March 31 - April 2, 2025, in Las Vegas, Nevada. Use code MSCUST for a $150 discount! Early bird discount ends December 31.
Register NowBe one of the first to start using Fabric Databases. View on-demand sessions with database experts and the Microsoft product team to learn just how easy it is to get started. Watch now
I'm trying to set up a new On-Premise Gateway as part of a server migration to a new data center. I got the test server up and running with no issues but firewall security is much tighter on the production server and I can't get past the Registration step.
I've been reading about this for days now...and running WireShark to capture packets. Apparently the Registration wants to communicate directly with an Azuer login via Port 80...which is totally bypassing the corporate proxy. So then I changed the On-Premise Service to use a domain service account vs the default and gave that login admin privleges on the server and set the user to use the proxy via IE - Lan Settings. I'm no longer seeing any direct communication so I'm guessing it's using the proxy now but I'm still getting the above message.
I'm using the latest version (3000.96.1). We have a premium license. I'm using the same email account as two other working Gateway's. I'm the admin. OS is Server 2019. Both Test and Prod use the same proxy. Has anyone dealt with a similar issue? Suggestions?
I found the folling in the logs if this helps:
EnterpriseGatewayConfigurator.exe Information: 0 : (False) MSAL 4.27.0.0 MSAL.Desktop Microsoft Windows NT 6.2.9200.0 [09/30/2021 22:14:25 - ]
EnterpriseGatewayConfigurator.exe Error: 0 : (False) MSAL 4.27.0.0 MSAL.Desktop Microsoft Windows NT 6.2.9200.0 [09/30/2021 22:14:25 - ] Exception type: Microsoft.Identity.Client.MsalClientException
, ErrorCode: authentication_ui_failed
at Microsoft.Identity.Client.Platforms.net45.WindowsFormsWebAuthenticationDialog.ShowBrowser()
at Microsoft.Identity.Client.Platforms.net45.WindowsFormsWebAuthenticationDialog.OnAuthenticate()
at Microsoft.Identity.Client.Platforms.net45.WindowsFormsWebAuthenticationDialogBase.AuthenticateAAD(Uri requestUri, Uri callbackUri)
at Microsoft.Identity.Client.Platforms.net45.InteractiveWebUI.OnAuthenticate()
at Microsoft.Identity.Client.Platforms.net45.WebUI.<>c__DisplayClass20_0.<AcquireAuthorizationAsync>b__0()
at System.Threading.Tasks.Task.Execute()
EnterpriseGatewayConfigurator.exe Error: 0 : (False) MSAL 4.27.0.0 MSAL.Desktop Microsoft Windows NT 6.2.9200.0 [09/30/2021 22:14:25 - ] Exception type: Microsoft.Identity.Client.MsalClientException
, ErrorCode: authentication_ui_failed
at Microsoft.Identity.Client.Platforms.net45.WebUI.<AcquireAuthorizationAsync>d__20.MoveNext()
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Identity.Client.Internal.Requests.RequestBase.<RunAsync>d__13.MoveNext()
EnterpriseGatewayConfigurator.exe Error: 0 : Error authenticating user: The browser based authentication dialog failed to complete for an unknown reason. StatusCode: 200.
EnterpriseGatewayConfigurator.exe Error: 0 : Exception details: MSAL.Desktop.4.27.0.0.MsalClientException:
ErrorCode: authentication_ui_failed
Microsoft.Identity.Client.MsalClientException: The browser based authentication dialog failed to complete for an unknown reason. StatusCode: 200
at Microsoft.Identity.Client.Platforms.net45.WebUI.<AcquireAuthorizationAsync>d__20.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
Solved! Go to Solution.
lbendlin Thank you for your responses! Your steps are rock solid and will be very helpfull to people reading this. But if it still doesn't work??? Our security team had disabled PKCS on the server. Once we enabled that again...worked perfectly.
If your environment requires proxies then you need to modify three files in your gateway installation
C:\Program Files\On-premises data gateway\enterprisegatewayconfigurator.exe.config
C:\Program Files\On-premises data gateway\Microsoft.PowerBI.EnterpriseGateway.exe.config
<system.net>
<defaultProxy useDefaultCredentials="true">
<proxy proxyaddress="http://yourproxy:yourport" bypassonlocal="true" />
</defaultProxy>
</system.net>
If your gateway serves mixed datasets that include an online sharepoint data source you also need to modify the contents of
C:\Program Files\On-premises data gateway\m\Microsoft.Mashup.Container.NetFX45.exe.config
to include the same setting inside the <configuration> tag.
There is documentation here Configure proxy settings for the on-premises data gateway | Microsoft Docs but it is outdated, inaccurate, and pretty much useless.
I shared my "Lessons learned from managing enterprise gateway cluster" here a while back. It's not pretty.
Thanks for the response!
I did see several documents talking about using proxy's including the one you linked. I've set my config files as follows and still no luck. I've also uninstalled and started over.
One document that I found interesting was this one...
https://blog.azureinfra.com/2017/03/06/powerbi-gateway-and-proxies/
I partially installed the gateway on my laptop (wich does not use a proxy) this morning and ran wireshark. All OB traffic was on port 443. But the default install on the server with a proxy tried to use port 80. Then when I switched to a domain svc account the port 80 traffic dissapeared but still can't get to the next step.
I'm sure something is blocked on the server but I can't figure out what I'm missing so can't request for it to be opened. I know OB 443 is open.
We have dozens of gateway clusters running with the setting I shared. I would call it "battle hardened" as it took us a long time and quite a few Pro tickets to get there.
Deinstall the gateway, reinstall it using the default settings. Then apply the proxy settings. Then restart the service. Then login to register the gateway. I guarantee that will work*.
*) on a Windows Server 2019 VM, assuming you have also added all the Trusted Sites. On a Windows Server 2012 VM there are about 15 other steps that you need to take to make it work.
lbendlin Thank you for your responses! Your steps are rock solid and will be very helpfull to people reading this. But if it still doesn't work??? Our security team had disabled PKCS on the server. Once we enabled that again...worked perfectly.
What reason did your security team give for disabling PKCS? Do they consider it a weak cipher?
They didn't give one. I work for a very large corp and I don't actually know any of them. We got one on the phone to help troubleshoot and after a bit he asked his team if they had any ideas. An hour later he said he turned PKCS on and rebooted. Once it came back up...I was able to register the Gateway. That's all the info I was given.
They have everything locked down by default and we have to request exceptions from the Risk team. One of the symptoms was we were unable to browse the web on IE but could on Chrome.
Since both Test and Production servers (both 2019 VM's) use the exact same proxy and the fact that Test is working perfectly. I'm going to "assume" the Trusted Sites have been added to the Proxy. I have not searched for that list nor do I have access to any of the proxy settings. I'd have to put in a ticket to get someone from the proxy team to talk to me.
But I doubt I'll get any traction today so I'll definately try another uninstall and reinstall.
Here's the list: (plus a couple others that I can't list here, and that may not be required in your company)
March 31 - April 2, 2025, in Las Vegas, Nevada. Use code MSCUST for a $150 discount!
Your insights matter. That’s why we created a quick survey to learn about your experience finding answers to technical questions.
Arun Ulag shares exciting details about the Microsoft Fabric Conference 2025, which will be held in Las Vegas, NV.
User | Count |
---|---|
32 | |
24 | |
12 | |
11 | |
9 |
User | Count |
---|---|
47 | |
46 | |
23 | |
12 | |
9 |