Using OAuth to connect to Power BI Report Server and SSRS
You can use OAuth to connect to Power BI Report Server and Reporting Services to display mobile reports or KPIs. Learn how to configure your environment to support OAuth authentication with the Power BI mobile app to connect to Power BI Report Server and SQL Server Reporting Services 2016 or later.
Viewing Power BI Reports hosted in Power BI Report Server using WAP to authenticate is now supported for iOS and Android apps.
Windows Server 2016 is required for the Web Application Proxy (WAP) and Active Directory Federation Services (ADFS) servers. You don't need to have a Windows 2016 functional level domain.
In order for users to be able to add a report server connection to their Power BI mobile app, you must grant them access to the report server's home folder.
Domain Name Services (DNS) configuration
The public URL will be that the Power BI mobile app will connect to. For example, it may look similar to the following.
Your DNS record for reports to the public IP address of the Web Application Proxy (WAP) server. You also need to configure a public DNS record for your ADFS server. For example, you may have configured the ADFS server with the following URL.
Your DNS record for fs to the public IP address of the Web Application Proxy (WAP) server as it will be published as part of the WAP application.
You need to configure certificates for both the WAP application and the ADFS server. Both of these certificates must be part of a valid certificate authority that your mobile devices recognize.
Reporting Services configuration
There isn't much to configure on the Reporting Services side. You just need to make sure that:
- There is a valid Service Principal Name (SPN) to enable the proper Kerberos authentication to occur.
- The Reporting Services server is enabled for negotiating authentication.
- Users have access to the report server's home folder.
Service Principal Name (SPN)
The SPN is a unique identifier for a service that uses Kerberos authentication. You need to make sure you have a proper HTTP SPN present for your report server.
For information on how to configure the proper Service Principal Name (SPN) for your report server, see Register a Service Principal Name (SPN) for a Report Server.
Enabling negotiate authentication
To enable a report server to use Kerberos authentication, you need to configure the Authentication Type of the report server to be RSWindowsNegotiate. You do it in the rsreportserver.config file.
<AuthenticationTypes> <RSWindowsNegotiate /> <RSWindowsKerberos /> <RSWindowsNTLM /> </AuthenticationTypes>
For more information, see Modify a Reporting Services Configuration File and Configure Windows Authentication on a Report Server.
Active Directory Federation Services (ADFS) Configuration
You need to configure ADFS on a Windows 2016 server within your environment. The configuration can be done through the Server Manager and selecting Add Roles and Features under Manage. For more information, see Active Directory Federation Services.
Create an application group
Within the AD FS Management screen, you want to create an application group for Reporting Services, which will include information for the Power BI Mobile apps.
You can create the application group with the following steps.
Within the AD FS Management app, right-click Application Groups and select Add Application Group…
Within the Add Application Group Wizard, provide a name for the application group and select Native application accessing a web API.
Provide a name for the application you are adding.
While the Client ID will be auto generated for your, enter in 484d54fc-b481-4eee-9505-0258a1913020 for both iOS and Android.
You want to add the following Redirect URLs:
Entries for Power BI Mobile – iOS:
Android Apps only need the following steps:
Supply the URL for your Report Server. The URL is the external URL that will hit your Web Application Proxy. It should be in the following format.
This URL is case sensitive!
https://< report server url >/
Choose the Access Control Policy that fits your organization's needs.
When completed, you should see the properties of your application group look similar to the following.
Web Application Proxy (WAP) Configuration
You want to enable the Web Application Proxy (Role) Windows role on a server in your environment. It must be on a Windows 2016 server. For more information, see Web Application Proxy in Windows Server 2016 and Publishing Applications using AD FS Preauthentication.
Constrained delegation configuration
In order to transition from OAuth authentication to Windows authentication, we need to use constrained delegation with protocol transitioning. This is part of the Kerberos configuration. We already defined the Reporting Services SPN within the Reporting Services configuration.
We need to configure constrained delegation on the WAP Server machine account within Active Directory. You may need to work with a domain administrator if you don't have rights to Active Directory.
To configure constrained delegation, you want to do the following steps.
On a machine that has the Active Directory tools installed, launch Active Directory Users and Computers.
Find the machine account for your WAP server. By default, it will be in the computers container.
Right-click the WAP server and go to Properties.
Select the Delegation tab.
Select Trust this computer for delegation to specified services only and then Use any authentication protocol.
This sets up constrained delegation for this WAP Server machine account. We then need to specify the services that this machine is allowed to delegate to.
Select Add… under the services box.
Select Users or Computers…
Enter the service account that you are using for Reporting Services. This account is the account you added the SPN to within the Reporting Services configuration.
Select the SPN for Reporting Services and then select OK.
You may only see the NetBIOS SPN. It will actually select both the NetBIOS and FQDN SPNs if they both exist.
The result should look similar to the following when the Expanded checkbox is checked.
Add WAP Application
While you can publish applications within the Report Access Management Console, we will want to create the application via PowerShell. Here is the command to add the application.
Add-WebApplicationProxyApplication -Name "Contoso Reports" -ExternalPreauthentication ADFS -ExternalUrl https://reports.contoso.com/ -ExternalCertificateThumbprint "0ff79c75a725e6f67e3e2db55bdb103efc9acb12" -BackendServerUrl https://ContosoSSRS/ -ADFSRelyingPartyName "Reporting Services - Web API" -BackendServerAuthenticationSPN "http/ContosoSSRS.contoso.com" -UseOAuthAuthentication
|ADFSRelyingPartyName||The Web API name that you created as part of the Application Group within ADFS.|
|ExternalCertificateThumbprint||The certificate to use for the external users. It is important that the certificate is valid on mobile devices and come from a trusted certificate authority.|
|BackendServerUrl||The URL to the Report Server from the WAP server. If the WAP server is in a DMZ, you may need to use a fully qualified domain name. Make sure you can hit this URL from the web browser on the WAP server.|
|BackendServerAuthenticationSPN||The SPN you created as part of the Reporting Services configuration.|
Setting Integrated Authentication for the WAP Application
After you add the WAP Application, you need to set the BackendServerAuthenticationMode to use IntegratedWindowsAuthentication. You need the ID from the WAP Application in order to set it.
Get-WebApplicationProxyApplication "Contoso Reports" | fl
Run the following command to set the BackendServerAuthenticationMode using the ID of the WAP Application.
Set-WebApplicationProxyApplication -id 30198C7F-DDE4-0D82-E654-D369A47B1EE5 -BackendServerAuthenticationMode IntegratedWindowsAuthentication
Connecting with the Power BI Mobile App
Within the Power BI mobile app, you want to connect to your Reporting Services instance. To do that, supply the External URL for your WAP Application.
When you select Connect, you be directed to your ADFS sign-in page. Enter valid credentials for your domain.
After you select Sign in, you see the elements from your Reporting Services server.
You can enable multi-factor authentication to enable additional security for your environment. To learn more, see Configure AD FS 2016 and Azure MFA.
You receive the error "Failed to login to SSRS server"
You can set up Fiddler to act as a proxy for your mobile devices to see how far the request made it. To enable a Fiddler proxy for your phone device, you need to setup the CertMaker for iOS and Android on the machine running Fiddler. The add-on is from Telerik for Fiddler.
If the sign-in works successfully when using Fiddler, you may have a certificate issue with either the WAP application or the ADFS server.
Register a Service Principal Name (SPN) for a Report Server
Modify a Reporting Services Configuration File
Configure Windows Authentication on a Report Server
Active Directory Federation Services
Web Application Proxy in Windows Server 2016
Publishing Applications using AD FS Preauthentication
Configure AD FS 2016 and Azure MFA
More questions? Try the Power BI Community