Register now to learn Fabric in free live sessions led by the best Microsoft experts. From Apr 16 to May 9, in English and Spanish.
Hi all
The security group named ‘PBIGroup’ have crteated already in domain environment, while add the ‘PBIGroup’ to the RLS on Web site , there is no error in current page , but go to report page, the error "This visual contains restricted data.See details" occured for every visuals. while add individual user account to this rls box, the report page works well.
i refer to the link Row-level security (RLS) in Power BI Report Server - Power BI | Microsoft Docs.
there is a limit like below, but there is no other details or configuration guidance to describe the "NTLM or Kerberos authentication"
so how can i make the security group work for the RLS of Power BI Report Server, there is other steps is missing?
the document link Configure Kerberos to use Power BI reports - Power BI | Microsoft Docs is the right one to solve this group rls issue ?
note: the data source is SQL Server
any suggestions is welcome , thank you for your help!
Best Regards
Amy
Solved! Go to Solution.
hi all,
this issue has been solved. to make the security group works in RLS of Power BI Report Server, just to follow 2 steps , which refer to the document Configure Kerberos to use Power BI reports - Power BI | Microsoft Docs :
1.go to C:\Program Files\Microsoft Power BI Report Server\PBIRS\ReportServer, find rsreportserver.config file, add RSWindowsNegotiate to Authentication/AuthenticationTypes section of this file.
like this :
<AuthenticationTypes>
<RSWindowsNegotiate/>
<RSWindowsNTLM/>
</AuthenticationTypes>
stop and start the report server to make sure the changes take effect
2. go to "Active Directory Users and Computers", which domain admin know where it is.
Right click on the report server service account and select Properties.
Select the Delegation tab.
Select Trust this computer for delegation to specified services only.
Select Use any authentication protocol.
Under the Services to which this account can present delegated credentials: select Add.
In the new dialog, select Users or Computers.
Enter the service account for the SQL Server service and select Ok.
Select the SQL Server service' SPN ( It will begin with MSSQLSvc.3).
Select OK. You should see the SPN in the list now.
stop and start the Power BI Report Server.
in this document Configure Kerberos to use Power BI reports - Power BI | Microsoft Docs, it takes data source "SQL Server Analysis Services" (which links to Analysis Services) as a example to configurate Kerberos for Power bi report server. so the steps maybe complex, and i haven't test it for data source "SQL Server Analysis Services".
while in my situation, the data source is SQL Server, find no needs to configurate for the SPN of SQL Server service and SQL Browser service, just follow steps like above. thanks.
hi all,
this issue has been solved. to make the security group works in RLS of Power BI Report Server, just to follow 2 steps , which refer to the document Configure Kerberos to use Power BI reports - Power BI | Microsoft Docs :
1.go to C:\Program Files\Microsoft Power BI Report Server\PBIRS\ReportServer, find rsreportserver.config file, add RSWindowsNegotiate to Authentication/AuthenticationTypes section of this file.
like this :
<AuthenticationTypes>
<RSWindowsNegotiate/>
<RSWindowsNTLM/>
</AuthenticationTypes>
stop and start the report server to make sure the changes take effect
2. go to "Active Directory Users and Computers", which domain admin know where it is.
Right click on the report server service account and select Properties.
Select the Delegation tab.
Select Trust this computer for delegation to specified services only.
Select Use any authentication protocol.
Under the Services to which this account can present delegated credentials: select Add.
In the new dialog, select Users or Computers.
Enter the service account for the SQL Server service and select Ok.
Select the SQL Server service' SPN ( It will begin with MSSQLSvc.3).
Select OK. You should see the SPN in the list now.
stop and start the Power BI Report Server.
in this document Configure Kerberos to use Power BI reports - Power BI | Microsoft Docs, it takes data source "SQL Server Analysis Services" (which links to Analysis Services) as a example to configurate Kerberos for Power bi report server. so the steps maybe complex, and i haven't test it for data source "SQL Server Analysis Services".
while in my situation, the data source is SQL Server, find no needs to configurate for the SPN of SQL Server service and SQL Browser service, just follow steps like above. thanks.
Hi @Meng ,
Has your problem been solved, if so, please consider Accept a correct reply as the solution or share your own solution to help others find it.
Best Regards
Lucien
Hi @Meng ,
The format that your report uses locally to configure permissions is DOMAIN\User or user@contoso.com ?
According the article you provided, it mentioned:
Within Power BI Desktop, username() returns a user in the format of DOMAIN\User and userprincipalname() returns a user in the format of user@contoso.com.
Within Power BI Report Server, username() and userprincipalname() both return the user's User Principal Name (UPN), which is similar to an email address.
If you're using custom authentication in Power BI Report Server, it returns the username format you’ve set up for users.
And about NTLM or Kerberos authentication,you could refer the following article:
Configure Kerberos to use Power BI reports
Did I answer your question? Mark my post as a solution!
Best Regards
Lucien
The username it not resolving correctly as defined in the RLS table that you had created.
Try create measure
_user = USERPRINCIPALNAME()
and see that the names in RLS table and this measures matched.
Proud to be a Super User!
Covering the world! 9:00-10:30 AM Sydney, 4:00-5:30 PM CET (Paris/Berlin), 7:00-8:30 PM Mexico City
Check out the April 2024 Power BI update to learn about new features.
User | Count |
---|---|
15 | |
7 | |
5 | |
3 | |
3 |