Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Register now to learn Fabric in free live sessions led by the best Microsoft experts. From Apr 16 to May 9, in English and Spanish.

Reply
Meng
Frequent Visitor

when add Domain's security group to RLS of Power BI Report Server , error occured in report page

‎04-11-2022 02:25 AM

Hi all

 

The security group named ‘PBIGroup’ have crteated already in domain environment, while add the ‘PBIGroup’ to the RLS on Web site , there is no error in current page , but go to report page, the error "This visual contains restricted data.See details" occured for every visuals.  while add individual user account to this rls box, the report page works well.

Meng_0-1649740618837.png

 

 

Meng_1-1649668235239.png

 

i refer to the link Row-level security (RLS) in Power BI Report Server - Power BI | Microsoft Docs.

there is a limit like below, but there is no other details or configuration guidance to describe the "NTLM or Kerberos authentication"

Meng_3-1649668442267.png

so how can i make the security group work for the RLS of Power BI Report Server, there is other steps is missing?

 

the document link Configure Kerberos to use Power BI reports - Power BI | Microsoft Docs is the right one to solve this group rls issue ?

 

note: the data source is SQL Server 

 

any suggestions is welcome , thank you for your help!

 

Best Regards

Amy

Labels:
Message 1 of 5
824 Views
0
1 ACCEPTED SOLUTION
Meng
Frequent Visitor

‎04-25-2022 07:19 PM

hi all,

 

this issue has been solved.  to make the security group works in RLS of Power BI Report Server, just to follow 2 steps , which refer to the document Configure Kerberos to use Power BI reports - Power BI | Microsoft Docs :

 

1.go to C:\Program Files\Microsoft Power BI Report Server\PBIRS\ReportServer, find  rsreportserver.config file, add RSWindowsNegotiate to  Authentication/AuthenticationTypes section of this file.

like this :

<AuthenticationTypes>
   <RSWindowsNegotiate/>
   <RSWindowsNTLM/>
</AuthenticationTypes>

 

stop and start the report server to make sure the changes take effect

 

2. go to "Active Directory Users and Computers", which domain admin know where it is.

  •  choose item "Computer", choose the machine account (a server , which power bi report server installed on), 

  • Right click on the report server service account and select Properties.

  • Select the Delegation tab.

  • Select Trust this computer for delegation to specified services only.

  • Select Use any authentication protocol.

  • Under the Services to which this account can present delegated credentials: select Add.

  • In the new dialog, select Users or Computers.

  • Enter the service account for the SQL Server service and select Ok.

  • Select the SQL Server service' SPN ( It will begin with MSSQLSvc.3). 

  • Select OK. You should see the SPN in the list now.

  •  Select Ok.

  • stop and start the Power BI Report Server.

 

in this document Configure Kerberos to use Power BI reports - Power BI | Microsoft Docs, it takes data source "SQL Server Analysis Services" (which links to Analysis Services) as a example to configurate Kerberos for Power bi report server. so the steps maybe complex, and i haven't test it for data source "SQL Server Analysis Services".

 

while in my situation, the data source is SQL Server, find no needs to configurate for the SPN of SQL Server service and SQL Browser service, just follow steps like above. thanks.

 

View solution in original post

Message 5 of 5
599 Views
4 REPLIES 4
Meng
Frequent Visitor

‎04-25-2022 07:19 PM

hi all,

 

this issue has been solved.  to make the security group works in RLS of Power BI Report Server, just to follow 2 steps , which refer to the document Configure Kerberos to use Power BI reports - Power BI | Microsoft Docs :

 

1.go to C:\Program Files\Microsoft Power BI Report Server\PBIRS\ReportServer, find  rsreportserver.config file, add RSWindowsNegotiate to  Authentication/AuthenticationTypes section of this file.

like this :

<AuthenticationTypes>
   <RSWindowsNegotiate/>
   <RSWindowsNTLM/>
</AuthenticationTypes>

 

stop and start the report server to make sure the changes take effect

 

2. go to "Active Directory Users and Computers", which domain admin know where it is.

  •  choose item "Computer", choose the machine account (a server , which power bi report server installed on), 

  • Right click on the report server service account and select Properties.

  • Select the Delegation tab.

  • Select Trust this computer for delegation to specified services only.

  • Select Use any authentication protocol.

  • Under the Services to which this account can present delegated credentials: select Add.

  • In the new dialog, select Users or Computers.

  • Enter the service account for the SQL Server service and select Ok.

  • Select the SQL Server service' SPN ( It will begin with MSSQLSvc.3). 

  • Select OK. You should see the SPN in the list now.

  •  Select Ok.

  • stop and start the Power BI Report Server.

 

in this document Configure Kerberos to use Power BI reports - Power BI | Microsoft Docs, it takes data source "SQL Server Analysis Services" (which links to Analysis Services) as a example to configurate Kerberos for Power bi report server. so the steps maybe complex, and i haven't test it for data source "SQL Server Analysis Services".

 

while in my situation, the data source is SQL Server, find no needs to configurate for the SPN of SQL Server service and SQL Browser service, just follow steps like above. thanks.

 

Message 5 of 5
600 Views
v-luwang-msft
Community Support
Community Support

‎04-19-2022 07:46 PM

Hi @Meng ,

Has your problem been solved, if so, please consider Accept a correct reply as the solution or share your own solution to help others find it.

Best Regards
Lucien

Message 4 of 5
653 Views
0
v-luwang-msft
Community Support
Community Support

‎04-15-2022 01:00 AM

Hi @Meng ,

The format that your report uses locally to configure permissions is DOMAIN\User or user@contoso.com ?

According the article you provided, it mentioned:

Within Power BI Desktop, username() returns a user in the format of DOMAIN\User and userprincipalname() returns a user in the format of user@contoso.com.

Within Power BI Report Server, username() and userprincipalname() both return the user's User Principal Name (UPN), which is similar to an email address.

If you're using custom authentication in Power BI Report Server, it returns the username format you’ve set up for users.

 

And about NTLM or Kerberos authentication,you could refer the following article:

Configure Kerberos to use Power BI reports

 

Did I answer your question? Mark my post as a solution!

 


Best Regards

Lucien

 

Message 3 of 5
710 Views
0
FarhanAhmed
Community Champion
Community Champion

‎04-13-2022 01:45 AM

The username it not resolving correctly as defined in the RLS table that you had created.

 

Try create measure  

_user = USERPRINCIPALNAME()

 

and see that the names in RLS table and this measures matched.







Did I answer your question? Mark my post as a solution! Appreciate your Kudos!!

Proud to be a Super User!




Message 2 of 5
748 Views
0

Helpful resources

Announcements
Microsoft Fabric Learn Together

Microsoft Fabric Learn Together

Covering the world! 9:00-10:30 AM Sydney, 4:00-5:30 PM CET (Paris/Berlin), 7:00-8:30 PM Mexico City

PBI_APRIL_CAROUSEL1

Power BI Monthly Update - April 2024

Check out the April 2024 Power BI update to learn about new features.

April Fabric Community Update

Fabric Community Update - April 2024

Find out what's new and trending in the Fabric Community.

View All
Top Solution Authors
View All