AD FS WIA web app authentication for external users

yobyot 1 Reputation point
2022-11-09T16:12:37.6+00:00

I have a requirement to allow users in two external domains to authenticate with Power BI report server. The Power BI server is self-hosted.

Power BI uses WIA and I have been able to configure AD FS to authenticate to it via a web application proxy.

However, an external domain that I created to test one of the two external user domains that are part of the requirement cannot authenticate. I hope the screen snippet below, from the WAP in the domain containing the Power BI server, explains what I am seeing.

If a user enters the public address of the WAP application, selects the external domain, and authenticates with it, the WAP in the Power BI-containing domain logs a password error. The error is logged against the userid that was authenticated by the external domain.

I think everything is correct -- but my question is, what do I need to do in the Power BI-owning domain to permit users authenticated by AD FS to access a WIA, pre-authentication web app in the target domain?

Appreciate any advice.

258786-adfs.png


1 answer

  1. Pierre Audonnet - MSFT 10,171 Reputation points Microsoft Employee
    2022-11-15T00:03:45.517+00:00

    I understand you are using Kerberos Constrained Delegation. There are two ways to do it, the "classic/legacy" way and the RBCD way; which one is it? Can you describe in more detail what the domain configuration is and what version of Windows Server the WAP, AD FS, DC and the actual application servers are running?
