Using OAuth to connect to Reporting Services

Learn how to configure your environment to support OAuth authentication with the Power BI mobile app in order to connect to Reporting Services 2016 or later.

In the past, the Power BI mobile app only supported basic authentication, over HTTPS, to Reporting Services in order to display Mobile Reports or KPIs. Many organizations do not allow this type of configuration due to security concerns. With an update to the Power BI mobile app, you can now use OAuth to connect to Reporting Services. Windows Server 2016 provides some improvements to the Web Application Proxy role to allow this type of authentication.

Requirements

Windows Server 2016 is required for the Web Application Proxy (WAP) and Active Directory Federation Services (ADFS) servers. You do not need to have a Windows 2016 functional level domain.

Domain Name Services (DNS) configuration

You will need to determine the public URL that the Power BI mobile app will connect to. For example, it may look similar to the following.

https://reports.contoso.com

You will need to point the DNS record for reports to the public IP address of the Web Application Proxy (WAP) server. You will also need to configure a public DNS record for your ADFS server. For example, you may have configured the ADFS server with the following URL.

https://fs.contoso.com

You will need to point the DNS record for fs to the public IP address of the Web Application Proxy (WAP) server as well, because it will be published as part of the WAP application.

Certificates

You will need to configure certificates for both the WAP application and the ADFS server. Both of these certificates must be issued by a valid certificate authority that your mobile devices recognize.

Reporting Services configuration

There isn't much to configure on the Reporting Services side. We just need to make sure that we have a valid Service Principal Name (SPN) so that Kerberos authentication can occur, and that the Reporting Services server is enabled for Negotiate authentication.

Service Principal Name (SPN)

The SPN is a unique identifier for a service that uses Kerberos authentication. You will need to make sure you have a proper HTTP SPN present for your report server.

For information on how to configure the proper Service Principal Name (SPN) for your report server, see Register a Service Principal Name (SPN) for a Report Server.

Enabling Negotiate authentication

To enable a report server to use Kerberos authentication, you will need to configure the Authentication Type of the report server to be RSWindowsNegotiate. This is done within the rsreportserver.config file.

<AuthenticationTypes>
    <RSWindowsNegotiate />
    <RSWindowsKerberos />
    <RSWindowsNTLM />
</AuthenticationTypes>

For more information, see Modify a Reporting Services Configuration File and Configure Windows Authentication on a Report Server.
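Both Reporting Services prerequisites (an HTTP SPN on the service account that runs the report server, and RSWindowsNegotiate in rsreportserver.config) can be verified from PowerShell before any ADFS or WAP work starts. The script below is an added example and is not code from this article or from Microsoft; the service account name svc-ssrs, the host name ContosoSSRS.contoso.com and the config file path are assumptions to replace with your own values. Beyond the two checks the text describes, it also looks for the same SPN registered on a second account anywhere in the domain, a common reason Kerberos tickets for the report server fail even though the SPN appears to be present.

```powershell
# Added example (not from the original article). Assumed values are marked below.
Import-Module ActiveDirectory

$rsServiceAccount = 'svc-ssrs'                  # assumption: sAMAccountName of the RS service account
$reportServerHost = 'ContosoSSRS.contoso.com'   # assumption: FQDN of the report server
$configPath = 'C:\Program Files\Microsoft SQL Server\MSRS13.MSSQLSERVER\Reporting Services\ReportServer\rsreportserver.config'  # assumption: SSRS 2016 default

# --- 1. SPN check ---------------------------------------------------------------
# Kerberos needs the HTTP SPN (FQDN and NetBIOS forms) on the account that runs the
# Report Server service; this is the account the WAP server will later delegate to.
$account  = Get-ADUser -Identity $rsServiceAccount -Properties ServicePrincipalName
$expected = @("HTTP/$reportServerHost", "HTTP/$($reportServerHost.Split('.')[0])")

foreach ($spn in $expected) {
    if ($account.ServicePrincipalName -contains $spn) {
        Write-Output "OK       $spn is registered on $rsServiceAccount"
    } else {
        Write-Output "MISSING  $spn (register with: setspn -S $spn $rsServiceAccount)"
    }
    # If a second object also holds this SPN, the KDC cannot decide which key to use
    # and authentication to the report server fails; report every holder.
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
    if ($holders.Count -gt 1) {
        Write-Output "WARNING  $spn is duplicated on: $($holders.Name -join ', ')"
    }
}

# --- 2. rsreportserver.config check --------------------------------------------
# <Configuration><Authentication><AuthenticationTypes> lists the enabled providers.
[xml]$config = Get-Content -Path $configPath -Raw
$types = @($config.Configuration.Authentication.AuthenticationTypes.ChildNodes |
           Where-Object { $_.NodeType -eq 'Element' } |
           Select-Object -ExpandProperty LocalName)

if ($types -contains 'RSWindowsNegotiate') {
    Write-Output "OK       AuthenticationTypes = $($types -join ', ')"
} else {
    Write-Output "MISSING  RSWindowsNegotiate is not listed; found: $($types -join ', ')"
}
```

Run it on a domain-joined machine with the RSAT ActiveDirectory module, using an account that can read the report server's config file. A MISSING line for the SPN points back to the Register a Service Principal Name (SPN) for a Report Server article; a WARNING line means the duplicate SPN must be removed before Negotiate will produce a Kerberos ticket instead of falling back to NTLM.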

Active Directory Federation Services (ADFS) configuration

You will need to configure ADFS on a Windows 2016 server within your environment. This can be done through Server Manager by selecting Add Roles and Features under Manage. For more information, see Active Directory Federation Services.

Create an application group

Within the AD FS Management screen, you will want to create an application group for Reporting Services which will include information for the Power BI mobile apps.

You can create the application group with the following steps.

  1. Within the AD FS Management app, right-click Application Groups and select Add Application Group…

  2. Within the Add Application Group Wizard, provide a Name for the application group and select Native application accessing a web API.

  3. Select Next.
  4. Provide a Name for the application you are adding.
  5. Although a Client ID is generated automatically for you, enter 484d54fc-b481-4eee-9505-0258a1913020 for both iOS and Android.
  6. You will want to add the following Redirect URLs:

    Entries for Power BI Mobile – iOS:
    msauth://code/mspbi-adal://com.microsoft.powerbimobile
    msauth://code/mspbi-adalms://com.microsoft.powerbimobilems
    mspbi-adal://com.microsoft.powerbimobile
    mspbi-adalms://com.microsoft.powerbimobilems

    Android apps only need the following:
    urn:ietf:wg:oauth:2.0:oob

  7. Select Next.
  8. Supply the URL for your Report Server. This is the external URL that will hit your Web Application Proxy. It should be in the following format.

    Note

    This URL is case sensitive!

    https:///reports

  9. Select Next.
  10. Choose the Access Control Policy that fits your organization's needs.

  11. Select Next.
  12. Select Next.
  13. Select Next.
  14. Select Close.

When completed, the properties of your application group should look similar to the following.

Web Application Proxy (WAP) configuration

You will want to enable the Web Application Proxy Windows role on a server in your environment. This must be a Windows 2016 server. For more information, see Web Application Proxy in Windows Server 2016 and Publishing Applications using AD FS Preauthentication.

Constrained delegation configuration

In order to transition from OAuth authentication to Windows authentication, we need to use constrained delegation with protocol transition. This is part of the Kerberos configuration. We already defined the Reporting Services SPN within the Reporting Services configuration.

We need to configure constrained delegation on the WAP server machine account within Active Directory. You may need to work with a domain administrator if you don't have rights to Active Directory.

To configure constrained delegation, you will want to do the following.

  1. On a machine that has the Active Directory tools installed, launch Active Directory Users and Computers.
  2. Find the machine account for your WAP server. By default, this will be in the Computers container.
  3. Right-click the WAP server and go to Properties.
  4. Select the Delegation tab.
  5. Select Trust this computer for delegation to specified services only and then Use any authentication protocol.

    This sets up constrained delegation for this WAP server machine account. We then need to specify the services that this machine is allowed to delegate to.

  6. Select Add… under the services box.

  7. Select Users or Computers…
  8. Enter the service account that you are using for Reporting Services. This is the account you added the SPN to within the Reporting Services configuration.
  9. Select the SPN for Reporting Services and then select OK.

    Note

    You may only see the NetBIOS SPN. It will actually select both the NetBIOS and FQDN SPNs if they both exist.

  10. The result should look similar to the following when the Expanded checkbox is checked.

  11. Select OK.
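The same delegation settings can be applied, and more importantly verified, with the ActiveDirectory PowerShell module, which is what a domain administrator will usually prefer to a set of GUI clicks on a production account. The script below is an added example, not code from this article or from Microsoft; the computer name CONTOSO-WAP and the service account svc-ssrs are assumptions. It writes the msDS-AllowedToDelegateTo attribute (the "specified services only" list from step 5) and the TrustedToAuthForDelegation flag (the "Use any authentication protocol" choice), and it also confirms that the older TrustedForDelegation flag is not set, since that flag would turn the WAP server into an unconstrained delegate able to impersonate users to any service.

```powershell
# Added example (not from the original article). Assumed values are marked below.
Import-Module ActiveDirectory

$wapComputer      = 'CONTOSO-WAP'   # assumption: computer account name of the WAP server
$rsServiceAccount = 'svc-ssrs'      # assumption: account that holds the Reporting Services HTTP SPNs

# Target services are the HTTP SPNs on the Reporting Services account (FQDN and NetBIOS forms),
# mirroring what the Users or Computers... dialog selects in step 9.
$rsAccount = Get-ADUser -Identity $rsServiceAccount -Properties ServicePrincipalName
$targets   = @($rsAccount.ServicePrincipalName | Where-Object { $_ -like 'HTTP/*' })
if ($targets.Count -eq 0) { throw "No HTTP SPN on $rsServiceAccount; register the SPN first." }

$wap = Get-ADComputer -Identity $wapComputer -Properties 'msDS-AllowedToDelegateTo', userAccountControl

# "Trust this computer for delegation to specified services only": add only the SPNs
# that are not already listed so the script can be re-run without errors.
$current = @($wap.'msDS-AllowedToDelegateTo')
$missing = @($targets | Where-Object { $current -notcontains $_ })
if ($missing.Count -gt 0) {
    Set-ADComputer -Identity $wapComputer -Add @{ 'msDS-AllowedToDelegateTo' = $missing }
}

# "Use any authentication protocol" sets TRUSTED_TO_AUTH_FOR_DELEGATION (protocol transition).
# WAP needs it because the user arrives with an OAuth token from ADFS, not a Kerberos ticket.
$wap | Set-ADAccountControl -TrustedToAuthForDelegation $true

# Verify by reading the userAccountControl bits directly.
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation: must NOT be set
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition: must be set
$wap = Get-ADComputer -Identity $wapComputer -Properties 'msDS-AllowedToDelegateTo', userAccountControl
$uac = [int]$wap.userAccountControl

[pscustomobject]@{
    Computer              = $wap.Name
    AllowedToDelegateTo   = @($wap.'msDS-AllowedToDelegateTo') -join '; '
    ProtocolTransition    = ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0   # expect True
    UnconstrainedDelegate = ($uac -band $TRUSTED_FOR_DELEGATION) -ne 0           # expect False
}
```

The final object is what to keep in the change record: AllowedToDelegateTo should list only the Reporting Services HTTP SPNs, ProtocolTransition should be True, and UnconstrainedDelegate should be False. If UnconstrainedDelegate is True, someone selected "Trust this computer for delegation to any service" at some point; clear it with Set-ADAccountControl -TrustedForDelegation $false, because the OAuth-to-Kerberos hand-off only requires the constrained form.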

Add the WAP application

While you can publish applications within the Remote Access Management Console, we will want to create the application via PowerShell. Here is the command to add the application.

Add-WebApplicationProxyApplication -Name "Contoso Reports" -ExternalPreauthentication ADFS -ExternalUrl https://reports.contoso.com/reports/ -ExternalCertificateThumbprint "0ff79c75a725e6f67e3e2db55bdb103efc9acb12" -BackendServerUrl http://ContosoSSRS/reports/ -ADFSRelyingPartyName "Reporting Services - Web API" -BackendServerAuthenticationSPN "http/ContosoSSRS.contoso.com" -UseOAuthAuthentication
Parameter: Comments

ADFSRelyingPartyName: This is the Web API name that you created as part of the application group within ADFS.
ExternalCertificateThumbprint: This is the certificate to use for external users. It is important that this certificate be valid on mobile devices and come from a trusted certificate authority.
BackendServerUrl: This is the URL to the report server from the WAP server. If the WAP server is in a DMZ, you may need to use a fully qualified domain name. Make sure you can hit this URL from a web browser on the WAP server.
BackendServerAuthenticationSPN: This is the SPN you created as part of the Reporting Services configuration.

Setting integrated authentication for the WAP application

After you add the WAP application, you will need to set the BackendServerAuthenticationMode to IntegratedWindowsAuthentication. In order to set this, you need the ID of the WAP application.

Get-WebApplicationProxyApplication "Contoso Reports" | fl

Run the following command to set the BackendServerAuthenticationMode using the ID of the WAP application.

Set-WebApplicationProxyApplication -id 30198C7F-DDE4-0D82-E654-D369A47B1EE5 -BackendServerAuthenticationMode IntegratedWindowsAuthentication
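The three WAP steps (certificate selection, Add-WebApplicationProxyApplication, and the BackendServerAuthenticationMode change) fit naturally into one script that can be re-run safely. The script below is an added example, not code from this article or from Microsoft, and it reuses the article's Contoso names (Contoso Reports, reports.contoso.com, ContosoSSRS, the Web API name Reporting Services - Web API) as assumptions. Instead of pasting a thumbprint it selects the external certificate from the machine store by host name and checks that the certificate is unexpired and actually names the external host, which is the certificate problem the Troubleshooting section points at; it then publishes the application with the parameters listed above and sets the back-end authentication mode from the ID that Get-WebApplicationProxyApplication returns rather than a hand-copied GUID.

```powershell
# Added example (not from the original article). Names are assumptions taken from
# the article's Contoso scenario; replace them with your own.
$appName      = 'Contoso Reports'
$externalUrl  = 'https://reports.contoso.com/reports/'
$backendUrl   = 'http://ContosoSSRS/reports/'
$backendSpn   = 'http/ContosoSSRS.contoso.com'
$relyingParty = 'Reporting Services - Web API'   # Web API name from the ADFS application group
$externalHost = ([uri]$externalUrl).Host

# 1. Pick the external certificate from the local machine store by host name and
#    sanity-check it: it must carry a private key, be valid now, and list the external
#    host name, otherwise iOS/Android reject the TLS handshake before OAuth even starts.
#    (A wildcard certificate needs a different match on DnsNameList.)
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and ($_.DnsNameList.Unicode -contains $externalHost) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for $externalHost in LocalMachine\My." }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)." }

# 2. Publish the application only if it does not exist yet (no duplicate on re-run).
$app = Get-WebApplicationProxyApplication -Name $appName -ErrorAction SilentlyContinue
if (-not $app) {
    Add-WebApplicationProxyApplication -Name $appName `
        -ExternalPreauthentication ADFS `
        -ExternalUrl $externalUrl `
        -ExternalCertificateThumbprint $cert.Thumbprint `
        -BackendServerUrl $backendUrl `
        -ADFSRelyingPartyName $relyingParty `
        -BackendServerAuthenticationSPN $backendSpn `
        -UseOAuthAuthentication
    $app = Get-WebApplicationProxyApplication -Name $appName
}

# 3. Switch the back end to Integrated Windows Authentication using the application's ID.
Set-WebApplicationProxyApplication -ID $app.ID -BackendServerAuthenticationMode IntegratedWindowsAuthentication

# 4. Show the settings that matter for the OAuth to Kerberos hand-off.
Get-WebApplicationProxyApplication -Name $appName |
    Select-Object Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication,
                  BackendServerAuthenticationMode, BackendServerAuthenticationSPN,
                  ExternalCertificateThumbprint
```

Run it in an elevated PowerShell session on the WAP server after the role has been installed and joined to the ADFS farm. The final Select-Object output should show ExternalPreauthentication as ADFS, BackendServerAuthenticationMode as IntegratedWindowsAuthentication, and the SPN matching the one on the Reporting Services service account.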

Connecting with the Power BI mobile app

Within the Power BI mobile app, you will want to connect to your Reporting Services instance. To do that, supply the External URL of your WAP application.

When you select Connect, you will be directed to your ADFS login page. Enter valid credentials for your domain.

After you select Sign in, you will see the elements from your Reporting Services server.

Multi-factor authentication

You can enable multi-factor authentication to add a further layer of security to your environment. To learn more, see Configure AD FS 2016 and Azure MFA.

Troubleshooting

You receive the error "Failed to login to SSRS server. Please verify server configuration."

You can set up Fiddler to act as a proxy for your mobile devices to see how far the request gets. To enable a Fiddler proxy for your phone, you will need to set up CertMaker for iOS and Android on the machine running Fiddler. This is an add-on from Telerik for Fiddler.

If the sign-in succeeds while using Fiddler, you may have a certificate issue with either the WAP application or the ADFS server. You can use a tool such as Microsoft Message Analyzer to verify whether the certificates are valid.

Next steps

Register a Service Principal Name (SPN) for a Report Server
Modify a Reporting Services Configuration File
Configure Windows Authentication on a Report Server
Active Directory Federation Services
Web Application Proxy in Windows Server 2016
Publishing Applications using AD FS Preauthentication
Configure AD FS 2016 and Azure MFA
More questions? Try the Power BI Community.