Using OAuth to connect to Reporting Services

Learn how to configure your environment to support OAuth authentication with the Power BI mobile app in order to connect to Reporting Services 2016 or later.

In the past, the Power BI mobile app only supported basic authentication, over HTTPS, to Reporting Services in order to display Mobile Reports or KPIs. Many organizations do not allow this type of configuration due to security concerns. With an update to the Power BI mobile app, you can now use OAuth to connect to Reporting Services. Windows Server 2016 provides improvements to the Web Application Proxy role that allow this type of authentication.

Requirements

Windows Server 2016 is required for the Web Application Proxy (WAP) and Active Directory Federation Services (ADFS) servers. You do not need a Windows 2016 domain functional level.

Domain Name Services (DNS) configuration

You will need to determine the public URL that the Power BI mobile app will connect to. For example, it may look similar to the following.

https://reports.contoso.com

Point your DNS record for reports to the public IP address of the Web Application Proxy (WAP) server. You will also need to configure a public DNS record for your ADFS server. For example, you may have configured the ADFS server with the following URL.

https://fs.contoso.com

Point your DNS record for fs to the public IP address of the WAP server as well, because the ADFS endpoint will be published as part of the WAP application.

Certificates

You will need to configure certificates for both the WAP application and the ADFS server. Both certificates must be issued by a valid certificate authority that your mobile devices recognize.

Reporting Services configuration

There isn't much to configure on the Reporting Services side. We just need to make sure that a valid Service Principal Name (SPN) is in place so that Kerberos authentication can occur, and that the Reporting Services server is enabled for negotiate authentication.

Service Principal Name (SPN)

The SPN is a unique identifier for a service that uses Kerberos authentication. You will need to make sure you have a proper HTTP SPN present for your report server.

For information on how to configure the proper Service Principal Name (SPN) for your report server, see Register a Service Principal Name (SPN) for a Report Server.

Enabling negotiate authentication

To enable a report server to use Kerberos authentication, you will need to configure the Authentication Type of the report server to be RSWindowsNegotiate. This is done within the rsreportserver.config file.

<AuthenticationTypes>
    <RSWindowsNegotiate />
    <RSWindowsKerberos />
    <RSWindowsNTLM />
</AuthenticationTypes>

For more information, see Modify a Reporting Services Configuration File and Configure Windows Authentication on a Report Server.
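The following PowerShell script is an added example, not part of the original article, that checks the two Reporting Services prerequisites just described: that the HTTP SPNs are registered on the service account (and not duplicated elsewhere in the forest, which silently breaks Kerberos) and that rsreportserver.config lists RSWindowsNegotiate. The service account name, host names and config path are assumptions; replace them with your own.

```powershell
# Added example (not from the original article). Assumed values:
#   CONTOSO\svc-ssrs            - the Reporting Services service account
#   ContosoSSRS.contoso.com     - the report server host
#   $ConfigPath                 - the rsreportserver.config location for your instance
$ServiceAccount = 'CONTOSO\svc-ssrs'
$ExpectedSpns   = @('http/ContosoSSRS.contoso.com', 'http/ContosoSSRS')
$ConfigPath     = 'C:\Program Files\Microsoft SQL Server\MSRS13.MSSQLSERVER\Reporting Services\ReportServer\rsreportserver.config'

function Test-ReportServerSpn {
    param([string]$Account, [string[]]$Spns)
    # setspn -L lists the SPNs registered on the account; lines are indented, so trim them.
    $registered = (& setspn -L $Account 2>$null) | ForEach-Object { $_.Trim() }
    foreach ($spn in $Spns) {
        [pscustomobject]@{
            SPN        = $spn
            Registered = ($registered -contains $spn)
        }
    }
}

function Test-DuplicateSpn {
    # setspn -X reports SPNs that exist on more than one account in the forest.
    # A duplicate HTTP SPN makes the KDC hand out tickets for the wrong account.
    $output = & setspn -X 2>$null
    return ($output | Where-Object { $_ -match 'http/' })
}

function Test-NegotiateEnabled {
    param([string]$Path)
    [xml]$config = Get-Content -Path $Path -Raw
    $types = $config.Configuration.Authentication.AuthenticationTypes
    $names = $types.ChildNodes | Where-Object { $_.NodeType -eq 'Element' } | ForEach-Object { $_.Name }
    [pscustomobject]@{
        AuthenticationTypes = ($names -join ', ')
        NegotiateEnabled    = ($names -contains 'RSWindowsNegotiate')
        # Basic auth is the configuration the article says organizations avoid.
        BasicStillEnabled   = ($names -contains 'RSWindowsBasic')
    }
}

Test-ReportServerSpn -Account $ServiceAccount -Spns $ExpectedSpns | Format-Table -AutoSize
$dupes = Test-DuplicateSpn
if ($dupes) { Write-Warning "Duplicate HTTP SPNs found:`n$($dupes -join "`n")" }
Test-NegotiateEnabled -Path $ConfigPath | Format-List
```

Run it on the report server as a user who can read the config file; setspn is available on any domain-joined machine with the AD tools installed. If NegotiateEnabled is false or a duplicate SPN is reported, fix that before touching ADFS or WAP, since every later failure would otherwise look like an OAuth problem.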

Active Directory Federation Services (ADFS) configuration

You will need to configure ADFS on a Windows 2016 server within your environment. This can be done through Server Manager by selecting Add Roles and Features under Manage. For more information, see Active Directory Federation Services.

Create an application group

Within the AD FS Management screen, you will want to create an application group for Reporting Services that includes information for the Power BI mobile apps.

You can create the application group with the following steps.

  1. Within the AD FS Management app, right-click Application Groups and select Add Application Group…

  2. Within the Add Application Group Wizard, provide a name for the application group and select Native application accessing a web API.

  3. Select Next.
  4. Provide a name for the application you are adding.
  5. Although a Client ID is auto-generated for you, enter 484d54fc-b481-4eee-9505-0258a1913020 for both iOS and Android.
  6. Add the following Redirect URLs:

    Entries for Power BI Mobile – iOS:
    msauth://code/mspbi-adal://com.microsoft.powerbimobile
    msauth://code/mspbi-adalms://com.microsoft.powerbimobilems
    mspbi-adal://com.microsoft.powerbimobile
    mspbi-adalms://com.microsoft.powerbimobilems

    Android apps only need the following:
    urn:ietf:wg:oauth:2.0:oob

  7. Select Next.
  8. Supply the URL for your Report Server. This is the external URL that will hit your Web Application Proxy. It should be in the following format.

    Note

    This URL is case sensitive!

    https:///reports

  9. Select Next.
  10. Choose the Access Control Policy that fits your organization's needs.

  11. Select Next.
  12. Select Next.
  13. Select Next.
  14. Select Close.

When completed, the properties of your application group should look similar to the following.
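The same application group can be created with the AD FS PowerShell cmdlets, which makes the configuration reviewable and repeatable. The script below is an added example and not part of the original article; the client ID and redirect URIs are the values the steps above specify, while the group name, application names, the external URL https://reports.contoso.com/reports and the access control policy are assumptions you should adjust.

```powershell
# Added example (not from the original article). Run on the AD FS server.
$GroupName    = 'Reporting Services'                    # assumption
$ClientId     = '484d54fc-b481-4eee-9505-0258a1913020'  # value given in the article for iOS and Android
# The Web API identifier is the external report server URL and it is case sensitive:
# it must match the URL the mobile app uses exactly, or token requests are rejected.
$WebApiId     = 'https://reports.contoso.com/reports'   # assumption
$PolicyName   = 'Permit everyone'                       # built-in policy; assumption, pick what fits your organization
$RedirectUris = @(
    'msauth://code/mspbi-adal://com.microsoft.powerbimobile',    # iOS
    'msauth://code/mspbi-adalms://com.microsoft.powerbimobilems', # iOS
    'mspbi-adal://com.microsoft.powerbimobile',                   # iOS
    'mspbi-adalms://com.microsoft.powerbimobilems',               # iOS
    'urn:ietf:wg:oauth:2.0:oob'                                   # Android
)

# Application group that holds both the native client and the web API.
New-AdfsApplicationGroup -Name $GroupName -ApplicationGroupIdentifier $GroupName `
    -Description 'Power BI mobile access to Reporting Services'

# Native client: the Power BI mobile app, identified by the fixed client ID.
Add-AdfsNativeClientApplication -ApplicationGroupIdentifier $GroupName `
    -Name 'Power BI Mobile' -Identifier $ClientId -RedirectUri $RedirectUris

# Web API: the report server as published through WAP. Its name is what
# -ADFSRelyingPartyName refers to when the WAP application is added later.
Add-AdfsWebApiApplication -ApplicationGroupIdentifier $GroupName `
    -Name 'Reporting Services - Web API' -Identifier $WebApiId `
    -AccessControlPolicyName $PolicyName

# Allow the client to request tokens for the web API (openid is the default scope).
Grant-AdfsApplicationPermission -ClientRoleIdentifier $ClientId `
    -ServerRoleIdentifier $WebApiId -ScopeNames 'openid'

# Verify: only the expected redirect URIs should be present.
Get-AdfsNativeClientApplication -Name 'Power BI Mobile' | Select-Object Identifier, RedirectUri
Get-AdfsWebApiApplication -Name 'Reporting Services - Web API' | Select-Object Identifier, AccessControlPolicyName
```

Keep the redirect URI list limited to the entries above; an extra or wildcard redirect URI would let an authorization code be delivered to a different application. If you want the multi-factor option mentioned later in this article, the built-in policy 'Permit everyone and require MFA' can be used for $PolicyName instead.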

Web Application Proxy (WAP) configuration

Enable the Web Application Proxy Windows role on a server in your environment. This must be a Windows 2016 server. For more information, see Web Application Proxy in Windows Server 2016 and Publishing Applications using AD FS Preauthentication.

Constrained delegation configuration

In order to transition from OAuth authentication to Windows authentication, we need to use constrained delegation with protocol transitioning. This is part of the Kerberos configuration. We already defined the Reporting Services SPN within the Reporting Services configuration.

We need to configure constrained delegation on the WAP server machine account within Active Directory. You may need to work with a domain administrator if you don't have rights to Active Directory.

To configure constrained delegation, do the following.

  1. On a machine that has the Active Directory tools installed, launch Active Directory Users and Computers.
  2. Find the machine account for your WAP server. By default, this will be in the Computers container.
  3. Right-click the WAP server and go to Properties.
  4. Select the Delegation tab.
  5. Select Trust this computer for delegation to specified services only and then Use any authentication protocol.

    This sets up constrained delegation for this WAP server machine account. We then need to specify the services that this machine is allowed to delegate to.

  6. Select Add… under the Services box.

  7. Select Users or Computers…
  8. Enter the service account that you are using for Reporting Services. This is the account you added the SPN to within the Reporting Services configuration.
  9. Select the SPN for Reporting Services and then select OK.

    Note

    You may only see the NetBIOS SPN. It will actually select both the NetBIOS and FQDN SPNs if they both exist.

  10. The result should look similar to the following when the Expanded checkbox is checked.

  11. Select OK.
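The Delegation tab settings map to two attributes on the WAP computer account: "Trust this computer for delegation to specified services only" populates msDS-AllowedToDelegateTo, and "Use any authentication protocol" sets the TRUSTED_TO_AUTH_FOR_DELEGATION flag (protocol transition). The script below is an added example, not from the original article, that applies and verifies the same settings with the ActiveDirectory module. The WAP computer name, service account name and report server names are assumptions.

```powershell
# Added example (not from the original article). Run as a domain administrator
# on a machine with the ActiveDirectory module (RSAT) installed.
Import-Module ActiveDirectory

$WapComputer      = 'WAP01'        # assumption: sAMAccountName of the WAP server (without the trailing $)
$RsServiceAccount = 'svc-ssrs'     # assumption: Reporting Services service account
$TargetSpns       = @('http/ContosoSSRS.contoso.com', 'http/ContosoSSRS')  # assumption: SPNs registered on that account

# Refuse to delegate to SPNs that are not actually registered on the service
# account; a typo here would quietly delegate to nothing (or to the wrong account).
$acct    = Get-ADUser -Identity $RsServiceAccount -Properties ServicePrincipalName
$missing = $TargetSpns | Where-Object { $acct.ServicePrincipalName -notcontains $_ }
if ($missing) {
    throw "SPN(s) not registered on ${RsServiceAccount}: $($missing -join ', ')"
}

# "Trust this computer for delegation to specified services only":
# only these SPNs are allowed as delegation targets (constrained, not unconstrained).
Set-ADComputer -Identity $WapComputer -Add @{ 'msDS-AllowedToDelegateTo' = $TargetSpns }

# "Use any authentication protocol": protocol transition, needed because the
# user arrives at WAP with an OAuth token, not a Kerberos ticket.
Get-ADComputer -Identity $WapComputer | Set-ADAccountControl -TrustedToAuthForDelegation $true

# Verify the result. TrustedForDelegation (unconstrained) should remain False.
Get-ADComputer -Identity $WapComputer -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation, TrustedForDelegation |
    Select-Object Name, TrustedToAuthForDelegation, TrustedForDelegation,
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join '; ' } }
```

Because protocol transition lets the WAP machine account obtain a service ticket for any user without that user's credentials, keep the AllowedToDelegateTo list to the report server SPNs only and treat the WAP server as a sensitive host; it is worth periodically re-running the final query to confirm nobody has widened the list or switched the account to unconstrained delegation.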

Add WAP application

While you can publish applications within the Remote Access Management Console, we will want to create the application via PowerShell. Here is the command to add the application.

Add-WebApplicationProxyApplication -Name "Contoso Reports" -ExternalPreauthentication ADFS -ExternalUrl https://reports.contoso.com/reports/ -ExternalCertificateThumbprint "0ff79c75a725e6f67e3e2db55bdb103efc9acb12" -BackendServerUrl http://ContosoSSRS/reports/ -ADFSRelyingPartyName "Reporting Services - Web API" -BackendServerAuthenticationSPN "http/ContosoSSRS.contoso.com" -UseOAuthAuthentication
Parameters

ADFSRelyingPartyName
    This is the Web API name that you created as part of the application group within ADFS.

ExternalCertificateThumbprint
    This is the certificate to use for the external users. It is important that this certificate be valid on mobile devices and come from a trusted certificate authority.

BackendServerUrl
    This is the URL to the Report Server from the WAP server. If the WAP server is in a DMZ, you may need to use a fully qualified domain name. Make sure you can hit this URL from the web browser on the WAP server.

BackendServerAuthenticationSPN
    This is the SPN you created as part of the Reporting Services configuration.

Setting integrated authentication for the WAP application

After you add the WAP application, you will need to set the BackendServerAuthenticationMode to use IntegratedWindowsAuthentication. In order to set this, you need the ID of the WAP application.

Get-WebApplicationProxyApplication "Contoso Reports" | fl

Run the following command to set the BackendServerAuthenticationMode using the ID of the WAP application.

Set-WebApplicationProxyApplication -id 30198C7F-DDE4-0D82-E654-D369A47B1EE5 -BackendServerAuthenticationMode IntegratedWindowsAuthentication
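The two publishing commands above can be combined into one script that first confirms the external certificate is actually installed with its private key on the WAP server, publishes the application only if it is not already there, then looks up the ID instead of pasting it by hand. This is an added example, not part of the original article; it reuses the Contoso names and URLs from the command above, and the thumbprint is a placeholder you must replace.

```powershell
# Added example (not from the original article). Run on the WAP server.
$AppName    = 'Contoso Reports'
$Thumbprint = '<THUMBPRINT-OF-EXTERNAL-CERT>'   # placeholder: replace with the real thumbprint

function Test-ExternalCertificate {
    param([string]$Thumbprint)
    # WAP needs the certificate and its private key in the machine store to terminate TLS.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert)               { throw "Certificate $Thumbprint not found in Cert:\LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key on this server" }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Certificate $Thumbprint expires on $($cert.NotAfter); mobile sign-in will fail when it does"
    }
    return $cert
}

Test-ExternalCertificate -Thumbprint $Thumbprint | Select-Object Subject, NotAfter

# Publish the application once; re-running the script must not create a duplicate.
$app = Get-WebApplicationProxyApplication -Name $AppName -ErrorAction SilentlyContinue
if (-not $app) {
    Add-WebApplicationProxyApplication -Name $AppName `
        -ExternalPreauthentication ADFS `
        -ExternalUrl 'https://reports.contoso.com/reports/' `
        -ExternalCertificateThumbprint $Thumbprint `
        -BackendServerUrl 'http://ContosoSSRS/reports/' `
        -ADFSRelyingPartyName 'Reporting Services - Web API' `
        -BackendServerAuthenticationSPN 'http/ContosoSSRS.contoso.com' `
        -UseOAuthAuthentication
    $app = Get-WebApplicationProxyApplication -Name $AppName
}

# Switch the backend to Kerberos (the constrained delegation configured earlier)
# using the application's ID rather than a hand-copied GUID.
Set-WebApplicationProxyApplication -ID $app.ID -BackendServerAuthenticationMode IntegratedWindowsAuthentication

# Verify the final state of the published application.
Get-WebApplicationProxyApplication -Name $AppName |
    Select-Object Name, ID, ExternalUrl, BackendServerUrl,
        ExternalPreauthentication, BackendServerAuthenticationMode, BackendServerAuthenticationSPN
```

Before running it, check that the BackendServerUrl opens in a browser on the WAP server, as the parameter list above advises; the script cannot detect a backend that is unreachable from the DMZ.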

Connecting with the Power BI mobile app

Within the Power BI mobile app, you will want to connect to your Reporting Services instance. To do that, supply the external URL for your WAP application.

When you select Connect, you will be directed to your ADFS login page. Enter valid credentials for your domain.

After you select Sign in, you will see the elements from your Reporting Services server.

Multi-factor authentication

You can enable multi-factor authentication to add security to your environment. To learn more, see Configure AD FS 2016 and Azure MFA.

Troubleshooting

You receive the error "Failed to login to SSRS server. Please verify server configuration."

You can set up Fiddler to act as a proxy for your mobile devices to see how far the request made it. To enable a Fiddler proxy for your phone, you will need to set up the CertMaker for iOS and Android on the machine running Fiddler. This is an add-on from Telerik for Fiddler.

If the sign-in works when using Fiddler, you may have a certificate issue with either the WAP application or the ADFS server. You can use a tool such as Microsoft Message Analyzer to verify whether the certificates are valid.

Next steps

Register a Service Principal Name (SPN) for a Report Server
Modify a Reporting Services Configuration File
Configure Windows Authentication on a Report Server
Active Directory Federation Services
Web Application Proxy in Windows Server 2016
Publishing Applications using AD FS Preauthentication
Configure AD FS 2016 and Azure MFA
More questions? Try the Power BI Community