Setting up PowerBI Report Server SPN

Ah - 'Setting up PowerBI Report Server SPN's for PowerBI and SQL to help securely communicate and authenticate.
Ah – ‘Setting up PowerBI Report Server SPN’s for PowerBI and SQL to help securely communicate and authenticate.

‘Setting up PowerBI Report Server SPN’ in hybrid environments when the PowerBI cloud service is not <yet> an option in an organization.  This article will go through SPN commands, to secure via Kerberos authentication and/or smart card usage for Security requirements (i.e. STIG, CCRI, SOX, HIPAA, PCI, Security Scans, <insert other regulatory requirements here>).  Lastly, PowerBI Report Server can be setup to run parallel to SSRS SQL instance.  Refer to SPN commands below which helped me setup SmartCards authentication based on SPN setup.

 

Find/replace

DOMAIN

POWERBIREPORTSERVER

FQDN

svc.PowerBI.scomda

svc.PowerBI.scomdr

 

 

SPN commands to set up SQL & PowerBI

Create SPN for PowerBI Report Server

# RE: PBIRS SPN’s
SetSPN -s “MSSQLSvc/POWERBIREPORTSERVER.FQDN” “DOMAIN\svc.PowerBI.scomda”
SetSPN -s “MSSQLSvc/POWERBIREPORTSERVER” “DOMAIN\svc.PowerBI.scomda”

 

Create PowerBi Report Server SPN’s for OLAP

# PBIRS & MSSQL
# Remove the SPN’s for SQL on Report Server
setspn -d MSOLAPSvc.3/POWERBIREPORTSERVER POWERBIREPORTSERVER
setspn -d MSOLAPSvc.3/POWERBIREPORTSERVER.FQDN POWERBIREPORTSERVER

 

Create PowerBI Report Server SPN for service/gMSA account

setspn -d HTTP/POWERBIREPORTSERVER.FQDN:443 DOMAIN\svc.PowerBI.scomdr
setspn -d HTTP/POWERBIREPORTSERVER:443 DOMAIN\svc.PowerBI.scomdr

 

Create SQL SPN’s for SSRS reporting

SetSPN -s “MSSQLSvc/POWERBIREPORTSERVER.FQDN” “DOMAIN\svc.PowerBI.scomda”
SetSPN -s “MSSQLSvc/POWERBIREPORTSERVER” “DOMAIN\svc.PowerBI.scomda”

 

Create SQL HTTP SPN’s for SSRS reporting

setspn -s HTTP/reports.FQDN DOMAIN\svc.PowerBI.scomdr
setspn -s HTTP/reports DOMAIN\svc.PowerBI.scomdr

 

Lastly, test authentications to PowerBI server…

Verify PBIRS (PowerBI Report Server) log file for ReportServerService_HTTP_ entries after successful auth

File PATH = D:\Program Files\Microsoft Power BI Report Server\PBIRS\LogFiles

 

Documentation

PowerBI with Service Principal https://powerbi.microsoft.com/en-us/blog/use-power-bi-api-with-service-principal-preview/

Configure Kerberos SSO https://learn.microsoft.com/en-us/power-bi/connect-data/service-gateway-sso-kerberos

Leave a Reply

Your email address will not be published. Required fields are marked *