an older version of "Microsoft.IdentityModel.Clients.ActiveDirectory", which uses AcquireToken() instead of AcquireTokenAsync() - but the user is prompted for credentials since they can't be passed (or, I have figured out how to pass them).

 

Thanks,

Greg

 

Hi @Juramirez,

 

Did you ever get this resolved?  I'm facing exact same issue. 

 

The only way I've gotten the embedding to "work" is to use an older version of the "Microsoft.IdentityModel.Clients.ActiveDirectory" NuGet package - one WITHOUT the AcquireTokenAsync() call, it just has AcquireToken().  But this brings up the credentials prompt.

 

Thanks,

Greg

 
