Configure Kerberos to use Power BI reports

Learn how to configure your report server for Kerberos authentication to data sources used within your Power BI reports for a distributed environment.

Power BI Report Server includes the ability to host Power BI reports. Many data sources are supported by your report server. While this article focuses specifically on SQL Server Analysis Services, you can apply the same concepts to other data sources such as SQL Server.

You can install Power BI Report Server, SQL Server and Analysis Services on a single machine and everything should work without additional configuration. This is great for a test environment. You may hit errors if you have these services installed on separate machines, which is called a distributed environment. In this environment, you are required to use Kerberos authentication, and additional configuration is required to implement it.

Specifically, you will need to configure constrained delegation. You may have Kerberos configured in your environment, but it may not be configured for constrained delegation.

Error running report

If your report server is not configured properly, you may receive the following error.

Something went wrong.

We couldn’t run the report because we couldn’t connect to its data source. The report or data source might not be configured correctly. 

Within Technical details, you will see the following message.

We couldn’t connect to the Analysis Services server. The server forcibly closed the connection. To connect as the user viewing the report, your organization must have configured Kerberos constrained delegation.

Configuring Kerberos constrained delegation

There are several items that need to be configured in order for Kerberos constrained delegation to work. This includes Service Principal Names (SPNs) and delegation settings on service accounts.

Note

In order to configure SPNs and delegation settings, you need to be a domain administrator.

We will need to configure, or validate, the following.

  1. Authentication type within Report Server config.
  2. SPNs for the report server service account.
  3. SPNs for the Analysis Services service.
  4. SPNs for the SQL Browser service on the Analysis Services machine. This is for named instances only.
  5. Delegation settings on the report server service account.

Authentication type within Report Server configuration

We need to configure the authentication type for the report server to allow for Kerberos constrained delegation. This is done within the rsreportserver.config file. The default location for this file is C:\Program Files\Microsoft Power BI Report Server\PBIRS\ReportServer.

Within the rsreportserver.config file, find the Authentication/AuthenticationTypes section.

We want to make sure that RSWindowsNegotiate is listed and is the first in the list of authentication types. It should look similar to the following.

<AuthenticationTypes>
    <RSWindowsNegotiate/>
    <RSWindowsNTLM/>
</AuthenticationTypes>

If you had to change the configuration file, stop and start the report server to make sure the changes take effect.

For more information, see Configure Windows Authentication on the Report Server.
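One way to check the ordering described above without opening the file by hand. This is an added example, not part of the original article; the function name Test-NegotiateFirst is hypothetical, and the path is the default location given above.

```powershell
# Added example: confirm RSWindowsNegotiate is listed first in rsreportserver.config.
# Read-only; the default path below is the one given in the article.
$configPath = 'C:\Program Files\Microsoft Power BI Report Server\PBIRS\ReportServer\rsreportserver.config'

function Test-NegotiateFirst {          # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Config file not found: $Path"
    }
    [xml]$cfg = Get-Content -LiteralPath $Path -Raw
    $node = $cfg.SelectSingleNode('//Authentication/AuthenticationTypes')
    if (-not $node) {
        throw "No Authentication/AuthenticationTypes section in $Path"
    }
    # Keep only element children, in document order (skips comments and whitespace)
    $types = @($node.ChildNodes |
        Where-Object { $_.NodeType -eq 'Element' } |
        ForEach-Object { $_.Name })

    [pscustomobject]@{
        Types          = $types
        NegotiateFirst = ($types.Count -gt 0 -and $types[0] -eq 'RSWindowsNegotiate')
    }
}

$result = Test-NegotiateFirst -Path $configPath
if ($result.NegotiateFirst) {
    Write-Output "OK: authentication types in order: $($result.Types -join ', ')"
} else {
    Write-Warning "RSWindowsNegotiate is not first. Found: $($result.Types -join ', ')"
}
```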

SPNs for the report server service account

Next, we need to make sure that the report server has valid SPNs available. This is based on the service account that is configured for the report server.

Virtual Service Account or Network Service

If your report server is configured for the Virtual Service Account or Network Service account, you should not have to do anything. These run in the context of the machine account. The machine account will have HOST SPNs by default. These will cover the HTTP service and will be used by the report server.

If you are using a virtual server name, one that is not the same as the machine account, the HOST entries will not cover you and you will need to manually add the SPNs for the virtual server host name.

Domain user account

If your report server is configured to use a domain user account, you will have to manually create HTTP SPNs on that account. This can be done using the setspn tool that comes with Windows.

Note

You will need domain admin rights in order to create the SPN.

It is recommended to create two SPNs: one with the NetBIOS name and the other with the fully qualified domain name (FQDN). The SPN will be in the following format.

<Service>/<Host>:<port>

Power BI Report Server will use a Service of HTTP. For HTTP SPNs you will not list a port. The host of the SPN will be the name you use in a URL. Typically, this is the machine name. If you are behind a load balancer, this may be a virtual name.

Note

You can verify the URL by either looking at what you enter into the address bar of the browser, or you can look in the Report Server Configuration Manager on the Web Portal URL tab.

If your machine name is ContosoRS, your SPNs would be the following.

SPN Type                             SPN
Fully Qualified Domain Name (FQDN)   HTTP/ContosoRS.contoso.com
NetBIOS                              HTTP/ContosoRS

Location of SPN

So, where do you put the SPN? The SPN is placed on whatever account you are using as your service account. If you are using Virtual Service Account or Network Service, this will be the machine account, although as mentioned before you should only need to do this for a virtual URL. If you are using a domain user for the report server service account, then you will place the SPN on that domain user account.

For example, if we are using the Network Service account and our machine name is ContosoRS, we would place the SPN on ContosoRS.

If we are using a domain user account of RSService, we would place the SPN on RSService.

Using SetSPN to add the SPN

We can use the SetSPN tool to add the SPN. We will follow the same example as above with the machine account and the domain user account.

Placing the SPN on a machine account, for both the FQDN and NetBIOS SPN, would look similar to the following if we were using a virtual URL of contosoreports.

  Setspn -a HTTP/contosoreports.contoso.com ContosoRS
  Setspn -a HTTP/contosoreports ContosoRS

Placing the SPN on a domain user account, for both the FQDN and NetBIOS SPN, would look similar to the following if you were using the machine name for the host of the SPN.

  Setspn -a HTTP/ContosoRS.contoso.com RSService
  Setspn -a HTTP/ContosoRS RSService

SPNs for the Analysis Services service

The SPNs for Analysis Services are similar to what we did with Power BI Report Server. The format of the SPN is a little different if you have a named instance.

For Analysis Services, we use a Service of MSOLAPSvc.3. We will specify the instance name for the port location on the SPN. The host part of the SPN will either be the machine name, or the Cluster virtual name.

An example of an Analysis Services SPN would look like the following.

Type               Format
Default instance   MSOLAPSvc.3/ContosoAS.contoso.com
                   MSOLAPSvc.3/ContosoAS
Named instance     MSOLAPSvc.3/ContosoAS.contoso.com:INSTANCENAME
                   MSOLAPSvc.3/ContosoAS:INSTANCENAME

Placement of the SPN is also similar to what was mentioned with Power BI Report Server. It is based on the service account. If you are using Local System or Network Service, you will be in the context of the machine account. If you are using a domain user account for the Analysis Services instance, you will place the SPN on the domain user account.

Using SetSPN to add the SPN

We can use the SetSPN tool to add the SPN. For this example, the machine name will be ContosoAS.

Placing the SPN on a machine account, for both the FQDN and NetBIOS SPN, would look similar to the following.

Setspn -a MSOLAPSvc.3/ContosoAS.contoso.com ContosoAS
Setspn -a MSOLAPSvc.3/ContosoAS ContosoAS

Placing the SPN on a domain user account, for both the FQDN and NetBIOS SPN, would look similar to the following.

Setspn -a MSOLAPSvc.3/ContosoAS.contoso.com OLAPService
Setspn -a MSOLAPSvc.3/ContosoAS OLAPService

SPNs for the SQL Browser service

If you have an Analysis Services named instance, you also need to make sure you have an SPN for the browser service. This is unique to Analysis Services.

The SPNs for SQL Browser are similar to what we did with Power BI Report Server.

For SQL Browser, we use a Service of MSOLAPDisco.3. We will specify the instance name for the port location on the SPN. The host part of the SPN will either be the machine name, or the Cluster virtual name. You do not have to specify anything for the instance name or port.

An example of an Analysis Services SPN would look like the following.

MSOLAPDisco.3/ContosoAS.contoso.com
MSOLAPDisco.3/ContosoAS

Placement of the SPN is also similar to what was mentioned with Power BI Report Server. The difference here is that SQL Browser always runs under the Local System account. This means that the SPNs will always go on the machine account.

Using SetSPN to add the SPN

We can use the SetSPN tool to add the SPN. For this example, the machine name will be ContosoAS.

Placing the SPN on the machine account, for both the FQDN and NetBIOS SPN, would look similar to the following.

Setspn -a MSOLAPDisco.3/ContosoAS.contoso.com ContosoAS
Setspn -a MSOLAPDisco.3/ContosoAS ContosoAS

For more information, see An SPN for the SQL Server Browser service is required.

Delegation settings on the report server service account

The last part that we have to configure is the delegation settings on the report server service account. There are different tools you can use to perform these steps. For the purposes of this document, we will stick with Active Directory Users and Computers.

Start by going to the properties of the report server service account within Active Directory Users and Computers. This will either be the machine account, if you used Virtual Service Account or Network Service, or it will be a domain user account.

We will want to configure constrained delegation with protocol transition. With constrained delegation, you need to be explicit about which services you want to delegate to. We will add both the Analysis Services service SPN and the SQL Browser SPN to the list that Power BI Report Server can delegate to.

  1. Right click on the report server service account and select Properties.
  2. Select the Delegation tab.
  3. Select Trust this computer for delegation to specified services only.
  4. Select Use any authentication protocol.
  5. Under the Services to which this account can present delegated credentials: select Add.
  6. In the new dialog, select Users or Computers.
  7. Enter the service account for the Analysis Services service and select OK.
  8. Select the SPN that you created. It will begin with MSOLAPSvc.3. If you added both the FQDN and the NetBIOS SPN, it will select both. You may only see one.
  9. Select OK. You should see the SPN in the list now.
  10. Optionally, you can select Expanded to show both the FQDN and NetBIOS SPN in the list.
  11. Select Add again. We will add the SQL Browser SPN now.
  12. In the new dialog, select Users or Computers.
  13. Enter the machine name for the machine the SQL Browser service is on and select OK.
  14. Select the SPN that you created. It will begin with MSOLAPDisco.3. If you added both the FQDN and the NetBIOS SPN, it will select both. You may only see one.
  15. Select OK. The dialog should look similar to the following if you checked Expanded.
  16. Select OK.
  17. Reboot the Power BI Report Server.
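The SPN and delegation settings configured above can be read back from Active Directory and compared with what was intended. This is an added example, not part of the original article; it assumes the RSAT ActiveDirectory module, a domain user service account, and the article's sample names (RSService, ContosoRS, ContosoAS, contoso.com).

```powershell
# Added example: read-only audit of the SPNs and delegation settings above.
# Assumes the RSAT ActiveDirectory module and the article's sample names.
Import-Module ActiveDirectory

$rsAccount    = 'RSService'   # domain user; for a machine account use Get-ADComputer
$expectedSpns = @('HTTP/ContosoRS.contoso.com', 'HTTP/ContosoRS')
# SPNs as created in the article; a named instance uses MSOLAPSvc.3/<host>:INSTANCENAME
$expectedTargets = @(
    'MSOLAPSvc.3/ContosoAS.contoso.com',   'MSOLAPSvc.3/ContosoAS',
    'MSOLAPDisco.3/ContosoAS.contoso.com', 'MSOLAPDisco.3/ContosoAS'
)

$acct = Get-ADUser -Identity $rsAccount -Properties servicePrincipalName,
    'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation

# Drop empty values so an unset attribute yields an empty list
$spns     = @($acct.servicePrincipalName | Where-Object { $_ })
$targets  = @($acct.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
$findings = @()

foreach ($spn in $expectedSpns) {
    if ($spns -notcontains $spn) { $findings += "Missing SPN on ${rsAccount}: $spn" }
}
# Unconstrained delegation is broader than the constrained setup the article calls for
if ($acct.TrustedForDelegation) {
    $findings += "$rsAccount is trusted for delegation to any service (unconstrained)"
}
if (-not $acct.TrustedToAuthForDelegation) {
    $findings += "'Use any authentication protocol' is not enabled on $rsAccount"
}
foreach ($t in $expectedTargets) {
    if ($targets -notcontains $t) { $findings += "Delegation target missing: $t" }
}
# Anything beyond the intended list widens what the account can impersonate users to
foreach ($t in $targets) {
    if ($expectedTargets -notcontains $t) { $findings += "Unexpected delegation target: $t" }
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output "$rsAccount matches the expected SPN and delegation configuration."
}

# An SPN registered on more than one account breaks Kerberos; list duplicates.
setspn -X
```

The comparisons are case-insensitive, which matches how SPNs are treated. Any "Unexpected delegation target" line deserves review, because the account can obtain tickets to that service on behalf of users.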

Running a Power BI Report

After all of the above configuration is in place, your report should display properly.

While this configuration should work in most cases, Kerberos configuration can differ depending on your environment. If the report still does not load, reach out to your domain administrator to investigate further, or contact support.

Next steps

Administrator handbook
Quickstart: Install Power BI Report Server

More questions? Try asking the Power BI Community