WallyCode
Frequent Visitor

On-Premise Gateway bypassing Corporate Proxy during registration

I'm trying to set up a new On-Premise Gateway as part of a server migration to a new data center.  I got the test server up and running with no issues but firewall security is much tighter on the production server and I can't get past the Registration step.

WallyCode_0-1633039516426.png

I've been reading about this for days now...and running Wireshark to capture packets. Apparently the Registration wants to communicate directly with an Azure login via Port 80...which is totally bypassing the corporate proxy. So then I changed the On-Premise Service to use a domain service account vs the default and gave that login admin privileges on the server and set the user to use the proxy via IE - LAN Settings. I'm no longer seeing any direct communication so I'm guessing it's using the proxy now but I'm still getting the above message.

 

I'm using the latest version (3000.96.1). We have a premium license. I'm using the same email account as two other working Gateways. I'm the admin. OS is Server 2019. Both Test and Prod use the same proxy. Has anyone dealt with a similar issue? Suggestions?

 

I found the following in the logs if this helps:

EnterpriseGatewayConfigurator.exe Information: 0 : (False) MSAL 4.27.0.0 MSAL.Desktop Microsoft Windows NT 6.2.9200.0 [09/30/2021 22:14:25 - ]
EnterpriseGatewayConfigurator.exe Error: 0 : (False) MSAL 4.27.0.0 MSAL.Desktop Microsoft Windows NT 6.2.9200.0 [09/30/2021 22:14:25 - ] Exception type: Microsoft.Identity.Client.MsalClientException
, ErrorCode: authentication_ui_failed

at Microsoft.Identity.Client.Platforms.net45.WindowsFormsWebAuthenticationDialog.ShowBrowser()
at Microsoft.Identity.Client.Platforms.net45.WindowsFormsWebAuthenticationDialog.OnAuthenticate()
at Microsoft.Identity.Client.Platforms.net45.WindowsFormsWebAuthenticationDialogBase.AuthenticateAAD(Uri requestUri, Uri callbackUri)
at Microsoft.Identity.Client.Platforms.net45.InteractiveWebUI.OnAuthenticate()
at Microsoft.Identity.Client.Platforms.net45.WebUI.<>c__DisplayClass20_0.<AcquireAuthorizationAsync>b__0()
at System.Threading.Tasks.Task.Execute()
EnterpriseGatewayConfigurator.exe Error: 0 : (False) MSAL 4.27.0.0 MSAL.Desktop Microsoft Windows NT 6.2.9200.0 [09/30/2021 22:14:25 - ] Exception type: Microsoft.Identity.Client.MsalClientException
, ErrorCode: authentication_ui_failed

at Microsoft.Identity.Client.Platforms.net45.WebUI.<AcquireAuthorizationAsync>d__20.MoveNext()
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Identity.Client.Internal.Requests.RequestBase.<RunAsync>d__13.MoveNext()
EnterpriseGatewayConfigurator.exe Error: 0 : Error authenticating user: The browser based authentication dialog failed to complete for an unknown reason. StatusCode: 200.
EnterpriseGatewayConfigurator.exe Error: 0 : Exception details: MSAL.Desktop.4.27.0.0.MsalClientException:
ErrorCode: authentication_ui_failed
Microsoft.Identity.Client.MsalClientException: The browser based authentication dialog failed to complete for an unknown reason. StatusCode: 200
at Microsoft.Identity.Client.Platforms.net45.WebUI.<AcquireAuthorizationAsync>d__20.MoveNext()
--- End of stack trace from previous location where exception was thrown ---

1 ACCEPTED SOLUTION

lbendlin Thank you for your responses! Your steps are rock solid and will be very helpful to people reading this. But if it still doesn't work??? Our security team had disabled PKCS on the server. Once we enabled that again...worked perfectly.


8 REPLIES 8
lbendlin
Super User

If your environment requires proxies then you need to modify three files in your gateway installation

 

C:\Program Files\On-premises data gateway\enterprisegatewayconfigurator.exe.config
C:\Program Files\On-premises data gateway\Microsoft.PowerBI.EnterpriseGateway.exe.config

<system.net>
    <defaultProxy useDefaultCredentials="true">
        <proxy proxyaddress="http://yourproxy:yourport" bypassonlocal="true" />
    </defaultProxy>
</system.net>

 

If your gateway serves mixed datasets that include an online sharepoint data source you also need to modify the contents of 

C:\Program Files\On-premises data gateway\m\Microsoft.Mashup.Container.NetFX45.exe.config 

to include the same setting inside the <configuration> tag.

 

There is documentation here Configure proxy settings for the on-premises data gateway | Microsoft Docs but it is outdated, inaccurate, and pretty much useless.

 

I shared my "Lessons learned from managing enterprise gateway cluster"  here a while back. It's not pretty.
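
A read-only check of the three config files named in the post above, as an added example (not part of the original post and not Microsoft tooling): it reports the `<defaultProxy>` values each file carries and flags a missing, misplaced or unedited block. The function name `Get-GatewayProxySetting` and the problem messages are made up for this example; the install path is the default one quoted in the post.

```powershell
# Added example: read-only audit of the proxy block in the three config files.
param([string]$GatewayDir = 'C:\Program Files\On-premises data gateway')

# Relative paths of the three files named in the post.
$configFiles = @(
    'enterprisegatewayconfigurator.exe.config',
    'Microsoft.PowerBI.EnterpriseGateway.exe.config',
    'm\Microsoft.Mashup.Container.NetFX45.exe.config'
)

function Get-GatewayProxySetting {   # hypothetical helper name
    param([string]$Path)
    $r = [ordered]@{
        File                  = Split-Path $Path -Leaf
        ProxyAddress          = $null
        UseDefaultCredentials = $null
        BypassOnLocal         = $null
        Problem               = $null
    }
    if (-not (Test-Path -LiteralPath $Path)) { $r.Problem = 'file not found'; return [pscustomobject]$r }
    try   { $xml = [xml](Get-Content -LiteralPath $Path -Raw) }
    catch { $r.Problem = 'not well-formed XML'; return [pscustomobject]$r }

    # The post places <system.net> directly inside <configuration>.
    $dp = $xml.SelectSingleNode('/configuration/system.net/defaultProxy')
    if ($null -eq $dp) { $r.Problem = 'no <defaultProxy> under <configuration>/<system.net>'; return [pscustomobject]$r }
    $r.UseDefaultCredentials = $dp.GetAttribute('useDefaultCredentials')

    $proxy = $dp.SelectSingleNode('proxy')
    if ($null -eq $proxy) { $r.Problem = '<defaultProxy> has no <proxy> element'; return [pscustomobject]$r }
    $r.ProxyAddress  = $proxy.GetAttribute('proxyaddress')
    $r.BypassOnLocal = $proxy.GetAttribute('bypassonlocal')

    # Catch the sample value copied verbatim, then anything that is not a usable URI.
    $uri = $null
    if ($r.ProxyAddress -match 'yourproxy|yourport') {
        $r.Problem = 'placeholder value from the post was not replaced'
    } elseif (-not [uri]::TryCreate($r.ProxyAddress, [System.UriKind]::Absolute, [ref]$uri)) {
        $r.Problem = 'proxyaddress is not an absolute URI'
    }
    [pscustomobject]$r
}

$configFiles |
    ForEach-Object { Get-GatewayProxySetting -Path (Join-Path $GatewayDir $_) } |
    Format-Table -AutoSize -Wrap
```

An empty Problem column on all three rows means the files agree with the settings in the post; it does not test whether the proxy itself lets the traffic through.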

Thanks for the response!

 

I did see several documents talking about using proxies including the one you linked. I've set my config files as follows and still no luck. I've also uninstalled and started over.

WallyCode_0-1633115758545.png

One document that I found interesting was this one...

https://blog.azureinfra.com/2017/03/06/powerbi-gateway-and-proxies/

 

I partially installed the gateway on my laptop (which does not use a proxy) this morning and ran Wireshark. All OB traffic was on port 443. But the default install on the server with a proxy tried to use port 80. Then when I switched to a domain svc account the port 80 traffic disappeared but still can't get to the next step.

 

I'm sure something is blocked on the server but I can't figure out what I'm missing so can't request for it to be opened.  I know OB 443 is open.

We have dozens of gateway clusters running with the setting I shared. I would call it "battle hardened"  as it took us a long time and quite a few Pro tickets to get there.

 

Deinstall the gateway, reinstall it using the default settings. Then apply the proxy settings.  Then restart the service. Then login to register the gateway.  I guarantee that will work*.

 

*) on a Windows Server 2019 VM, assuming you have also added all the Trusted Sites.  On a Windows Server 2012 VM there are about 15 other steps that you need to take to make it work.


What reason did your security team give for disabling PKCS? Do they consider it a weak cipher?

They didn't give one.  I work for a very large corp and I don't actually know any of them.  We got one on the phone to help troubleshoot and after a bit he asked his team if they had any ideas.  An hour later he said he turned PKCS on and rebooted.  Once it came back up...I was able to register the Gateway.  That's all the info I was given. 

They have everything locked down by default and we have to request exceptions from the Risk team.  One of the symptoms was we were unable to browse the web on IE but could on Chrome.

Since both Test and Production servers (both 2019 VMs) use the exact same proxy, and given the fact that Test is working perfectly, I'm going to "assume" the Trusted Sites have been added to the Proxy. I have not searched for that list nor do I have access to any of the proxy settings. I'd have to put in a ticket to get someone from the proxy team to talk to me.

But I doubt I'll get any traction today so I'll definitely try another uninstall and reinstall.
