‘Setting up PowerBI Report Server SPN’ in hybrid environments when the PowerBI cloud service is not <yet> an option in an organization. This article will go through SPN commands, to secure via Kerberos authentication and/or smart card usage for Security requirements (i.e. STIG, CCRI, SOX, HIPAA, PCI, Security Scans, <insert other regulatory requirements here>). Lastly, PowerBI Report Server can be setup to run parallel to SSRS SQL instance. Refer to SPN commands below which helped me setup SmartCards authentication based on SPN setup.
Find/replace
DOMAIN
POWERBIREPORTSERVER
FQDN
svc.PowerBI.scomda
svc.PowerBI.scomdr
SPN commands to set up SQL & PowerBI
Create SPN for PowerBI Report Server
# RE: PBIRS SPN’s
SetSPN -s “MSSQLSvc/POWERBIREPORTSERVER.FQDN” “DOMAIN\svc.PowerBI.scomda”
SetSPN -s “MSSQLSvc/POWERBIREPORTSERVER” “DOMAIN\svc.PowerBI.scomda”
Create PowerBi Report Server SPN’s for OLAP
# PBIRS & MSSQL
# Remove the SPN’s for SQL on Report Server
setspn -d MSOLAPSvc.3/POWERBIREPORTSERVER POWERBIREPORTSERVER
setspn -d MSOLAPSvc.3/POWERBIREPORTSERVER.FQDN POWERBIREPORTSERVER
Create PowerBI Report Server SPN for service/gMSA account
setspn -d HTTP/POWERBIREPORTSERVER.FQDN:443 DOMAIN\svc.PowerBI.scomdr
setspn -d HTTP/POWERBIREPORTSERVER:443 DOMAIN\svc.PowerBI.scomdr
Create SQL SPN’s for SSRS reporting
SetSPN -s “MSSQLSvc/POWERBIREPORTSERVER.FQDN” “DOMAIN\svc.PowerBI.scomda”
SetSPN -s “MSSQLSvc/POWERBIREPORTSERVER” “DOMAIN\svc.PowerBI.scomda”
Create SQL HTTP SPN’s for SSRS reporting
setspn -s HTTP/reports.FQDN DOMAIN\svc.PowerBI.scomdr
setspn -s HTTP/reports DOMAIN\svc.PowerBI.scomdr
Lastly, test authentications to PowerBI server…
Verify PBIRS (PowerBI Report Server) log file for ReportServerService_HTTP_ entries after successful auth
File PATH = D:\Program Files\Microsoft Power BI Report Server\PBIRS\LogFiles
Documentation
PowerBI with Service Principal https://powerbi.microsoft.com/en-us/blog/use-power-bi-api-with-service-principal-preview/
Configure Kerberos SSO https://learn.microsoft.com/en-us/power-bi/connect-data/service-gateway-sso-kerberos