hjoshi
New Member

Not working: SAP HANA SSO with OPDG

We have set up an SPN for the domain service account, and that account is used to run the gateway service. We have also done the other required settings to add "Delegate to" for the SAP HANA service SPN. Basically, we followed all the steps mentioned in the official documentation to set up SSO to data sources for OPDG.

However, when we check the logs on the HANA side, the user details logged show the username as the domain service account and not the impersonated account of the user who is trying to access the report.

Has anyone seen this problem? Any pointers on what can be wrong here?

joel_gibby_csc
Helper II

This is a topic on which Microsoft is providing surprisingly limited details. It seems people are going around and around for months at a time with no results. Is there a better guide out there than the Microsoft documentation?

v-shex-msft
Community Support

Hi @hjoshi,

I'd like to suggest you take a look at the document below, which mentions how to configure SSO for SAP HANA.

Use Kerberos for SSO (single sign-on) from Power BI to on-premises data sources

To enable Kerberos Constrained Delegation, the gateway must run as a domain account, unless your AAD is already synchronized with your local Active Directory (using AAD DirSync/Connect). For this account change to work correctly, you have two options:

  • If you started with a previous version of the On-premises data gateway, follow precisely all five steps in sequence (including running the gateway configurator in step 3) described in the following article:

    • Changing the gateway service account to a domain user

  • If you already installed the Preview version of the On-premises data gateway, there is a new UI-guided approach to switch service accounts directly from within the gateway’s configurator. See the Switching the gateway to a domain account section near the end of this article.

Kerberos Constrained Delegation Overview

Regards,

Xiaoxin Sheng

Community Support Team _ Xiaoxin
If this post helps, please consider accepting it as the solution to help other members find it more quickly.

We followed these rather cryptic instructions, and did use a Domain Account, since no instruction told us how to determine if we were using AAD DirSync/Connect. However, after impersonation we'd get the UPN='' using <setting name="ADUserNameReplacementProperty" serializeAs="String"><value>sAMAccount</value>. When we changed it to <setting name="ADUserNameReplacementProperty" serializeAs="String"><value>sAMAccountName</value>, it seemed to at least impersonate the user, as shown in the logs as Domain\UserID.

Unfortunately, we now get a new error when trying to run those Direct Query reports on Hana from the Service, saying, "The import [TableName] matches no exports. Did you miss a module reference?"

Since we only selected the Hana View in Desktop, I have no idea what it missed internally or what module it might be referring to. But at least the error changed. I checked, and the .Net libraries are as specified, but Module might refer to .NET modules?
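
The attribute-name mix-up described in the reply above (sAMAccount versus sAMAccountName) can be caught before the gateway is restarted. The following is an added example, not part of the original thread or of Microsoft's tooling: it parses a constructed config fragment and checks the ADUserNameReplacementProperty value against a list of Active Directory user attributes. The attribute list and the function name are assumptions for illustration.

```python
import difflib
import xml.etree.ElementTree as ET

SETTING = "ADUserNameReplacementProperty"

# Assumption: a short list of real AD user attributes often used for identity
# mapping. Extend it with the attributes your directory actually populates.
KNOWN_AD_ATTRIBUTES = ["sAMAccountName", "userPrincipalName", "mail",
                       "displayName", "employeeID", "distinguishedName"]

# Constructed sample input reproducing the two values quoted in the reply.
BROKEN = """<settings>
  <setting name="ADUserNameReplacementProperty" serializeAs="String">
    <value>sAMAccount</value>
  </setting>
</settings>"""
FIXED = BROKEN.replace("sAMAccount<", "sAMAccountName<")


def check_replacement_property(config_xml):
    """Return (value, ok, suggestion) for the setting; raise if it is absent."""
    root = ET.fromstring(config_xml)
    # LDAP attribute names are case-insensitive, so compare in lower case.
    by_lower = {name.lower(): name for name in KNOWN_AD_ATTRIBUTES}
    for setting in root.iter("setting"):
        if setting.get("name") != SETTING:
            continue
        value = (setting.findtext("value") or "").strip()
        if value.lower() in by_lower:
            return value, True, None
        # An unknown attribute resolves to nothing in AD, which matches the
        # empty UPN in the reply; offer the nearest known name as a hint.
        close = difflib.get_close_matches(value.lower(), list(by_lower),
                                          n=1, cutoff=0.6)
        suggestion = by_lower[close[0]] if close else None
        return value, False, suggestion
    raise KeyError(SETTING + " not found in config")


if __name__ == "__main__":
    for label, xml_text in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_replacement_property(xml_text))
```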
