We're receiving the following error in our data gateway:
InnerMessage=<pi>The following system error occurred: The user name or password is incorrect. </pi>"
We have two domains in our org with a full trust between them. Users in the domain running the gateway server don't appear to have a problem; users from the second domain do. This problem occurs if the gateway is running under a local machine account or a domain service account. I'm stuck as to where to look next. Does anyone have any ideas?
Thanks in advance.
What data source do you add within the gateway? Could you please verify that if the user of the second domain can connect to the data source from the machine that hosting the gateway?
The data source is a Sql Server 2016 Analysis Server instance running in tabular mode.
The machine hosting the gateway is the same server running the SSAS instance, and the user can connect to the SSAS instance directly without issue -- is that what you're asking?
Thanks again, Jason
Please check that if the user's email address which he uses to sign in Power BI Service matches a defined UPN within the local Active Directory Domain. For more details, please review the following article.
Just so I'm sure I understand....
So the UPN must be a match in the domain the gateway server resides in? If it's in another domain, even if there's a full trust between the domain for the gateway server and the domain for the user logging in, it will fail?
Thanks for all your help,
Do you use one way trust or two-way trust for the two domains? If you use one way trust, the user in second domain may not be mapped correctly in first domain.
Could you please use SQL profiler to capture the process? Is the account mapping correctly?
I took a look at the troubleshooting article, and confirmed the following:
When using Sql Profiler watching my user in the second domain connect via Power BI online, I see the following before the error is reported:
Discover Begin And End:
<RestrictionList xmlns="urn:schemas-microsoft-com:xml-analysis" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><PropertyName><Value>DbpropMsmdSubqueries</Value><Value>DbpropMsmdOptimizeResponse</Value><Value>DbpropMsmdActivityID</Value><Value>DbpropMsmdCurrentActivityID</Value></PropertyName></RestrictionList>
<PropertyList xmlns="urn:schemas-microsoft-com:xml-analysis" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"/>
Have you noted that what account is mapped to for the problem account in SQL profiler?
Maybe I'm misunderstanding what you're asking.....I'm not sure how to check the account mapping? On a successful request Profiler shows an item as below for DISCOVER BEGIN:
<RestrictionList xmlns="urn:schemas-microsoft-com:xml-analysis" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><PropertyName>Catalog</PropertyName></RestrictionList> <PropertyList xmlns="urn:schemas-microsoft-com:xml-analysis" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><Catalog>PWIMillInventoryTabular</Catalog><Cube>PWI Mill Inventory</Cube><DbpropMsmdOptimizeResponse>9</DbpropMsmdOptimizeResponse><DbpropMsmdActivityID>075B518C-59DB-476A-B8E7-372665269CF6</DbpropMsmdActivityID><DbpropMsmdRequestID>1A7B10F9-B133-4E80-9F30-0E619677FDFE</DbpropMsmdRequestID><DbpropMsmdCurrentActivityID>075B518C-59DB-476A-B8E7-372665269CF6</DbpropMsmdCurrentActivityID><LocaleIdentifier>1033</LocaleIdentifier><EffectiveUserName>email@example.com</EffectiveUserName><sspropinitappname>PowerBI</sspropinitappname></PropertyList>
With the failed requests, I'm not seeing an EffectiveUserName. If I am misunderstanding what you're asking, could you point me in the right direction?
Does the error go away when you use map user name feature in Power BI Service?
The error does go away, but only if I use full NETBIOS domain names in user account mapping. So if the account I'm trying to give access to is firstname.lastname@example.org, I have to map that to BROKENDOMAIN.LOCAL\user for it to work. I have confirmed that email@example.com is the correct AAD UPN, and that it matches the UPN in the local domain as well (logging in as the user, and running whoami /upn).
Mapping the user names would work as a fix, I suppose, if I was able to do it globally -- but that won't work since it's simple string replacement. Even then, having to add that mapping for each data connection is not really viable.
@Anonymous @v-yuezhe-msft Unfortunately, I don't have a solution yet. I've had a formal support ticket open with Microsoft for several months. I've talked to the following groups (several times):
It's supposedly been escaled to a senior engineer with priority, yet I've heard from nobody. I've tried the following:
If I every do get this figured out I'll post. Extremely disappointed with Microsoft's response.
I got a similar issue today; I could add a SSAS datasource successfully under the gateway, but this error was raised when connecting.
In my case, it was apparently due to unsupported characters in the password!
If you have special characters in your pw, at least give it a try without.
I suspect this isn't the issue in this situation because EffectiveUserName does not correctly work on the SSAS instance, regardless of password. For example: SSAS's EffectiveUserName functionality requires the fully qualified domain name (e.g., Contoso.Corp\SimonNuss) but the Power BI gateway only provides the normal domain name (e..g, Contoso\SimonNuss).
Further, the Power BI gateway "Map user names" functionality does not work because it is not advanced enough to dynamically transform "SimonNuss@Contoso.com" into "Contoso.Corp\SimonNuss".
Just to close the loop on this -- after much back and forth with Microsoft, the issue was narrowed down to SSAS and the way Kerberos handles impersonation authentication. Basically, to make what we need work, we need to be able to use UPN suffix routing. Unfortunately, a forest trust is required for this to behave and it's not workable in the two-way trust between our domains.
I have a similar issue, how do i get this soultion working ?
Just to close the loop on this -- after much back and forth with Microsoft, the issue was narrowed down to SSAS and the way Kerberos handles impersonation authentication. Basically, to make what we need work, we need to be able to use UPN suffix routing. Unfortunately, a forest trust is required for this to behave and it's not workable in the two-way trust between our domains
have you this issue solved?
it seems I have similar problem.
additional thing is, that refresh of dashboard with liveconnection to SSAS-Tabular works ok, the only problem is refresh of dataset with data imported from (the same) SSAS-Tabular.|
I use the same datasource, with the same account etc.
What is strange, in sql server profiler, both connections are shown with same NTDomain, NTUserName, but one for liveconnection works fine, and for dataset shows error: The following system error occurred: The user name or password is incorrect.