Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Register now to learn Fabric in free live sessions led by the best Microsoft experts. From Apr 16 to May 9, in English and Spanish.

Reply
dbeavon3
Continued Contributor
Continued Contributor

Power bi service connect to ssas with sso

‎03-24-2019 05:24 PM
I've been able to set up service gateway to connect to ssas md on prem. It seemed easy at first glance but don't like two things. 1) requires entering ssas md server admin credentials to allow users to connect via 'effective user' spoofing , 2) the user mapping strategy for 'effective user' seems fragile and error prone.


I see that there are some other power-bi-service data-sources that will allow sso, via Kerberos kcd. And I see that on-prem power-bi-report-server also supports Kerberos kcd for ssas. Any plans to allow bi service to authorize users to ssas md, by using Kerberos kcd?
Labels:
Message 1 of 5
1,543 Views
0
4 REPLIES 4
GilbertQ
Super User
Super User

‎03-24-2019 09:48 PM
Hi there

Yes it can be a challenge to potentially map the users through to your MD model.

With that being said I have not had an issues once they have been mapped through and it has worked.

As far as I am aware there is nothing in the pipeline for SSO for MD.

There is quite possibly an idea that you could vote on at https://ideas.powerbi.com




Did I answer your question? Mark my post as a solution!

Proud to be a Super User!







Power BI Blog

Message 2 of 5
1,530 Views
0
dbeavon3
Continued Contributor
Continued Contributor
In response to GilbertQ

‎03-25-2019 07:03 AM

Just to be clear, I found the following link that says SQL Server *is* supported for Kerberos constrained delegation:

https://docs.microsoft.com/en-us/power-bi/service-gateway-sso-kerberos

 

... but it sounds like you are telling me that doesn't refer to SSAS MD, but is only referring to the SQL relational database?  Am I getting that right?

 

Why was SSAS MD excluded from this feature?  We've been using Kerberos delegation to query our OLAP MD cubes for many, many years (eg. from Excel Services in Sharepoint).  I would have thought this would be just as easy to support this feature for SSAS MD as it is for the SQL relational database.

 

I'm not crazy about the requirement of sharing the SSAS Server Admin credentials out to people who are developing Power BI reports and dashboards.   If they don't need it to create an Excel workbook, they shouldn't need it to create a Power BI report.  

 

I am new to Power BI.  Is this going to be a regular theme?  Will it typically require granting super-user credentials to any data sources that are used?  So far I've only played with connecting to SSAS MD via the gateway.

 

 

Message 3 of 5
1,517 Views
0
GilbertQ
Super User
Super User
In response to dbeavon3

‎03-25-2019 03:00 PM
Hi there

You have to remember that in order to connect to an SSAS Instance be that MD or Tabular it has to first authenticate with an Admin Account.

After this it does use the Impersonation which has been running like this for many years.
When configuring the data source in the gateway this should be secured for only people with the correct permissions to setup the data source via the Gateway. And in my opinion this is secure.

With regards to SSAS MD due to it being an older technology it was not built for the cloud, so these things can take longer, or there is possibly a different priority from Microsoft it would seem.




Did I answer your question? Mark my post as a solution!

Proud to be a Super User!







Power BI Blog

Message 4 of 5
1,499 Views
0
dbeavon3
Continued Contributor
Continued Contributor
In response to GilbertQ

‎03-25-2019 03:46 PM

>> You have to remember that in order to connect to an SSAS Instance be that MD or Tabular it has to first authenticate with an Admin Account.

 

I remember this very well and it is my main complaint.  A team responsible for building reports shouldn't have to have the server-admin credentials to the entire SSAS instance.  That seems totally silly, considering that the BI reports themselves don't require that level of authorization.  

 

Now that other data sources are capable of using normal Kerberos KCD, it is unfortunate that SSAS MD is left out in the cold.

 

I will test the "effective user" behavior and see if it will work for us in our environment.   After reading over the available docs, they don't make me very optimistic (ie. UPN's needing to match email addresses, user-mapping needs to be done manually in some cases, etc).  

 

>> With regards to SSAS MD due to it being an older technology it was not built for the cloud,

 

OK, let me ask what is older SQL relational databases, or SQL analysis services?  Both of these are very mature and if they are supporting SSO with with SQL relational databases, they should do it with SSAS MD too.  We've been using Kerberos KCD on-prem with SSAS for many years.  It seems unfortunate that Microsoft wouldn't get the Power BI service to do Kerberos KCD with SSAS, the same as they do for SQL relational databases. 

 

 

Message 5 of 5
1,493 Views
0

Helpful resources

Announcements
Microsoft Fabric Learn Together

Microsoft Fabric Learn Together

Covering the world! 9:00-10:30 AM Sydney, 4:00-5:30 PM CET (Paris/Berlin), 7:00-8:30 PM Mexico City

PBI_APRIL_CAROUSEL1

Power BI Monthly Update - April 2024

Check out the April 2024 Power BI update to learn about new features.

April Fabric Community Update

Fabric Community Update - April 2024

Find out what's new and trending in the Fabric Community.

View All
Top Solution Authors
View All
Top Kudoed Authors
View All