I have a Report Server running with custom forms authentication and now have problems with Chrome browser not showing custom visuals.
Looking at the Chrome console shows that Chrome blocks cookies if SameSite is not set and Secure(SSL) is not set to true.
This gives me various errors (with status 401) ...
To the enduser looking at a PowerBI report the only problem is that custom visuals are not shown. The rest of the report works as expected.
Paginate reports (Reporting Services) do work without errors.
Safari (iOS), Firefox, Edge (Chromium) and IE11 do not have this problem, but will in the near future as there are warnings that SameSite in not set - but no errors for now.
I set cookieSameSite="None" and requireSSL="true" in my web.config of the login website where my auth cookie is generated.
The same setting I made in the web.config of the Power BI report server, but I think that Power BI Report Server (Mai 2020) is currently not using the samesite setting.
Setting Chrome flags "SameSite by default cookies" to disabled is a workaround for Chrome - but I don't want to tell my users to disable the setting and get a security issue ... 😉
Any thoughts what to change to make Chrome and Custom Visuals work again?
Solved! Go to Solution.
I am not having the same success you are with October 2020..
Let me explain my steps, perhaps I am missing something.
I had previosuly editied my web.config file with the following:
<forms loginUrl="logon.aspx" name="sqlAuthCookie" timeout="60" cookieSameSite="None" requireSSL="true" path="/">
Then I went to my web portal URL in Chrome and navigated to a report with custom visuals and they were still blocked. Verified it was a samesite issue as disabling the feature in Chrome then fixed the issue, but as you said previously that is not a reasonable solution to expect from all users.
I see I can go into the console and find SQLAuthCookie and it is set to secure now but doesnt seem to be set to SameSite = None until I edit in console (which of course fixes problem)
Your web.config seems correct. Just a reminder, these are the steps:
- Update the web.config (your server need to be configured with https to use requireSSL property)
- Restart the server
- From the client get a new cookie (either by using an in-private session, or clearing cookies)
You still dont see the cookie marked with samesite none?
In addition, there was a fix in the October release related to cookies issued with the rest api in which case it was indeed, not respectiting the samesite property. This is fixed as well but requires an update to the latest release.
Let me know if you still experience the same issue.
Thanks for reporting back, that good to know and I will update the sample readme to have this more clearly. Starting with the october release .net 4.8 is a prerequisite.
@gboreki I'm afraid I celebrated too early.
I now am unable to access Paginated Report -> Subscription or Parameter options with the requireSSL="true" option enabled.
I removed the requireSSL="true" property from the sqlAuthCookie in web.config and restarted. This resolved the issue so I know that's the culprit, problem is that I need that property set to true in order to have the sameSite cookie set to None.
Any advice on how to troubleshoot?
Hi @gboreki , thank you for the reply. Yes I updated the web.config and restarted. I know the changes took because now the http web portal gives an error message on sign in saying that the Application requires secure cookies, so there is a definite change. After logging in through my https portal address I still see a null value for SameSite in the Chrome application menu.
InPrivate and cookie clearing do not resolve the issue.. still a null value in the SameSite property.
Setting samesite cookie behavior to secure should resolve it.
We attempted changes to web.config and custom headers (through reporting services), neither appeared to have any impact on SameSite settings. We poked around the Power BI Report Server (May 2020) code and it appears to use .net 4.6. According to this article, https://docs.microsoft.com/en-us/aspnet/samesite/system-web-samesite, SameSite cookie manipulation is only available using .net 4.7.2 and above. We plan to submit a ticket to Microsoft, but in the mean time have found that disabling the following setting in Chrome resolves our problem:
Not an optimal solution in a large enterprise, but better than nothing.
"good" to hear that I'm not alone with this problem.
You did everything I mentioned in my starting post and came to the same conclusions including manipulations to chromes default behavior.
Please let me know if you get some news on a solution or an answer from Microsoft.
Just stopping by to say you are not alone... I as well am running custom auth report server and cannot get any custom visuals working in chrome despite working in every other browser. Talk about frustrating. Hopefully MS fixes this on the next release.
I'm not sure I'd place all of the blame for this problem on Microsoft. The root of the problem is that Google enabled the SameSite "Experimental" feature, by default, on the browser side. Being experimental, I would think they should have disabled it by default.
The most current version of Edge (Chromium) now has the same problem with the default settings!
Setting "SameSite by default cookies" = disabled works as a workaround (like in Chrome).
I do think Microsoft is part of the problem ... ^^
Well, it now appears the latest update to Edge (Chromium) also has the SameSite setting enabled by default on it's "Experimental" settings page. What a poor choice.
I now agree with you that Microsoft is now as culpable in this problem as Google.
So does anyone actually use Power BI Report Server (Mai 2020) with custom authentication (Forms) and has no issues with the most current Chrome browser?
The rest of the common browsers work without errors ...
The errors on Chrome can be seen in the browser console with or without a custom visual - a custom visual in the Power BI report is not rendered.
As a minor problem I get an error (on the console) just opening the Power BI website (/reports/browse) without opening any report - "Manifest: Line: 3, column: 1, Syntax error." - but that seems to be unrelated to the main problem as all browsers show this error.
Any hint where to look for or what to change?
We are running into the same issue with the Chiclet Slicer, did you find a solution?
This is a Microsoft visual too, anyone from MS can opine on this?
I found no solution for the problem - and I made a post on stackoverflow and neither got any answer there.
Maybe the next release (September?) might fix the problem as this is a major problem using forms authentication and custon visuals, that will make custom visual unusable on all browsers in the near future ...