Use Kerberos for SSO to SAP HANA

This article describes how to configure your SAP HANA data source to enable single sign-on (SSO) from the Power BI service.

Important

Because SAP no longer supports OpenSSL, Microsoft has also discontinued its support. Your existing connections continue to work but you can no longer create new connections. Use SAP Cryptographic Library (CommonCryptoLib), or sapcrypto, instead.

Note

Before you attempt to refresh an SAP HANA-based report that uses Kerberos SSO, complete the steps in both this article and Configure Kerberos-based SSO.

Enable SSO for SAP HANA

To enable SSO for SAP HANA, complete the following steps:

  1. Ensure the SAP HANA server is running the required minimum version, which depends on your SAP HANA server platform level:

  2. On the gateway computer, install the latest SAP HANA ODBC driver. The minimum version is HANA ODBC version 2.00.020.00 from August 2017.

  3. Ensure that the SAP HANA server has been configured for Kerberos-based SSO. For more information about setting up SSO for SAP HANA by using Kerberos, see Single sign-on using Kerberos. Also see the links from that page, particularly SAP Note 1837331 – HOWTO HANA DBSSO Kerberos/Active Directory.

We also recommend following these extra steps, which can yield a small performance improvement:

  1. In the gateway installation directory, look for and open this configuration file: Microsoft.PowerBI.DataMovement.Pipeline.GatewayCore.dll.config.

  2. Look for the FullDomainResolutionEnabled property and change its value to True.

    <setting name=" FullDomainResolutionEnabled " serializeAs="String">
          <value>True</value>
    </setting>
    
  3. Run a Power BI report.

Troubleshoot

This section provides instructions for troubleshooting using Kerberos for single sign-on (SSO) to SAP HANA in the Power BI service. By using these troubleshooting steps, you can self-diagnose and correct many issues you might be facing.

To follow the steps in this section, you need to collect gateway logs.

TLS/SSL error (certificate)

This issue has multiple symptoms.

  • When you try to add a new data source, you might see an error like the following message:

    Unable to connect: We encountered an error while trying to connect to.
    Details: "We could not register this data source for any gateway
    instances within this cluster.
    Please find more details below about specific errors for each gateway instance."
    
  • When you try to create or refresh a report, you might see the following error message:

    Screenshot of a 'Cannot load model' troubleshooting TLS/SSL error window.

  • When you investigate the Mashup[date]*.log, you see the following error message:

    A connection was successfully established with the server, 
    but then an error occurred during the login process and 
    the certificate chain was issued by an authority that is not trusted.
    

Resolution

To resolve this TLS/SSL error, go to the data source connection. Then, in the Validate Server Certificate section, disable the setting, as shown in the following image:

 Screenshot of resolving TLS/SSL error window by disabling the certificate.

After you've disabled this setting, the error message no longer appears.

Impersonation

Log entries for impersonation contain entries similar to:

About to impersonate user DOMAIN\User (IsAuthenticated: True, ImpersonationLevel: Impersonation).

The important element in this log entry is the information that's displayed after the ImpersonationLevel: entry. Any value different from Impersonation reveals that impersonation isn't occurring properly.

Resolution

You can set up ImpersonationLevel properly by following the instructions in Grant the gateway service account local policy rights on the gateway.

After you've changed the configuration file, restart the gateway service for the change to take effect.

Validation

Refresh or create the report, and then collect the gateway logs. Open the most recent GatewayInfo file and check the following string: About to impersonate user DOMAIN\User (IsAuthenticated: True, ImpersonationLevel: Impersonation). Make sure that the ImpersonationLevel setting returns Impersonation.

Delegation

Delegation issues usually appear in the Power BI service as generic errors. To make sure that the issue isn't a delegation issue, collect Wireshark traces and use Kerberos as a filter. To learn more about Wireshark, and for information about Kerberos errors, see Kerberos errors in network captures.

The following symptoms and troubleshooting steps can help remedy some common issues.

SPN issues

If you see the following error: The import [table] matches no exports. Did you miss a module reference?: while investigating the Mashup[date]*.log, then you're experiencing service principal name (SPN) issues.

When you investigate further by using Wireshark traces, you reveal the error KRB4KDC_ERR_S_PRINCIPAL_UNKOWN, which means that the SPN wasn't found or doesn't exist. The following image shows an example:

Screenshot showing a service principal name error.

Resolution

To resolve SPN issues like this one, you must add an SPN to a service account. For more information, see the SAP documentation in Configure Kerberos for SAP HANA database Hosts.

In addition, follow the resolution instructions described in the next section.

No credentials issues

There might not be clear symptoms associated with this issue. When you investigate the Mashup[date]*.log, you see the following error:

29T20:21:34.6679184Z","Action":"RemoteDocumentEvaluator/RemoteEvaluation/HandleException","HostProcessId":"1396","identity":"DirectQueryPool","Exception":"Exception:\r\nExceptionType: Microsoft.Mashup.Engine1.Runtime.ValueException, Microsoft.MashupEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35\r\nMessage:

When you investigate the same file further, the following (unhelpful) error appears:

No credentials are available in the security package

Capturing Wireshark traces reveals the following error: KRB5KDC_ERR_BADOPTION.

Screenshot showing a 'No credentials error'.

Usually, these errors mean that the SPN hdb/hana2-s4-sso2.westus2.cloudapp.azure.com file could be found but isn't in the Services to which this account can present delegated credentials list on the Delegation pane in the gateway service account.

Resolution

To resolve the No credentials issue, follow the steps described in Configure Kerberos constrained delegation. When completed properly, the Delegation pane in the gateway service account reflects the HansaWorld Database (HDB) file and fully qualified domain name (FQDN) in the list of Services to which this account can present delegated credentials.

Validation

Following the preceding steps should resolve the issue. If you still experience Kerberos issues, you might have a misconfiguration in the Power BI gateway or in the HANA server itself.

Credentials errors

If you experience credentials errors, errors in the logs or traces expose errors that describe Credentials are invalid or similar errors. These errors might manifest differently on the data source side of the connection, such as SAP HANA. The following image shows an example error:

Screenshot showing an invalid credentials error.

Symptom 1

In HANA authentication traces, you might see entries similar to the following message:

[Authentication|manager.cpp:166] Kerberos: Using Service Principal 
Name [email protected]@CONTOSO.COM with name type: GSS_KRB5_NT_PRINCIPAL_NAME 
[Authentication|methodgssinitiator.cpp:367] Got principal name: 
[email protected]@CONTOSO.COM

Resolution

Follow the instructions described in Set user-mapping configuration parameters on the gateway machine, even if you've already configured the Microsoft Entra Connect service.

Validation

After you've completed the validation, you can successfully load the report in the Power BI service.

Symptom 2

In HANA authentication traces, you might see entries similar to the following entry:

Authentication ManagerAcceptor.cpp(00233) : Extending list of expected
external names by [email protected] (method: GSS) Authentication 
AuthenticationInfo.cpp(00168) : ENTER getAuthenticationInfo 
([email protected]) Authentication AuthenticationInfo.cpp(00237) : 
Found no user with expected external name!

Resolution

Check the Kerberos external ID under HANA User to determine whether the IDs match properly.

Validation

After you've resolved the issue, you can create or refresh reports in the Power BI service.

For more information about the on-premises data gateway and DirectQuery, see the following resources: