Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Register now to learn Fabric in free live sessions led by the best Microsoft experts. From Apr 16 to May 9, in English and Spanish.

Reply
Abdelmajid
Helper I
Helper I

Prompt all users to enter AD credentials when accessing PBIRS reports

‎09-14-2020 06:48 PM

Hi,

 

We have an on premise PBIRS environment which is using the default windows authentication. Is there a way to give every user to be promoted to enter username and password?

 

Thanks.

Message 1 of 10
4,237 Views
0
1 ACCEPTED SOLUTION
d_gosbell
Super User
Super User
In response to Abdelmajid

‎09-24-2020 07:30 PM

Yes, kiosk PCs are a slightly different use case. If you want EVERYONE that connects to PBIRS to be prompted then you could switch from using Windows auth to using Basic auth (see https://docs.microsoft.com/en-us/sql/reporting-services/security/configure-basic-authentication-on-t... ) Note: you should make sure you have HTTPS configured when using basic auth as the credentials are sent in clear text as part of the request.

 

The only issue then is that there is no "logout" button in the report portal, so the only way to "logout" is to close ALL browser windows. Closing just the current tab is not enough.

View solution in original post

Message 8 of 10
3,932 Views
9 REPLIES 9
gustavoandrade
Helper I
Helper I

‎09-15-2020 01:25 PM

I asked that same question a short time ago. On my intranet, I always ask for login to access the reports.

Until today I couldn't solve it.

See links:

 

https://community.powerbi.com/t5/Report-Server/Remove-authentication-prompt-when-accessing-report/m-...

 

https://github.com/microsoft/Reporting-Services/issues/186

 

Message 10 of 10
4,128 Views
0
d_gosbell
Super User
Super User

‎09-14-2020 09:30 PM

I'm pretty sure that the decision of whether to prompt for credentials is made by the client machine, by default if the url is detected as being in the Intranet or Trusted Sites zones (which you configure either using Group Policy or in the Internet Options on the client machines). If you configured the PBIRS url to be in the Intranet zone the browsers will no longer pass through the credentials. If you only require this as a once off another option is to try using an private/incognito window in your browser.

Message 3 of 10
4,161 Views
Abdelmajid
Helper I
Helper I
In response to d_gosbell

‎09-24-2020 12:47 PM

We have checked on making changes to the PBIRS URLs group policies, the URLs do already exist in a trusted zone and unfortunately we can't have them moved to the internet zone instead.

The only option I am looking into now is changing the settings at the IIS level to make sure every user is prompted to enter credentials before viewing any report on PBIRS. (The reason for this decision is that we have multiple associates from different levels sharing the same PC, and we need to prompt everyone) 

There seem to be a way through IIS, but I am still struggling finding a direct documentation or steps to accomplish that.

Really appreciate any help!

Message 5 of 10
3,971 Views
0
d_gosbell
Super User
Super User
In response to Abdelmajid

‎09-24-2020 03:54 PM
@Abdelmajid wrote:

The reason for this decision is that we have multiple associates from different levels sharing the same PC, and we need to prompt everyone

I don't think you should be trying to fix this at the PBIRS level. I think you should just get your associates to log out from windows when they finished with the shared PC's. That way when they want to access a report they log in to windows then just access PBIRS and the normal windows auth works. Then when they have finished they log out (they can leave the PC switch on to save the next person from having to boot up). 

 

That way everything they do on that PC is done using their login. So if you have any security or other issues you can directly trace this back to a specific user.

Message 6 of 10
3,961 Views
0
Abdelmajid
Helper I
Helper I
In response to d_gosbell

‎09-24-2020 06:10 PM

Thanks. Our case is a little different. We have many shared PCs at the stores and they are always ON using a generic kiosk account.

if users try to access the PBIRS url in the current scenario, the accesss uses the generic Kiosk as the login account to authenticate.

Since PBIRS is using the default Windows authentication and picking up the user from the machine, we have to somehow force the PBIRS url to ignore the PC credentials and just force every user to enter credentials when when getting the prompt box.

have done some research and seems doable using IIS, just don't have the proper documented steps for that.

Message 7 of 10
3,948 Views
0
FarhanAhmed
Community Champion
Community Champion
In response to Abdelmajid

‎09-24-2020 08:56 PM

In your case, you may also consider creating a browser shortcut for every user which will be running as "RunAs

 

runas /user:abc.xyz "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"

 







Did I answer your question? Mark my post as a solution! Appreciate your Kudos!!

Proud to be a Super User!




Message 9 of 10
3,920 Views
d_gosbell
Super User
Super User
In response to Abdelmajid

‎09-24-2020 07:30 PM

Yes, kiosk PCs are a slightly different use case. If you want EVERYONE that connects to PBIRS to be prompted then you could switch from using Windows auth to using Basic auth (see https://docs.microsoft.com/en-us/sql/reporting-services/security/configure-basic-authentication-on-t... ) Note: you should make sure you have HTTPS configured when using basic auth as the credentials are sent in clear text as part of the request.

 

The only issue then is that there is no "logout" button in the report portal, so the only way to "logout" is to close ALL browser windows. Closing just the current tab is not enough.

Message 8 of 10
3,933 Views
roger_that
Regular Visitor
In response to d_gosbell

‎09-24-2020 06:35 AM

I have configured our PBIRS server to use WindowsNTLM authentication, and users are sometimes asked for credentials, sometimes not (I haven't noticed a pattern yet).  Note: this is direct webpage access, not using PBI DesktopRS.  Since PBIRS is supposed to be connection-oriented, rather than session-oriented, shouldn't users be being prompted every time they first access the server for the day?  And where are their credentials being cached, so they don't have to enter them for every click they do within PBIRS? If it makes any difference, our "workstation" is usually an RDSH server, but it is possible to go directly from the Win10 workstations as well.

Thank you, Roger

 

Message 4 of 10
4,006 Views
0
Greg_Deckler
Super User
Super User

‎09-14-2020 06:54 PM

@Abdelmajid Maybe something in the config files? https://docs.microsoft.com/en-us/sql/reporting-services/security/configure-windows-authentication-on...

 

 


@ me in replies or I'll lose your thread!!!
Instead of a Kudo, please vote for this idea
Become an expert!: Enterprise DNA
External Tools: MSHGQM
YouTube Channel!: Microsoft Hates Greg
Latest book!: The Definitive Guide to Power Query (M)

DAX is easy, CALCULATE makes DAX hard...
Message 2 of 10
4,229 Views

Helpful resources

Announcements
Microsoft Fabric Learn Together

Microsoft Fabric Learn Together

Covering the world! 9:00-10:30 AM Sydney, 4:00-5:30 PM CET (Paris/Berlin), 7:00-8:30 PM Mexico City

PBI_APRIL_CAROUSEL1

Power BI Monthly Update - April 2024

Check out the April 2024 Power BI update to learn about new features.

April Fabric Community Update

Fabric Community Update - April 2024

Find out what's new and trending in the Fabric Community.

View All
Top Solution Authors
View All