Find everything you need to get certified on Fabric—skills challenges, live sessions, exam prep, role guidance, and more. Get started
Hi,
We have an on premise PBIRS environment which is using the default windows authentication. Is there a way to give every user to be promoted to enter username and password?
Thanks.
Solved! Go to Solution.
Yes, kiosk PCs are a slightly different use case. If you want EVERYONE that connects to PBIRS to be prompted then you could switch from using Windows auth to using Basic auth (see https://docs.microsoft.com/en-us/sql/reporting-services/security/configure-basic-authentication-on-t... ) Note: you should make sure you have HTTPS configured when using basic auth as the credentials are sent in clear text as part of the request.
The only issue then is that there is no "logout" button in the report portal, so the only way to "logout" is to close ALL browser windows. Closing just the current tab is not enough.
I asked that same question a short time ago. On my intranet, I always ask for login to access the reports.
Until today I couldn't solve it.
See links:
https://github.com/microsoft/Reporting-Services/issues/186
I'm pretty sure that the decision of whether to prompt for credentials is made by the client machine, by default if the url is detected as being in the Intranet or Trusted Sites zones (which you configure either using Group Policy or in the Internet Options on the client machines). If you configured the PBIRS url to be in the Intranet zone the browsers will no longer pass through the credentials. If you only require this as a once off another option is to try using an private/incognito window in your browser.
We have checked on making changes to the PBIRS URLs group policies, the URLs do already exist in a trusted zone and unfortunately we can't have them moved to the internet zone instead.
The only option I am looking into now is changing the settings at the IIS level to make sure every user is prompted to enter credentials before viewing any report on PBIRS. (The reason for this decision is that we have multiple associates from different levels sharing the same PC, and we need to prompt everyone)
There seem to be a way through IIS, but I am still struggling finding a direct documentation or steps to accomplish that.
Really appreciate any help!
@Abdelmajid wrote:
The reason for this decision is that we have multiple associates from different levels sharing the same PC, and we need to prompt everyone
I don't think you should be trying to fix this at the PBIRS level. I think you should just get your associates to log out from windows when they finished with the shared PC's. That way when they want to access a report they log in to windows then just access PBIRS and the normal windows auth works. Then when they have finished they log out (they can leave the PC switch on to save the next person from having to boot up).
That way everything they do on that PC is done using their login. So if you have any security or other issues you can directly trace this back to a specific user.
Thanks. Our case is a little different. We have many shared PCs at the stores and they are always ON using a generic kiosk account.
if users try to access the PBIRS url in the current scenario, the accesss uses the generic Kiosk as the login account to authenticate.
Since PBIRS is using the default Windows authentication and picking up the user from the machine, we have to somehow force the PBIRS url to ignore the PC credentials and just force every user to enter credentials when when getting the prompt box.
have done some research and seems doable using IIS, just don't have the proper documented steps for that.
In your case, you may also consider creating a browser shortcut for every user which will be running as "RunAs"
runas /user:abc.xyz "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
Proud to be a Super User!
Yes, kiosk PCs are a slightly different use case. If you want EVERYONE that connects to PBIRS to be prompted then you could switch from using Windows auth to using Basic auth (see https://docs.microsoft.com/en-us/sql/reporting-services/security/configure-basic-authentication-on-t... ) Note: you should make sure you have HTTPS configured when using basic auth as the credentials are sent in clear text as part of the request.
The only issue then is that there is no "logout" button in the report portal, so the only way to "logout" is to close ALL browser windows. Closing just the current tab is not enough.
I have configured our PBIRS server to use WindowsNTLM authentication, and users are sometimes asked for credentials, sometimes not (I haven't noticed a pattern yet). Note: this is direct webpage access, not using PBI DesktopRS. Since PBIRS is supposed to be connection-oriented, rather than session-oriented, shouldn't users be being prompted every time they first access the server for the day? And where are their credentials being cached, so they don't have to enter them for every click they do within PBIRS? If it makes any difference, our "workstation" is usually an RDSH server, but it is possible to go directly from the Win10 workstations as well.
Thank you, Roger
@Abdelmajid Maybe something in the config files? https://docs.microsoft.com/en-us/sql/reporting-services/security/configure-windows-authentication-on...