Configure Kerberos to use Power BI reports

Learn how to configure your report server for Kerberos authentication to data sources used within your Power BI reports for a distributed environment.

Power BI Report Server includes the ability to host Power BI reports. Many data sources are supported by your report server. While this article focuses specifically on SQL Server Analysis Services, you can apply the same concepts to other data sources such as SQL Server.

You can install Power BI Report Server, SQL Server and Analysis Services on a single machine and everything should work without additional configuration. This is great for a test environment. You may hit errors if these services are installed on separate machines, which is called a distributed environment. In this environment, you are required to use Kerberos authentication, and that requires additional configuration.

Specifically, you will need to configure constrained delegation. You may have Kerberos configured in your environment, but it may not be configured for constrained delegation.

Error running report

If your report server is not configured properly, you may receive the following error.

Something went wrong.

We couldn’t run the report because we couldn’t connect to its data source. The report or data source might not be configured correctly. 

Within Technical details, you will see the following message.

We couldn’t connect to the Analysis Services server. The server forcibly closed the connection. To connect as the user viewing the report, your organization must have configured Kerberos constrained delegation.

Configuring Kerberos constrained delegation

Several items need to be configured for Kerberos constrained delegation to work. These include Service Principal Names (SPNs) and delegation settings on service accounts.

Note

In order to configure SPNs and delegation settings, you need to be a domain administrator.

We will need to configure, or validate, the following.

  1. Authentication type within Report Server config.
  2. SPNs for the report server service account.
  3. SPNs for the Analysis Services service.
  4. SPNs for the SQL Browser service on the Analysis Services machine. This is for named instances only.
  5. Delegation settings on the report server service account.

Authentication type within Report Server configuration

We need to configure the authentication type for the report server to allow for Kerberos constrained delegation. This is done within the rsreportserver.config file. The default location for this file is C:\Program Files\Microsoft Power BI Report Server\PBIRS\ReportServer.

Within the rsreportserver.config file, you will want to find the Authentication/AuthenticationTypes section.

We want to make sure that RSWindowsNegotiate is listed and is the first in the list of authentication types. It should look similar to the following.

<AuthenticationTypes>
    <RSWindowsNegotiate/>
    <RSWindowsNTLM/>
</AuthenticationTypes>

If you had to change the configuration file, stop and start the report server to make sure the changes take effect.

For more information, see Configure Windows Authentication on the Report Server.
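One way to check this setting, as an added example that is not part of the original article: the function parses the configuration text and reports whether RSWindowsNegotiate is present and listed first. The function name is hypothetical and the two XML samples are constructed.

```powershell
# Added example, not from the original article. Test-RsAuthTypes is a
# hypothetical helper; the XML samples below are constructed.
function Test-RsAuthTypes {
    param([Parameter(Mandatory)][string]$ConfigXml)

    $doc  = [xml]$ConfigXml
    $node = $doc.SelectSingleNode('//Authentication/AuthenticationTypes')
    if ($null -eq $node) {
        return [pscustomobject]@{ Ok = $false; Types = @(); Reason = 'AuthenticationTypes section not found' }
    }
    # Element children only, in document order (skips XML comments).
    $types = @($node.ChildNodes |
        Where-Object { $_.NodeType -eq 'Element' } |
        ForEach-Object { $_.LocalName })

    $reason = ''
    if ($types -notcontains 'RSWindowsNegotiate') {
        $reason = 'RSWindowsNegotiate is not listed'
    } elseif ($types[0] -ne 'RSWindowsNegotiate') {
        $reason = 'RSWindowsNegotiate is listed but is not first'
    }
    [pscustomobject]@{ Ok = ($reason -eq ''); Types = $types; Reason = $reason }
}

# Constructed sample: NTLM listed ahead of Negotiate (reported as not OK).
$ntlmFirst = @'
<Configuration><Authentication><AuthenticationTypes>
    <RSWindowsNTLM/>
    <RSWindowsNegotiate/>
</AuthenticationTypes></Authentication></Configuration>
'@
# Constructed sample: the order the article asks for (reported as OK).
$negotiateFirst = @'
<Configuration><Authentication><AuthenticationTypes>
    <RSWindowsNegotiate/>
    <RSWindowsNTLM/>
</AuthenticationTypes></Authentication></Configuration>
'@
Test-RsAuthTypes -ConfigXml $ntlmFirst
Test-RsAuthTypes -ConfigXml $negotiateFirst

# Against the live file (default location given in the article):
# $path = 'C:\Program Files\Microsoft Power BI Report Server\PBIRS\ReportServer\rsreportserver.config'
# Test-RsAuthTypes -ConfigXml (Get-Content -Raw -LiteralPath $path)
```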

SPNs for the report server service account

Next, we need to make sure that the report server has valid SPNs available. This is based on the service account that is configured for the report server.

Virtual Service Account or Network Service

If your report server is configured for the Virtual Service Account or Network Service account, you should not have to do anything. These accounts run in the context of the machine account. The machine account will have HOST SPNs by default. These will cover the HTTP service and will be used by the report server.

If you are using a virtual server name, one that is not the same as the machine account, the HOST entries will not cover you and you will need to manually add the SPNs for the virtual server host name.

Domain user account

If your report server is configured to use a domain user account, you will have to manually create HTTP SPNs on that account. This can be done using the setspn tool that comes with Windows.

Note

You will need domain admin rights in order to create the SPN.

It is recommended to create two SPNs: one with the NetBIOS name and the other with the fully qualified domain name (FQDN). The SPN will be in the following format.

<Service>/<Host>:<port>

Power BI Report Server uses a Service of HTTP. For HTTP SPNs you do not list a port. The host of the SPN is the name you use in a URL. Typically, this is the machine name. If you are behind a load balancer, this may be a virtual name.

Note

You can verify the URL by either looking at what you enter into the address bar of the browser, or you can look in the Report Server Configuration Manager on the Web Portal URL tab.

If your machine name is ContosoRS, your SPNs would be the following.

| SPN Type | SPN |
| --- | --- |
| Fully Qualified Domain Name (FQDN) | HTTP/ContosoRS.contoso.com |
| NetBIOS | HTTP/ContosoRS |

Location of SPN

So, where do you put the SPN? The SPN is placed on whatever you are using for your service account. If you are using Virtual Service Account or Network Service, this will be the machine account, although, as mentioned before, you should only need to do this for a virtual URL. If you are using a domain user for the report server service account, then you will place the SPN on that domain user account.

For example, if we are using the Network Service account and our machine name is ContosoRS, we would place the SPN on ContosoRS.

If we are using a domain user account of RSService, we would place the SPN on RSService.

Using SetSPN to add the SPN

We can use the SetSPN tool to add the SPN. We will follow the same example as above with the machine account and the domain user account.

Placing the SPN on a machine account, for both the FQDN and NetBIOS SPN, would look similar to the following if we were using a virtual URL of contosoreports.

  Setspn -a HTTP/contosoreports.contoso.com ContosoRS
  Setspn -a HTTP/contosoreports ContosoRS

Placing the SPN on a domain user account, for both the FQDN and NetBIOS SPN, would look similar to the following if you were using the machine name for the host of the SPN.

  Setspn -a HTTP/ContosoRS.contoso.com RSService
  Setspn -a HTTP/ContosoRS RSService

SPNs for the Analysis Services service

The SPNs for Analysis Services are similar to what we did with Power BI Report Server. The format of the SPN is a little different if you have a named instance.

For Analysis Services, we use a Service of MSOLAPSvc.3. For a named instance, the instance name goes in the port position of the SPN. The host part of the SPN will either be the machine name, or the Cluster virtual name.

An example of an Analysis Services SPN would look like the following.

| Type | Format |
| --- | --- |
| Default instance | MSOLAPSvc.3/ContosoAS.contoso.com |
| Default instance | MSOLAPSvc.3/ContosoAS |
| Named instance | MSOLAPSvc.3/ContosoAS.contoso.com:INSTANCENAME |
| Named instance | MSOLAPSvc.3/ContosoAS:INSTANCENAME |

Placement of the SPN is also similar to what was mentioned with Power BI Report Server. It is based on the service account. If you are using Local System or Network Service, you will be in the context of the machine account. If you are using a domain user account for the Analysis Services instance, you will place the SPN on the domain user account.

Using SetSPN to add the SPN

We can use the SetSPN tool to add the SPN. For this example, the machine name will be ContosoAS.

Placing the SPN on a machine account, for both the FQDN and NetBIOS SPN, would look similar to the following.

Setspn -a MSOLAPSvc.3/ContosoAS.contoso.com ContosoAS
Setspn -a MSOLAPSvc.3/ContosoAS ContosoAS

Placing the SPN on a domain user account, for both the FQDN and NetBIOS SPN, would look similar to the following.

Setspn -a MSOLAPSvc.3/ContosoAS.contoso.com OLAPService
Setspn -a MSOLAPSvc.3/ContosoAS OLAPService

SPNs for the SQL Browser service

If you have an Analysis Services named instance, you also need to make sure you have an SPN for the browser service. This is unique to Analysis Services.

The SPNs for SQL Browser are similar to what we did with Power BI Report Server.

For SQL Browser, we use a Service of MSOLAPDisco.3. The host part of the SPN will either be the machine name, or the Cluster virtual name. You do not have to specify anything for the instance name or port.

An example of a SQL Browser SPN would look like the following.

MSOLAPDisco.3/ContosoAS.contoso.com
MSOLAPDisco.3/ContosoAS

Placement of the SPN is also similar to what was mentioned with Power BI Report Server. The difference here is that SQL Browser always runs under the Local System account. This means that the SPNs will always go on the machine account.

Using SetSPN to add the SPN

We can use the SetSPN tool to add the SPN. For this example, the machine name will be ContosoAS.

Placing the SPN on the machine account, for both the FQDN and NetBIOS SPN, would look similar to the following.

Setspn -a MSOLAPDisco.3/ContosoAS.contoso.com ContosoAS
Setspn -a MSOLAPDisco.3/ContosoAS ContosoAS

For more information, see An SPN for the SQL Server Browser service is required.
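The three SPN sections above can be checked together. The following added example (not from the original article) builds the SPNs the article calls for and compares them with what is registered per account, flagging missing, misplaced and duplicated entries. Function names are hypothetical and the registered data is constructed, using the article's Contoso names.

```powershell
# Added example, not from the original article. Function names are
# hypothetical; $registered is constructed sample data in the shape of
# "setspn -L <account>" output (account -> SPNs on that account).
function Get-ExpectedSpn {
    param([string]$RsHost, [string]$RsAccount, [string]$AsHost,
          [string]$AsAccount, [string]$Domain, [string]$Instance)

    $suffix = if ($Instance) { ":$Instance" } else { '' }
    foreach ($h in $RsHost, "$RsHost.$Domain") {
        [pscustomobject]@{ Spn = "HTTP/$h"; Account = $RsAccount }
    }
    foreach ($h in $AsHost, "$AsHost.$Domain") {
        [pscustomobject]@{ Spn = "MSOLAPSvc.3/$h$suffix"; Account = $AsAccount }
        if ($Instance) {
            # SQL Browser runs as Local System, so its SPN goes on the machine account.
            [pscustomobject]@{ Spn = "MSOLAPDisco.3/$h"; Account = $AsHost }
        }
    }
}

function Compare-Spn {
    param([object[]]$Expected, [hashtable]$Registered)

    foreach ($e in $Expected) {
        # -contains is case-insensitive, matching how SPNs are compared.
        $owners = @($Registered.Keys | Where-Object { $Registered[$_] -contains $e.Spn })
        $status = 'OK'
        if ($owners.Count -eq 0) { $status = 'Missing' }
        if ($owners.Count -gt 1) { $status = 'Duplicate' }
        if ($owners.Count -eq 1 -and $owners[0] -ne $e.Account) { $status = 'WrongAccount' }
        [pscustomobject]@{ Spn = $e.Spn; Expected = $e.Account
                           Found = $owners -join ', '; Status = $status }
    }
}

$params = @{ RsHost = 'ContosoRS'; RsAccount = 'RSService'; AsHost = 'ContosoAS'
             AsAccount = 'OLAPService'; Domain = 'contoso.com'; Instance = 'INSTANCENAME' }
$expected = Get-ExpectedSpn @params

# Constructed: the NetBIOS Analysis Services SPN is missing and the FQDN one
# is registered on two accounts.
$registered = @{
    RSService   = @('HTTP/ContosoRS', 'HTTP/ContosoRS.contoso.com')
    OLAPService = @('MSOLAPSvc.3/ContosoAS.contoso.com:INSTANCENAME')
    ContosoAS   = @('MSOLAPDisco.3/ContosoAS', 'MSOLAPDisco.3/ContosoAS.contoso.com',
                    'MSOLAPSvc.3/ContosoAS.contoso.com:INSTANCENAME')
}
Compare-Spn -Expected $expected -Registered $registered | Format-Table -AutoSize
```

To collect the real data, `setspn -L <account>` lists the SPNs registered on an account and `setspn -X` searches for duplicate SPNs.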

Delegation settings on the report server service account

The last part that we have to configure is the delegation settings on the report server service account. There are different tools you can use to perform these steps. For the purposes of this document, we will stick with Active Directory Users and Computers.

Start by going to the properties of the report server service account within Active Directory Users and Computers. This will either be the machine account, if you used Virtual Service Account or Network Service, or it will be a domain user account.

We will want to configure constrained delegation with protocol transition. With constrained delegation, you need to be explicit about which services you want to delegate to. We will add both the Analysis Services service SPN and the SQL Browser SPN to the list that Power BI Report Server can delegate to.

  1. Right click on the report server service account and select Properties.
  2. Select the Delegation tab.
  3. Select Trust this computer for delegation to specified services only.
  4. Select Use any authentication protocol.
  5. Under the Services to which this account can present delegated credentials: select Add.
  6. In the new dialog, select Users or Computers.
  7. Enter the service account for the Analysis Services service and select OK.
  8. Select the SPN that you created. It will begin with MSOLAPSvc.3. If you added both the FQDN and the NetBIOS SPN, it will select both. You may only see one.
  9. Select OK. You should see the SPN in the list now.
  10. Optionally, you can select Expanded to show both the FQDN and NetBIOS SPN in the list.
  11. Select Add again. We will add the SQL Browser SPN now.
  12. In the new dialog, select Users or Computers.
  13. Enter the machine name for the machine the SQL Browser service is on and select OK.
  14. Select the SPN that you created. It will begin with MSOLAPDisco.3. If you added both the FQDN and the NetBIOS SPN, it will select both. You may only see one.
  15. Select OK. The dialog should look similar to the following if you checked Expanded.

  16. Select OK.
  17. Reboot the Power BI Report Server.
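To confirm the result of these steps, the following added example (not from the original article) audits an account's delegation settings from its userAccountControl value and msDS-AllowedToDelegateTo list. The function name is hypothetical and the sample account values are constructed.

```powershell
# Added example, not from the original article. Test-RsDelegation is a
# hypothetical helper; the sample account values below are constructed.
$TrustedForDelegation       = 0x80000    # userAccountControl: unconstrained delegation
$TrustedToAuthForDelegation = 0x1000000  # userAccountControl: "Use any authentication protocol"

function Test-RsDelegation {
    param([int]$UserAccountControl, [string[]]$AllowedToDelegateTo, [switch]$NamedInstance)

    $findings = @()
    if ($UserAccountControl -band $TrustedForDelegation) {
        $findings += 'Unconstrained delegation is enabled instead of specified services only'
    }
    if (-not ($UserAccountControl -band $TrustedToAuthForDelegation)) {
        $findings += '"Use any authentication protocol" is not selected'
    }
    # The SQL Browser SPN is only required for named instances.
    $required = @('MSOLAPSvc.3')
    if ($NamedInstance) { $required += 'MSOLAPDisco.3' }
    foreach ($class in $required) {
        if (-not ($AllowedToDelegateTo -like "$class/*")) {
            $findings += "No $class SPN in the delegation list"
        }
    }
    foreach ($spn in $AllowedToDelegateTo) {
        if ($spn -notmatch '^MSOLAP(Svc|Disco)\.3/') {
            $findings += "Delegation target not covered by this article: $spn"
        }
    }
    $findings
}

# Constructed sample 1: configured as the steps above describe (no findings).
$ok = @(Test-RsDelegation -UserAccountControl 0x1000200 -NamedInstance -AllowedToDelegateTo @(
    'MSOLAPSvc.3/ContosoAS.contoso.com:INSTANCENAME', 'MSOLAPSvc.3/ContosoAS:INSTANCENAME',
    'MSOLAPDisco.3/ContosoAS.contoso.com', 'MSOLAPDisco.3/ContosoAS'))
"Sample 1 findings: $($ok.Count)"

# Constructed sample 2: Kerberos only, Browser SPN missing, one unrelated target.
Test-RsDelegation -UserAccountControl 0x200 -NamedInstance -AllowedToDelegateTo @(
    'MSOLAPSvc.3/ContosoAS.contoso.com:INSTANCENAME', 'MSSQLSvc/ContosoSQL.contoso.com:1433')

# Live data needs the ActiveDirectory module; use 'ContosoRS$' for a machine account:
# $a = Get-ADObject -LDAPFilter '(sAMAccountName=RSService)' -Properties userAccountControl, 'msDS-AllowedToDelegateTo'
# Test-RsDelegation -UserAccountControl $a.userAccountControl -AllowedToDelegateTo $a.'msDS-AllowedToDelegateTo'
```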

Running a Power BI Report

After all of the above configuration is in place, your report should display properly.

While this configuration should work in most cases, Kerberos may require different configuration depending on your environment. If the report still does not load, reach out to your domain administrator to investigate further, or contact support.

Next steps

Administrator handbook
Quickstart: Install Power BI Report Server
