I understand you are using the Kerberos Constraint Delegation. There are two ways to do it, the "classic/legacy" way and the RCBD way, which on is it? Can you describe more in details what is the domain configuration and what version of Windows Servers WAP, AD FS, DC and the actual application servers are running?
AD FS WIA web app authentication for external users
I have a requirement to allow users in two external domains to authentication with Power BI report server. The Power BI server is self-hosted.
Power BI uses WIA and I have been able to configure AD FS to authenticate to it via a web application proxy.
However, an external domain that I created to test one of the two external user domains that are part of the requirement cannot authenticate. I hope the screen snippet below, from the WAP in the domain containing the Power BI server explains what I am seeing.
If a user enters the public address of the WAP application, selects the external domain, authenticates with it the WAP in the Power BI containing domain logs a password error. The error is logged against the userid that was authenticated by the external domain.
I think everything is correct -- but my question is, what do I need to do in the Power BI-owning domain to permit users authenticated by AD FS to access a WIA, pre-authentication web app in the target domain?
Appreciate any advice.
Sign in to comment
Sort by: Most helpful