topic Re: Parsing WS-Trust Power BI embedded in Developer

Parsing WS-Trust Power BI embedded

Juramirez — Fri, 16 Feb 2018 00:47:10 GMT

Hi all

I'm having a problem when embedding a report, the following excepction appears:

parsing_wstrust_response_failed: Parsing WS-Trust response failed

What could it be?

Regards

Re: Parsing WS-Trust Power BI embedded

v-ljerr-msft — Mon, 19 Feb 2018 08:38:12 GMT

Hi @Juramirez,

Could you do some debugging on your application to find out which code you're using is throwing this error, and post the code here? So that we can better assist on this issue.

Regards

Re: Parsing WS-Trust Power BI embedded

Juramirez — Mon, 19 Feb 2018 22:44:03 GMT

Hi @v-ljerr-msft

Thanks for reply. This is the code that is giving me the exception:

var authenticationResult = await authenticationContext.AcquireTokenAsync("https://analysis.windows.net/powerbi/api", "CLIENT ID FROM AZURE", credential);

It works inside a development server but in a production server it marks the exception. How can I solve it? Why is it happening?

Regards

Re: Parsing WS-Trust Power BI embedded

Juramirez — Fri, 02 Mar 2018 17:42:52 GMT

Hi @v-ljerr-msft. Any update about this? Still facing this problem :S

Regards

Re: Parsing WS-Trust Power BI embedded

orygreg — Sun, 15 Apr 2018 17:31:31 GMT

Hi @Juramirez,

Did you ever get this resolved? I'm facing exact same issue.

The only way I've gotten the embedding to "work" is to use an older version of the "Microsoft.IdentityModel.Clients.ActiveDirectory" NuGet package - one WITHOUT the AcquireTokenAsync() call, it just has AcquireToken(). But this brings up the credentials prompt.

Thanks,

Greg

Re: Parsing WS-Trust Power BI embedded

orygreg — Sun, 15 Apr 2018 17:36:51 GMT

Hi @Juramirez,

Have you found a solution to this yet? I'm facing the same exact issue.

The only way I could get the embedding to "work" was use an older version of "Microsoft.IdentityModel.Clients.ActiveDirectory", which uses AcquireToken() instead of AcquireTokenAsync() - but the user is prompted for credentials since they can't be passed (or, I have figured out how to pass them).

Thanks,

Greg

Re: Parsing WS-Trust Power BI embedded

orygreg — Mon, 16 Apr 2018 18:00:52 GMT

Hi @Juramirez,

Did you ever get this working? I have similar problem - except my error on the "AcquireTokenAsync" call is: "Microsoft.IdentityModel.Clients.ActiveDirectory.AdalException: parsing_wstrust_response_failed: Parsing WS-Trust response failed".

I can make it work, sort of, if: 1) I revert to a much older install of "Microsoft.IdentityModel.Clients.ActiveDirectory" (one WITHOUT the Async method), and 2) I use AcquireToken (not AcquireTokenAsync). Of course, then I get prompted for credentials.

Thanks,

Greg

Re: Parsing WS-Trust Power BI embedded

Anonymous — Thu, 12 Jul 2018 06:20:02 GMT

Any update on this please? Sitting with the same problem...

Re: Parsing WS-Trust Power BI embedded

annafsh — Sat, 21 Jul 2018 00:12:34 GMT

Hello, we are facing the same issue. Any update?

Re: Parsing WS-Trust Power BI embedded

annafsh — Sat, 21 Jul 2018 00:16:13 GMT

Hello, we are facing the same issue. Any update?

Re: Parsing WS-Trust Power BI embedded

Anonymous — Mon, 23 Jul 2018 08:48:45 GMT

DId an nslookup on analysis.windows.net.... No answer. Strange, this is...

Re: Parsing WS-Trust Power BI embedded

annafsh — Thu, 26 Jul 2018 22:15:18 GMT

In our case, ADFS was blocked for passive authentication requests from outside the network.

Try to enable ADAL logging to check where the error comes from.

Re: Parsing WS-Trust Power BI embedded

Anonymous — Mon, 30 Jul 2018 06:26:33 GMT

Seems you're right. Busy troubleshooting with MS and it seems to be related to ADFS. They also suggested direct authentication. More updates to follow...

Re: Parsing WS-Trust Power BI embedded

dudess — Tue, 31 Jul 2018 12:17:13 GMT

@Anonymous, Can you please update how this issue is being addressed? applying HRD policy is not an option our security guys are entertaining.

Re: Parsing WS-Trust Power BI embedded

Anonymous — Tue, 31 Jul 2018 12:22:29 GMT

The sample I'm using is using Resource owner password credentials flow for authentication. With this authentication flow, my application just sends the username and password to Azure AD. However, Azure AD using WS-Trust with ADFS to send username or password. However the ROPC has some limitations and it may not work for this federated user accounts.

Microsoft suggests this:

You can try to use Direct Authentication for federated user accounts if you cannot use WS-trust.

Azure AD has turned off the ability (by default) for customers to utilize the legacy-based authentication method of Direct Authentication for federated user accounts.

Direct Authentication for federated user accounts is the means of utilizing an Azure AD stored Password Hash to authenticate a federated user directly with Azure AD and retrieving a token from us without being sent to the Identity Provider for the account. As you probably have noticed, this ‘feature’ isn’t the best from a security perspective.

There is a way to turn this back on for the customer but we recommend you only do so on a per-app basis since the nature of this change will open the customer up to legacy authentication mechanisms for their entire tenant. The script supplied to customers who have one (1) application to turn this on with is as follows:

Enable both of Password hash synchronization and Federation with ADFS in Azure AD Connect sync.

Install the Azure AD Preview PowerShell Module.

Run the following line-by-line (making sure the variable $sp doesn’t have more than 1 application as a result)

Connect-AzureAD

$sp = Get-AzureADServicePrincipal -SearchString "Name_Of_Application"

$policy = New-AzureADPolicy -Definition @("{`"HomeRealmDiscoveryPolicy`":{`"AllowCloudPasswordValidation`":true}}") -DisplayName EnableDirectAuth -Type HomeRealmDiscoveryPolicy -IsOrganizationDefault $false

Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id

HTH!