Skip to main content
cancel
Showing results for 
Search instead for 
Did you mean: 

Earn the coveted Fabric Analytics Engineer certification. 100% off your exam for a limited time only!

Reply
ManxShred
Frequent Visitor

PBI RS Chrome Kerberos

Has anyone managed to get Kerberos to work with Power BI report server on Chome?

 

We have a PBI report deployed to our RS using a direct query to our tabular model.  I have setup all of the required SPN's, AD delegation settings and report server config is set to RSNegotiate.

When you open the report in IE, it works perfectly and returns data from the model.

When you open the same report in Chrome, it errors:

We couldn't connect to the Analysis Services server. The server forcibly closed the connection. To connect as the user viewing the report, your organization must have configured Kerberos constrained delegation.

 

According to https://docs.microsoft.com/en-us/sql/reporting-services/browser-support-for-reporting-services-and-p...,

 Chrome only supports "Negotiate, NTLM, Basic", while IE supports "Negotiate, Kerberos, NTLM, Basic", which I guess means MS has decided to not allow Kerberos through Chrome.

 

Has anyone got this working?

9 REPLIES 9
pbx
Helper V
Helper V

We do have Kerberos working with Chrome without any problems. Troubleshooting Kerberos sometimes could be difficult, so let's start with the basics first:

  1. You mentioned that authentication is set to RSNegotiate in server config. This should be RSWindowsNegotiate, could you please cofirm that?
  2. If that is set correctly, then you need to check the version of Chrome. The later versions of Chrome use IE settings for integrated Windows authentication, older versions required registry changes, but I have seen sometimes registry changes are also required for later versions of Chrome. We can get back to this later, but for now make sure you are using the latest version of Chrome.
  3. After connecting to the portal, please issue a klist from command line, do you get something like the following in the list?Client: yourusername @ domain.realm
    Server: HTTP/server.url @ domain.realm
ManxShred
Frequent Visitor

1.  Yes it is:

<AuthenticationTypes>
<RSWindowsNegotiate />
</AuthenticationTypes>

 

2. Latest version of public chrome, 63.0.3239.132.

 

3. Yes, I have an entry for the webserver in my KLIST.

I tried a few things with the kerberos tickets.  I purged the ticket cache, then opened the report via IE to see what tickets were opened.  This opened 3 tickets

#0 to the krbtgt using RSADSI RC4-HMAC(NT) encrytion

#1 to the krbtgt using AES-256-CTS-HMAC-SHA1-96 encryption

#2 to the HTTP/PBIRS using RSADSI RC4-HMAC(NT) encryption

 

when I do the same actions via chrome, it only opens 2 tickets:

#0 to the krbtgt using AES-256-CTS-HMAC-SHA1-96 encryption

#1 to the HTTP/PBIRS using RSADSI RC4-HMAC(NT) encryption

 

I'm not sure if that makes any difference?

What does the DNS record for your server looks like? Is it a CNAME or A record?
ManxShred
Frequent Visitor

The web server it is the server name, so is an A record.

The SSAS server is through a CNAME, however I did test using the server name directly as I already had the SPN's created for the base server with the same results, it works in IE and not in chrome.

Ok, let's see:
1- Are you using a mix of versions for Active Directory? Specially 2003 and 2012?
2- What exact error is recorded in log files?
3- Can you enable Kerberos logging on server and see the event logs?
4- Can you trace network on the server with Wireshark and catch authentication errors?
ManxShred
Frequent Visitor

Thanks for your help, I have got this working.

This had been configured using "Trust this computer for delegation to any service" rather than the specified services only.

 

We had to jump through some hoops, but once done this was enabled and Chrome now works.  It looks like IE and Edge were not really following the Kerberos rules as they allowed the delegation to happen when it wasn't setup correctly.

Anonymous
Not applicable

Hi, may I ask whether you changed the delegation setting from "Trust this computer for delegation to any service" to "Selected Service Only: Use any authentication protocol" or the other way around?

 

Thank you so much in advance.

 

Best,

The delegation needs to be configured on for specific services.  We had it configured as "trust all services" and changed to the specified services.

ManxShred
Frequent Visitor

Has anyone managed to get Kerberos to work with Power BI report server on Chome?

 

We have a PBI report deployed to our RS using a direct query to our tabular model.  I have setup all of the required SPN's, AD delegation settings and report server config is set to RSNegotiate.

When you open the report in IE, it works perfectly and returns data from the model.

When you open the same report in Chrome, it errors:

We couldn't connect to the Analysis Services server. The server forcibly closed the connection. To connect as the user viewing the report, your organization must have configured Kerberos constrained delegation.

 

According to https://docs.microsoft.com/en-us/sql/reporting-services/browser-support-for-reporting-services-and-p...,

 Chrome only supports "Negotiate, NTLM, Basic", while IE supports "Negotiate, Kerberos, NTLM, Basic", which I guess means MS has decided to not allow Kerberos through Chrome.

 

Has anyone got this working?

Helpful resources

Announcements
April AMA free

Microsoft Fabric AMA Livestream

Join us Tuesday, April 09, 9:00 – 10:00 AM PST for a live, expert-led Q&A session on all things Microsoft Fabric!

March Fabric Community Update

Fabric Community Update - March 2024

Find out what's new and trending in the Fabric Community.

Top Solution Authors