martinlarsson
Helper III

Authenticate with client certificate

Today we are using SharePoint and SSRS (SharePoint mode). Authentication is handled by smart cards and client certificates. Once the user is logged in, it uses a system account (in SharePoint) and the user is basically anonymous. A user-specific token is fetched (server-side ASP.Net) by SharePoint once the user has logged in and is appended to the links to the reports as a query parameter. When the user views a report, the token is used as an argument to a stored procedure which determines what content the user gets to see in the report.

 

What we want

The portal will be an ASP.Net Core application with Angular on the front end and I will embed reports from our on premise PBI Report Server using an iframe.

 

The requirement is, as is today, that the users should be authenticated with smart cards with the help of client certificates. This is not an issue on the portal side with custom authentication and a custom users table in our database. My concern is when the user wants to view an embedded (iframe) report.

One alternative is what we have today: the user is anonymous, i.e. all users in PBI Report Server see everything, and we use query parameters to filter data in the reports. This is very easily hacked just by looking in the source code of the page. Changing the query parameter reveals all information. Additionally, the filter pane to the right is populated by the filter and easily manipulated. And what I hear is you cannot hide the filter pane.

The best alternative would be to create a custom authentication module for the PBI RS which we could pass some object/token/whatever to from the ASP.Net portal to ensure who the user is. If this was possible it would then be possible to use Row Level Security.

 

Is this possible? What would your suggestion be? How would I do this? How do I map the user from the portal to a user in PBI RS?
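
One way to make the query-string token described in the question tamper-evident, as an added example that is not part of the original post or of PBI Report Server: the portal signs the user id, report path and expiry with HMAC-SHA256, and a server-side component under your control validates the token before its value reaches the stored procedure. `ReportToken`, its methods and the token layout are hypothetical, and where validation runs is an assumption.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: tamper-evident, expiring report token for a URL query string.
// ReportToken, Issue and TryValidate are hypothetical names, not a PBI RS API.
public static class ReportToken
{
    // Token layout: base64url(payload) + "." + base64url(HMAC-SHA256(payload)),
    // where payload = "userId|reportPath|expiryUnixSeconds".
    public static string Issue(byte[] key, string userId, string reportPath, TimeSpan lifetime)
    {
        long expires = DateTimeOffset.UtcNow.Add(lifetime).ToUnixTimeSeconds();
        byte[] payload = Encoding.UTF8.GetBytes($"{userId}|{reportPath}|{expires}");
        return B64(payload) + "." + B64(Sign(key, payload));
    }

    // Returns true and the user id only if the MAC matches, the token is
    // unexpired, and it was issued for the report actually being requested.
    public static bool TryValidate(byte[] key, string token, string requestedPath, out string userId)
    {
        userId = null;
        string[] parts = (token ?? "").Split('.');
        if (parts.Length != 2) return false;
        byte[] payload, mac;
        try { payload = UnB64(parts[0]); mac = UnB64(parts[1]); }
        catch (FormatException) { return false; }
        // Constant-time comparison avoids leaking how many MAC bytes matched.
        if (!CryptographicOperations.FixedTimeEquals(mac, Sign(key, payload))) return false;
        // A '|' inside userId or reportPath yields extra fields and is rejected.
        string[] f = Encoding.UTF8.GetString(payload).Split('|');
        if (f.Length != 3 || !long.TryParse(f[2], out long exp)) return false;
        if (DateTimeOffset.UtcNow.ToUnixTimeSeconds() > exp) return false;
        if (!string.Equals(f[1], requestedPath, StringComparison.Ordinal)) return false;
        userId = f[0];
        return true;
    }

    static byte[] Sign(byte[] key, byte[] data)
    {
        using (var h = new HMACSHA256(key)) return h.ComputeHash(data);
    }
    static string B64(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    static byte[] UnB64(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(s.PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
    }
}
```

The signing key stays on the server; a token whose user id, report path or expiry has been edited in the URL fails validation instead of selecting another user's data.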

1 ACCEPTED SOLUTION

Finally I found a solution by myself "out of the box". Well, not really OOTB - I had to take many hurdles - but it works.
Namely with Web Application Proxy (WAP), a feature in Windows Server 2016 (SSRS/PBIRS needs 2016), and Active Directory Federation Services (ADFS). I used this documentation: If you publish "https://reports.contoso.com/" (and not only "https://reports.contoso.com/reports/") you have a full-featured PBIRS accessible from extranet and authentication possible via Forms auth, Client certificate and even MFA:
https://docs.microsoft.com/en-us/power-bi/consumer/mobile/mobile-oauth-ssrs 

gerald_bauer
Advocate I

Hi Martin!

Did you get a solution for that?

I am also searching for Client Certificate Authentication (although against Active Directory).

Not really. The answer given by v-qiuyu-msft made me spend a few days looking into the custom authentication. I got the example running but I could not figure out how to combine that with client certificate authentication. Maybe it is doable but I do not have the skills for it.

 

The other path forward, I think, is to roll your own portal with custom authentication on regular ASP.net or your stack of choice. Then purchase PBI Premium and make use of the JavaScript library that lets you send some sort of user token from your application into the embedded PBI report. That way I think you can use whatever authentication you like, backed up by a custom users persistence.

 

In my project we will probably publish all the reports we can to the web. The more sensitive reports will be published on a portal built by a private company that in turn has a PBI Premium account.

Seems that I have to ask our internal software developers for a solution. Such a shame that Microsoft components don't work together out of the box.


v-qiuyu-msft
Community Support

Hi @martinlarsson,

 

Power BI report server does support custom authentication: 

https://github.com/Microsoft/Reporting-Services/tree/master/CustomSecuritySample

 

Best Regards,
Qiuyun Yu
