mbernasc
Regular Visitor

SAP BW SSO Kerberos uses "User logon name" instead of "User Logon name (pre-Windows 2000)"

I configured the on-premises gateway for communication via SSO (Kerberos) to SAP BW according to Microsoft's instructions.
I log on to the O365 portal using OAuth and the user name <firstname>.<lastname>@domain.ch (in the AD tab "Account", the attribute "User Logon Name"). This username will be stored as owner of the dataset.

If I try to update the dataset via SSO over the gateway, I get the following error message in the SECTRACE:

 

InitializeSecurityContextA failed: Error 0x8009030E(No credentials are available in the security package). Preparation for kerberos failed!
Getting kerberos ticket for 'SAP/WI3' failed (user name is <firstname>.<lastname>@domain.ch)

 

However, Kerberos tickets are currently assigned to the "User Logon Name (pre-Windows 2000)". This convention looks like this: u<ascending number>.

Does anyone have any idea how I can solve this problem?

2 REPLIES
v-jingzhang
Community Support

Hi @mbernasc 

 

The "User Logon Name (pre-Windows 2000)" variant only supports 20 characters of username, so a username exceeding 20 characters from Power BI Service is a possible cause of this problem. You could seek help from the domain administrator to confirm whether it is possible to have the Kerberos tickets assigned to "User Logon Name".

 

In addition, the gateway must map the Azure Active Directory UPN to a local Active Directory identity:

a. If Azure AD DirSync (also known as Azure AD Connect) is configured, then the mapping works automatically in the gateway.

b. Otherwise, the gateway can look up and map the Azure AD UPN to a local AD user by performing a lookup against the local Active Directory domain. 

Has the dataset owner's account been mapped to a Windows account correctly, and does this Windows account have permissions on the local data source?

 

Hi @v-jingzhang 

 

Thanks so far. 

 

The "User Logon Name (pre-Windows 2000)" has just 7 characters. Azure AD Connect is configured and works well.
"You could seek help from the domain administrator to confirm is it possible to make the Kerberos tickets assigned to "User Logon Name"?" -> This could be plan B, but going this way will take a long time.

 

"Has the dataset owner's account mapped to a windows account correctly and this windows account has permissions on the local data source?" Yes, the mapping works well but the problem is the following:
<firstname>.<lastname>@domain.ch corresponds to the User Principal Name from the Active Directory (Azure AD and local AD). Kerberos tickets can however only be solved with the samAccountName. In my case this is u<ascending number>@domain.ch.
I tried to solve the problem with the gateway attributes "ADUserNameReplacementProperty" and "ADUserNameLookupProperty". But this does not seem to work or, as I guess, works only with Analysis Services. I tried to get a connection up and running with SAP BW. Are there any limitations?
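
The UPN-to-local-account mapping this thread revolves around, as an added example that is not part of any post and is not the gateway's own code: a small model of lookup-then-replace using the two property names from the question. The matching semantics, the `mail` lookup attribute and all directory entries are assumptions constructed for illustration.

```python
SAM_MAX = 20  # pre-Windows 2000 logon name limit mentioned in the thread

# Constructed directory entries, not real accounts.
DIRECTORY = [
    {"sAMAccountName": "u100042", "userPrincipalName": "anna.muster@domain.ch",
     "mail": "anna.muster@domain.ch"},
    {"sAMAccountName": "u100043", "userPrincipalName": "ben.beispiel@domain.ch",
     "mail": "team.bw@domain.ch"},
    {"sAMAccountName": "u100044", "userPrincipalName": "cara.probe@domain.ch",
     "mail": "team.bw@domain.ch"},               # shared address: ambiguous lookup
    {"userPrincipalName": "dora.test@domain.ch"},  # replacement attribute missing
]


class MappingError(Exception):
    """The incoming UPN cannot be mapped to exactly one usable local identity."""


def attr(entry, name):
    """Directory attribute names are case-insensitive; read them that way."""
    return next((v for k, v in entry.items() if k.lower() == name.lower()), None)


def map_identity(incoming_upn, directory,
                 lookup_property="userPrincipalName",
                 replacement_property="sAMAccountName"):
    """Model (assumed semantics): find the one account whose lookup_property
    equals the incoming UPN and return its replacement_property value."""
    wanted = incoming_upn.strip().lower()
    hits = [e for e in directory if (attr(e, lookup_property) or "").lower() == wanted]
    if not hits:
        raise MappingError(f"no account with {lookup_property}={incoming_upn}")
    if len(hits) > 1:
        raise MappingError(f"{len(hits)} accounts share {lookup_property}={incoming_upn}")
    value = attr(hits[0], replacement_property)
    if not value:
        raise MappingError(f"matched account has no {replacement_property}")
    if replacement_property.lower() == "samaccountname" and len(value) > SAM_MAX:
        raise MappingError(f"{value!r} exceeds {SAM_MAX} characters")
    return value


if __name__ == "__main__":
    for upn in ("Anna.Muster@domain.ch", "dora.test@domain.ch", "nobody@domain.ch"):
        try:
            print(upn, "->", map_identity(upn, DIRECTORY))
        except MappingError as err:
            print(upn, "-> unmapped:", err)
```

Comparing the value returned for the dataset owner with the user name printed in the SECTRACE line shows whether a replacement was applied before the ticket request.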
