cancel
Showing results for 
Search instead for 
Did you mean: 
Reply
jmillar
Helper I
Helper I

"The username or password is incorrect." error with On Premises Data Gateway

 Hi all;

 

We're receiving the following error in our data gateway:

"GatewayPipelineErrorCode=DM_GWPipeline_UnknownError
InnerType=COMException
InnerMessage=<pi>The following system error occurred: The user name or password is incorrect. </pi>"

 

We have two domains in our org with a full trust between them.  Users in the domain running the gateway server don't appear to have a problem; users from the second domain do.  This problem occurs if the gateway is running under a local machine account or a domain service account.  I'm stuck as to where to look next.  Does anyone have any ideas?

 

Thanks in advance.

Jason

20 REPLIES 20
254664427
New Member

Servers
test
Something went wrong
Technical details:
Activity ID: 821fefe9-e440-4c3a-a407-d5d0c8335f8b
Request ID: 1d7cf39a-c6ac-45ae-c08a-fd6308b9cb62
Date: 2019-12-02 07:42:16Z (UTC)
Error text: The following system error occurred: The user name or password is incorrect.
Cluster URI: https://wabi-australia-east-a-primary-redirect.analysis.windows.net/
 
I have met this error when I try to create a dataset on power bi services.
funny thing is that my connection is successful:
 
v-yuezhe-msft
Microsoft
Microsoft

@jmillar,

What data source do you add within the gateway? Could you please verify that if the user of the second domain can connect to the data source from the machine that hosting the gateway?

Regards,
Lydia

Community Support Team _ Lydia Zhang
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Thanks @v-yuezhe-msft.

 

The data source is a Sql Server 2016 Analysis Server instance running in tabular mode.

 

The machine hosting the gateway is the same server running the SSAS instance, and the user can connect to the SSAS instance directly without issue -- is that what you're asking?

 

Thanks again, Jason

@jmillar,

Please check that if the user's email address which he uses to sign in Power BI Service matches a defined UPN within the local Active Directory Domain. For more details, please review the following article.

https://docs.microsoft.com/en-us/power-bi/service-gateway-enterprise-manage-ssas


Regards,
Lydia

Community Support Team _ Lydia Zhang
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

@v-yuezhe-msft

 

Just so I'm sure I understand....

 

So the UPN must be a match in the domain the gateway server resides in?  If it's in another domain, even if there's a full trust between the domain for the gateway server and the domain for the user logging in, it will fail?

 

Thanks for all your help,

Jason

@jmillar,

Do you use one way trust or two-way trust for the two domains? If you use one way trust, the user in second domain may not be mapped correctly in first domain.

Reference:
https://docs.microsoft.com/en-us/power-bi/service-gateway-onprem-tshoot

Regards,

Lydia

Community Support Team _ Lydia Zhang
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Hi @v-yuezhe-msft -- it's a two-way trust between the two domains.

 

Thanks,

Jason

@jmillar

Could you please use SQL profiler to capture the process? Is the account mapping correctly?

Regards,
Lydia

Community Support Team _ Lydia Zhang
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Hi @v-yuezhe-msft;

 

I took a look at the troubleshooting article, and confirmed the following:

  • We have a two way trust set up between the domains
  • The SSAS service account has the AD token mentioned in the article
  • If I connect using SSMS using the EffectiveUserName advanced option, I get the same error.

When using Sql Profiler watching my user in the second domain connect via Power BI online, I see the following before the error is reported:

Discover Begin And End: 

TextData =

 

<RestrictionList xmlns="urn:schemas-microsoft-com:xml-analysis" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><PropertyName><Value>DbpropMsmdSubqueries</Value><Value>DbpropMsmdOptimizeResponse</Value><Value>DbpropMsmdActivityID</Value><Value>DbpropMsmdCurrentActivityID</Value></PropertyName></RestrictionList>

RequestProperties =

<PropertyList xmlns="urn:schemas-microsoft-com:xml-analysis" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"/>

@jmillar,

Have you noted that what account is mapped to for the problem account in SQL profiler?

Regards,
Lydia

Community Support Team _ Lydia Zhang
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Hi @v-yuezhe-msft;

 

Maybe I'm misunderstanding what you're asking.....I'm not sure how to check the account mapping?  On a successful request Profiler shows an item as below for DISCOVER BEGIN:

 

<RestrictionList xmlns="urn:schemas-microsoft-com:xml-analysis" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><PropertyName>Catalog</PropertyName></RestrictionList>

<PropertyList xmlns="urn:schemas-microsoft-com:xml-analysis" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><Catalog>PWIMillInventoryTabular</Catalog><Cube>PWI Mill Inventory</Cube><DbpropMsmdOptimizeResponse>9</DbpropMsmdOptimizeResponse><DbpropMsmdActivityID>075B518C-59DB-476A-B8E7-372665269CF6</DbpropMsmdActivityID><DbpropMsmdRequestID>1A7B10F9-B133-4E80-9F30-0E619677FDFE</DbpropMsmdRequestID><DbpropMsmdCurrentActivityID>075B518C-59DB-476A-B8E7-372665269CF6</DbpropMsmdCurrentActivityID><LocaleIdentifier>1033</LocaleIdentifier><EffectiveUserName>jmillar@strathconapaper.com</EffectiveUserName><sspropinitappname>PowerBI</sspropinitappname></PropertyList>

With the failed requests, I'm not seeing an EffectiveUserName.  If I am misunderstanding what you're asking, could you point me in the right direction?

 

Thanks,

Jason

@jmillar,


Does the error go away when you use map user name feature in Power BI Service?

Regards,
Lydia

Community Support Team _ Lydia Zhang
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

@v-yuezhe-msft;

 

The error does go away, but only if I use full NETBIOS domain names in user account mapping.  So if the account I'm trying to give access to is user@brokendomain.com, I have to map that to BROKENDOMAIN.LOCAL\user for it to work.  I have confirmed that user@brokendomain.com is the correct AAD UPN, and that it matches the UPN in the local domain as well (logging in as the user, and running whoami /upn).

 

Mapping the user names would work as a fix, I suppose, if I was able to do it globally -- but that won't work since it's simple string replacement.  Even then, having to add that mapping for each data connection is not really viable.

 

Thanks,

Jason

Anonymous
Not applicable

@jmillar  @v-yuezhe-msft Did you ever get this resolved?  My company is experiencing the exact same error, including the BROKENDOMAIN.LOCAL\user insight (nice catch, by the way!).  As a result, we've had to hold off producing Tabular models until a solution is found.

 

 

@Anonymous @v-yuezhe-msft Unfortunately, I don't have a solution yet.  I've had a formal support ticket open with Microsoft for several months.  I've talked to the following groups (several times):

  • Networking
  • AD
  • SSAS
  • Power BI

It's supposedly been escaled to a senior engineer with priority, yet I've heard from nobody.  I've tried the following:

  • Switched the domain for the SSAS server.  Same problem, only now in reverse
  • Upgraded to 2017 with the latest CU.  Problem persists.

If I every do get this figured out I'll post.  Extremely disappointed with Microsoft's response.

 

J

I got a similar issue today; I could add a SSAS datasource successfully under the gateway, but this error was raised when connecting.

In my case, it was apparently due to unsupported characters in the password!

If you have special characters in your pw, at least give it a try without.

Anonymous
Not applicable

Hi Karel

 

I suspect this isn't the issue in this situation because EffectiveUserName does not correctly work on the SSAS instance, regardless of password.  For example: SSAS's EffectiveUserName functionality requires the fully qualified domain name (e.g., Contoso.Corp\SimonNuss) but the Power BI gateway only provides the normal domain name (e..g, Contoso\SimonNuss).

 

Further, the Power BI gateway "Map user names" functionality does not work because it is not advanced enough to dynamically transform "SimonNuss@Contoso.com" into "Contoso.Corp\SimonNuss".  

Hi all;

 

Just to close the loop on this -- after much back and forth with Microsoft, the issue was narrowed down to SSAS and the way Kerberos handles impersonation authentication.  Basically, to make what we need work, we need to be able to use UPN suffix routing.  Unfortunately, a forest trust is required for this to behave and it's not workable in the two-way trust between our domains.

 

J

KD000
Regular Visitor

@jmillar 

 

I have a similar issue, how do i get this soultion working ? 

 

Just to close the loop on this -- after much back and forth with Microsoft, the issue was narrowed down to SSAS and the way Kerberos handles impersonation authentication.  Basically, to make what we need work, we need to be able to use UPN suffix routing.  Unfortunately, a forest trust is required for this to behave and it's not workable in the two-way trust between our domains

@KD000 @jmillar 
have you this issue solved?

it seems I have similar problem. 
additional thing is, that refresh of dashboard with liveconnection to SSAS-Tabular works ok, the only problem is refresh of dataset with data imported from (the same) SSAS-Tabular.|

I use the same datasource, with the same account etc.
 
What is strange, in sql server profiler, both connections are shown with same NTDomain, NTUserName, but one for liveconnection works fine, and for dataset shows error: The following system error occurred: The user name or password is incorrect.

Helpful resources

Announcements
Power BI December 2021 Update_carousel 768x460.jpg

Check it Out!

Click here to read more about the December 2021 Updates!

Jan 2022 Dev Camp 768x460 copy.png

Power BI Dev Camp- January 27th, 2022

Mark your calendars and join us for our next Power BI Dev Camp!

UG GA Amplification 768x460.png

Launching new user group features

Learn how to create your own user groups today!

Top Solution Authors