Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Register now to learn Fabric in free live sessions led by the best Microsoft experts. From Apr 16 to May 9, in English and Spanish.

Reply
Anonymous
Not applicable

Authenticate with client certificate

‎11-16-2017 04:24 AM

Today we are using Sharepoint and SSRS (Sharepoint mode). Authentication is handled by smart cards and client certificate. Once the user is logged in, it uses a system account (in Sharepoint) and the user is basically anonymous. A user specific token is fetched (server side ASP.Net) by Sharepoint once the user logged in and is appended to the links to the reports as a query parameter. When the user views a report the token is used as an argument to a stored procedures which determines what content the user gets to see in the report.

 

What we want

The portal will be an ASP.Net Core application with Angular on the front end and I will embed reports from our on premise PBI Report Server using an iframe.

 

The requirement is, as is today, that the users should be authenticated with smart cards with the help of client certificates. This is not an issue on the portal side with custom authentication and a custom users table in our database. My concern is when the user wants to view an embedded (iframe) report.

One alternative is as what we have today, the user is anonymous, ie all users in PBI Report Server sees everything. And we use query parameters to filter data in the reports. This is very easily hacked just by looking in the source code of the page. Changing the query parameter reveals all information. additionally the filter pane to the right is populated by the filter and easily manipulated. An what I hear is you cannot hide the filter pane.

The best alternative would be to create a custom authentication module for the PBI RS which we could pass some object/token/whatever to from the ASP.Net portal to ensure who the user is. If this was possible it would then be possible to use Row Level Security.

 

Is this possible? What would your suggestion be? How would I do this? How do I map the user from the portal to a user in PBI RS?

Message 1 of 6
11,678 Views
0
1 ACCEPTED SOLUTION
gerald_bauer
Advocate I
Advocate I
In response to gerald_bauer

‎11-16-2018 02:43 AM

Finally I found a solution by myself "out of the box". Well, not really OOTB -  I had to take many hurdles - but it works.
Namely with Web Application Proxy (WAP), a feature in Windows Server 2016 (SSRS/PBIRS needs 2016), and Active Directory Federation Services (ADFS). I used this documentation: If you publish "https://reports.contoso.com/" (and not only "https://reports.contoso.com/reports/") you have a full-featured PBIRS accessible from extranet and authentication possible via Forms auth, Client certificate and even MFA:
https://docs.microsoft.com/en-us/power-bi/consumer/mobile/mobile-oauth-ssrs 

View solution in original post

Message 6 of 6
10,819 Views
5 REPLIES 5
gerald_bauer
Advocate I
Advocate I

‎05-03-2018 07:00 AM

Hi Martin!

Did you get a solution for that?

I am also searching for Client Certificate Authentication (although against Active Directory).

Message 3 of 6
11,360 Views
0
Anonymous
Not applicable
In response to gerald_bauer

‎05-03-2018 07:25 AM

Not really. The answer given by v-qiuyu-msft made me spend a few days looking into the custom authentication. I got the example running but I could not figure out how to combine that with client certificate authentication. Maybe it is doable but I do not have the skills for it.

 

The other path forward I think is to roll your own portal with custom authentication on regular ASP.net or your stack of choice. Then purchase PBI Premium and make use of the Javascript library that lets you send some sort of user token from your application into the embedded PBI report. That way I think you can use what ever authentication you like backed up by a custom users persistance.

 

In my project we probably will publish all reports we can to the web. The more sensative reports will be published on a portal built by a private company that in turn has a PBI Premium account.

Message 4 of 6
11,357 Views
gerald_bauer
Advocate I
Advocate I
In response to Anonymous

‎05-03-2018 10:51 PM

Seems that I have to ask our internal software developers for a solution. Such a shame that Microsoft components don't work together out of the box.

Message 5 of 6
11,341 Views
0
gerald_bauer
Advocate I
Advocate I
In response to gerald_bauer

‎11-16-2018 02:43 AM

Finally I found a solution by myself "out of the box". Well, not really OOTB -  I had to take many hurdles - but it works.
Namely with Web Application Proxy (WAP), a feature in Windows Server 2016 (SSRS/PBIRS needs 2016), and Active Directory Federation Services (ADFS). I used this documentation: If you publish "https://reports.contoso.com/" (and not only "https://reports.contoso.com/reports/") you have a full-featured PBIRS accessible from extranet and authentication possible via Forms auth, Client certificate and even MFA:
https://docs.microsoft.com/en-us/power-bi/consumer/mobile/mobile-oauth-ssrs 

Message 6 of 6
10,820 Views
v-qiuyu-msft
Community Support
Community Support

‎11-17-2017 01:44 AM

Hi @Anonymous,

 

Power BI report server does support custom authentication: 

https://github.com/Microsoft/Reporting-Services/tree/master/CustomSecuritySample

 

Best Regards,
Qiuyun Yu

Community Support Team _ Qiuyun Yu
If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.
Message 2 of 6
11,665 Views
0

Helpful resources

Announcements
Microsoft Fabric Learn Together

Microsoft Fabric Learn Together

Covering the world! 9:00-10:30 AM Sydney, 4:00-5:30 PM CET (Paris/Berlin), 7:00-8:30 PM Mexico City

PBI_APRIL_CAROUSEL1

Power BI Monthly Update - April 2024

Check out the April 2024 Power BI update to learn about new features.

April Fabric Community Update

Fabric Community Update - April 2024

Find out what's new and trending in the Fabric Community.

View All