Pre-requisites
Azure AD and On-prem domains need to be joined or have pass-through login enabled between the two.
If you log in to the Azure portal and look at Azure Active Directory, ensure Azure AD Connect is enabled.
Review the properties of AD Connect.
User sign-in option: Seamless single sign-on is enabled.
There might be some pushback from customers who don’t want to enable it for everyone in the AD. The workaround is to create a custom domain that only syncs with some users that have access to AtScale/PowerBI.
Create a custom domain in Azure and sync that with AtScale.
Once you have the domain set up, download Azure AD sync.
This scenario is using the AtScale custom domain, pbi.atscale.com
AtScale Configuration
Enable custom directory and point to the custom domain that you’ve created in Azure.
Depending on how the Azure login is set up, be sure to check the User Unique ID Attribute mapping to the PBI and Azure SSO. This will be highlighted later in the PBI Gateway deployment section.
In this example, we are logging into PBI using an email account.
Set up a service account with the impersonation role enabled to map to PBI Gateway login information.
Either create an impersonation role or assign a role directly to the service account.
Then, in Role Assignments, assign the role to the user.
The last step in AtScale is to enable NTLM in the engine.
PowerBI Login
Log in to PowerBI (see Downloads | Microsoft Power BI).
After logging into PowerBI, go to PowerBI Services.
Make a note of what information got passed to AD for authentication.
PowerBI Gateway
Download the gateway from the top right corner of the user interface.
Choose to download the standard mode.
Configuring the Gateway
Sign in to the gateway using your Azure AD access credentials. Assign a service account to map to what you have created in AtScale.
This example is using the service-pbi-admin user.
After you enter the instance name, it will take you to the create PBI Gateway session. Ensure the instance name has no spaces, dashes, or periods, only letters of the alphabet.
Once you complete the Azure configuration, you can log in to the gateway on the desktop.
After login:
Change the service account running the PBI gateway and make sure it uses the login name assigned as the impersonation user in AtScale.
To change that, type service in the search bar and look for the on-premises data gateway.
And change the login:
Re-start services.
Create Connection
The last step is to set up the connection for your gateway.
You can set up the data source for the gateway.
The server URL can be copied from the AtScale connect string.
The database name is the Project Name, not the cube name.
The login credentials are those of the service account used in AtScale and in setting up the gateway.
Publish Report
The final step is to publish the report to the workspace/PowerBI Services from PowerBI Desktop.
Connect to AtScale using the Analysis Services data source.
With DAX, all connections would be SSO through NTLM for Analysis Services.
After you are done with the report, publish it to PowerBI Services.
When you review the report, you’ll see:
Impersonation by the service accounts for the user.
Troubleshooting
If you get an error, you should see a few runtime errors in the AtScale engine log.
Scenario 1
2021-07-20 23:32:40,909 DEBUG [jndi-executor-77] {} com.atscale.engine.security.LdapUserDirectory - user filters: [base (&(objectClass=person)(sAMAccountName=*))] [supplemental Some(sAMAccountName=service-pbi-user)] [combined (&(&(objectClass=person)(sAMAccountName=*))(sAMAccountName=service-pbi-user))]
2021-07-20 23:32:40,921 INFO [atscale-akka.actor.default-dispatcher-29] {subject=service-pbi-user, user=service-pbi-admin, orgId=default, queryId=1224d248-62cb-4947-8bf0-6a04
2021-07-20 23:36:32,552 DEBUG [jndi-executor-79] {} com.atscale.engine.security.LdapUserDirectory - user filters: [base (&(objectClass=person)(sAMAccountName=*))] [supplemental Some(sAMAccountName=rudy.widjaja@atscale.com)] [combined (&(&(objectClass=person)(sAMAccountName=*))(sAMAccountName=rudy.widjaja@atscale.com))]
You need to capture the mapping between the AtScale login and what the PBI service account sends.
You can configure how PowerBI Gateway sends the login back to AtScale so that you can adjust the mapping between sAMAccountName and Principal Name.
2021-07-20 23:32:22,485 DEBUG [jndi-executor-77] {} com.atscale.engine.security.LdapUserDirectory - user filters: [base (&(objectClass=person)(sAMAccountName=*))] [supplemental Some(sAMAccountName=service-pbi-admin)] [combined (&(&(objectClass=person)(sAMAccountName=*))(sAMAccountName=service-pbi-admin))]
You can try to re-map the AtScale security login from sAMAccountName to userPrincipalName.
Or you can change the PROXY user Attribute to “userPrincipalName” and keep the User Unique ID to sAMAccountName.
This is because PowerBI Services uses uid+domain (-> rudy.widjaja@atscale.com), and that is what will be sent to AtScale.
Error seen:
The error references @hccm.com along with the user, and changing the proxy user attribute from sAMAccountName to userPrincipalName worked fine.
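A check for the mismatch described in this scenario, as an added example that is not part of the original guide or of AtScale's tooling: it parses the LdapUserDirectory "user filters" DEBUG lines and flags lookups where the login value sent does not fit the attribute being searched. The sample log lines, account names, and the function names parse_lookups and find_mismatches are constructed for illustration; the userPrincipalName line assumes the filter changes accordingly after re-mapping.

```python
import re

# Matches the LdapUserDirectory "user filters" DEBUG line format shown above.
FILTER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) DEBUG .*?"
    r"LdapUserDirectory - user filters: .*?"
    r"\[supplemental Some\((?P<attr>[A-Za-z]+)=(?P<value>[^)]*)\)\]"
)

# Constructed sample lines modelled on the log format in this guide.
SAMPLE_LOG = """\
2021-07-20 23:32:40,909 DEBUG [jndi-executor-77] {} com.atscale.engine.security.LdapUserDirectory - user filters: [base (&(objectClass=person)(sAMAccountName=*))] [supplemental Some(sAMAccountName=svc-pbi-gateway)] [combined (&(&(objectClass=person)(sAMAccountName=*))(sAMAccountName=svc-pbi-gateway))]
2021-07-20 23:32:41,000 INFO [main] {} constructed unrelated line
2021-07-20 23:36:32,552 DEBUG [jndi-executor-79] {} com.atscale.engine.security.LdapUserDirectory - user filters: [base (&(objectClass=person)(sAMAccountName=*))] [supplemental Some(sAMAccountName=alice@example.com)] [combined (&(&(objectClass=person)(sAMAccountName=*))(sAMAccountName=alice@example.com))]
2021-07-20 23:40:10,117 DEBUG [jndi-executor-80] {} com.atscale.engine.security.LdapUserDirectory - user filters: [base (&(objectClass=person)(userPrincipalName=*))] [supplemental Some(userPrincipalName=alice@example.com)] [combined (&(&(objectClass=person)(userPrincipalName=*))(userPrincipalName=alice@example.com))]
"""


def parse_lookups(log_text):
    """Return (timestamp, attribute, value) for each LDAP user lookup line."""
    lookups = []
    for line in log_text.splitlines():
        m = FILTER_RE.match(line)
        if m:
            lookups.append((m["ts"], m["attr"], m["value"]))
    return lookups


def find_mismatches(lookups):
    """Flag lookups whose value shape does not fit the attribute searched."""
    findings = []
    for ts, attr, value in lookups:
        looks_like_upn = "@" in value  # uid+domain form, as PowerBI Services sends
        if attr == "sAMAccountName" and looks_like_upn:
            findings.append((ts, value, "UPN sent, lookup uses sAMAccountName"))
        elif attr == "userPrincipalName" and not looks_like_upn:
            findings.append((ts, value, "short name sent, lookup uses userPrincipalName"))
    return findings


if __name__ == "__main__":
    for ts, value, reason in find_mismatches(parse_lookups(SAMPLE_LOG)):
        print(f"{ts}  {value}: {reason}")
```

A flagged line means the directory search cannot match the account as sent, which is the condition the re-mapping options in this scenario address.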
Scenario 2
You can utilize domain mapping in the PowerBI data connector.
Scenario 3
Remapping the service gateway:
Edit Microsoft.PowerBI.DataMovement.Pipeline.GatewayCore.dll.config in C:\Program Files\On-premises data gateway
Add two entries:
<setting name="ADUserNameLookupProperty" serializeAs="String">
  <value>Email</value>
</setting>
<setting name="ADUserNameReplacementProperty" serializeAs="String">
  <value>UserPrincipalName</value>
</setting>