We have set up an SPN for the domain service account, and that account is used to run the gateway service. We have also done the other required settings to add "Delegate to" for the SAP HANA service SPN. Basically, we followed all the steps mentioned in the official documentation to set up SSO to data sources for OPDG.
However, when we check the logs on the HANA side, the user details logged show the username as the domain service account and not the impersonated account of the user who is trying to access the report.
Has anyone seen this problem? Any pointers on what can be wrong here?
This is a topic on which Microsoft is providing surprisingly limited details. It seems people are going around and around for months at a time with no results. Is there a better guide out there than the Microsoft documentation?
Hi @hjoshi,
I'd like to suggest you take a look at the document below, which mentions how to configure SSO for SAP HANA.
Use Kerberos for SSO (single sign-on) from Power BI to on-premises data sources
To enable Kerberos Constrained Delegation, the gateway must run as a domain account, unless your AAD is already synchronized with your local Active Directory (using AAD DirSync/Connect). For this account change to work correctly, you have two options:
If you started with a previous version of the On-premises data gateway, follow precisely all five steps in sequence (including running the gateway configurator in step 3) described in the following article:
Kerberos Constrained Delegation Overview
Regards,
Xiaoxin Sheng
We followed these rather cryptic instructions and did use a Domain Account, since no instruction told us how to determine if we were using AAD DirSync/Connect. However, after impersonation we'd get the UPN='' using <setting name="ADUserNameReplacementProperty" serializeAs="String"><value>sAMAccount</value>; when we changed it to <setting name="ADUserNameReplacementProperty" serializeAs="String"><value>sAMAccountName</value> it seemed to at least impersonate the user, as shown in the logs as Domain\UserID.
Unfortunately, we now get a new error when trying to run those Direct Query reports on HANA from the Service, saying, "The import [TableName] matches no exports. Did you miss a module reference?"
Since we only selected the HANA View in Desktop, I have no idea what it missed internally or what module it might be referring to. But at least the error changed. I checked, and the .NET libraries are as specified, but Module might refer to .NET modules?
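A read-only check of the settings discussed in this thread, as an added example that is not part of any post or of Microsoft's documentation: it reports whether the gateway account has an SPN, whether the HANA SPN is in its "Delegate to" list, and what value the configured ADUserNameReplacementProperty attribute actually holds for a test user. It assumes the ActiveDirectory PowerShell module is installed; all four parameter values, including the path of the gateway config file, are placeholders to be supplied.

```powershell
# Added example: every parameter value is a placeholder supplied by the reader.
param(
    [Parameter(Mandatory)] [string] $GatewayAccount,    # account the gateway service runs as
    [Parameter(Mandatory)] [string] $HanaSpn,           # SPN of the SAP HANA service
    [Parameter(Mandatory)] [string] $TestUser,          # a report user who should be impersonated
    [Parameter(Mandatory)] [string] $GatewayConfigPath  # config file containing ADUserNameReplacementProperty
)
Import-Module ActiveDirectory

# Delegation-related attributes of the gateway service account.
$svc = Get-ADUser -Identity $GatewayAccount -Properties servicePrincipalName,
    'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation, TrustedForDelegation
$spns      = @($svc.servicePrincipalName | Where-Object { $_ })
$delegates = @($svc.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

# Which AD attribute the gateway is configured to send as the user name.
[xml]$cfg = Get-Content -LiteralPath $GatewayConfigPath -Raw
$node = $cfg.SelectSingleNode("//setting[@name='ADUserNameReplacementProperty']/value")
$attr = if ($node) { $node.InnerText.Trim() } else { '' }

# Resolve that attribute for the test user. An attribute name that does not
# exist in the schema makes Get-ADUser throw, so report it and keep an empty value.
$mapped = ''
if ($attr) {
    try {
        $u = Get-ADUser -Identity $TestUser -Properties $attr -ErrorAction Stop
        $mapped = [string]$u.$attr
    } catch {
        Write-Warning "Attribute '$attr' could not be read for ${TestUser}: $($_.Exception.Message)"
    }
}

[pscustomobject]@{
    GatewayAccountHasSpn   = $spns.Count -gt 0
    HanaSpnInDelegateTo    = $delegates -contains $HanaSpn   # exact SPN match, case-insensitive
    ProtocolTransition     = [bool]$svc.TrustedToAuthForDelegation  # "Use any authentication protocol"
    UnconstrainedDelegation = [bool]$svc.TrustedForDelegation       # should be False for constrained delegation
    ReplacementProperty    = $attr
    MappedUserValue        = $mapped
    MappedValueIsEmpty     = [string]::IsNullOrEmpty($mapped)
}
```

An empty MappedUserValue corresponds to the UPN='' symptom described above, and a False HanaSpnInDelegateTo means the SPN string passed in does not match any entry on the account's delegation list.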