AD FS WIA web app authentication for external users

yobyot 1 Reputation point
2022-11-09T16:12:37.6+00:00

I have a requirement to allow users in two external domains to authentication with Power BI report server. The Power BI server is self-hosted.

Power BI uses WIA and I have been able to configure AD FS to authenticate to it via a web application proxy.

However, an external domain that I created to test one of the two external user domains that are part of the requirement cannot authenticate. I hope the screen snippet below, from the WAP in the domain containing the Power BI server explains what I am seeing.

If a user enters the public address of the WAP application, selects the external domain, authenticates with it the WAP in the Power BI containing domain logs a password error. The error is logged against the userid that was authenticated by the external domain.

I think everything is correct -- but my question is, what do I need to do in the Power BI-owning domain to permit users authenticated by AD FS to access a WIA, pre-authentication web app in the target domain?

Appreciate any advice.

258786-adfs.png

Active Directory Federation Services
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
1,208 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,740 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Pierre Audonnet - MSFT 10,166 Reputation points Microsoft Employee
    2022-11-15T00:03:45.517+00:00

    I understand you are using the Kerberos Constraint Delegation. There are two ways to do it, the "classic/legacy" way and the RCBD way, which on is it? Can you describe more in details what is the domain configuration and what version of Windows Servers WAP, AD FS, DC and the actual application servers are running?

    0 comments No comments