tomejek
Regular Visitor

SAP Hana SSO in multi domain environment

Hello guys,

 

I'm trying to set up SSO on a SAP Hana datasource. I'm running out of ideas, any help would be appreciated 🙂

 

In my organization we have a parent-child AD environment; let's name these domains 'ParentDomain' and 'Child1Domain'. My organizational account is in Child1Domain.

 

At the moment I have the following configuration:

Service account with configured constrained delegation (any protocol) which runs Gateway - ParentDomain/ServiceAccount

While invoking the report I get

Microsoft.PowerBI.DataMovement.Pipeline.Diagnostics.FailedToImpersonateUserException: Failed to impersonate user <pi>MyAccount@Child1Domain</pi>; ErrorShortName: FailedToImpersonateUserException/FailedToImpersonateUserException/SecurityException

 

Below there is also:

Microsoft.PowerBI.DataMovement.Pipeline.Diagnostics.FailedToImpersonateUserException: Failed to impersonate user UserId

 

 

I used to have a different configuration which was failing a few steps later, in the delegation process. Impersonation worked just fine.

Service account with unconstrained delegation (any services) - Child1Domain/ServiceAccount

When invoking the report I was getting

[SAP AG][LIBODBCHDB DLL][HDBODBC] Communication link failure;-10709 Connection failed (RTE:[-1] Kerberos error. Major: "Miscellaneous failure [851968]", minor: "No credentials are available in the security package

 

 

Is it possible to configure my multi-domain environment so that it works for users in child domains while the service account is in the parent domain?

I suspect that my current configuration fails because the service account tries to impersonate my account in the parent domain instead of the child domain/entire directory. I don't know if there is any way of configuring that. The strange thing is that when I changed the "ADUserNameLookupProperty" and "ADUserNameReplacementProperty" properties, the gateway correctly replaced my UPN, so it finds my account in AD.

 

Does anyone know what I am doing wrong/how to configure it properly?

2 REPLIES
v-yulgu-msft
Employee

Hi @tomejek,

 

As I was not able to reproduce your scenario on my current environment, you could create a support ticket here for further analysis.

 

Regards,

Yuliana Gu

Community Support Team _ Yuliana Gu
If this post helps, then please consider accepting it as the solution to help the other members find it more quickly.

Hi @v-yulgu-msft,

 

I've already submitted a ticket about a week ago. I just thought someone from the community had tackled a similar issue before and could share his thoughts on the problem.

 

BR,

Tomasz
