Introduction

Recently I experienced some strange behavior on Power BI Report Server. My customer reported some failure when authenticating on shared data source using Kerberos delegation. On the test environment everything was working as expected and the delegation was working fine. Where as on the development server the delegation was not working at all. We had as well a comparable behavior on the production environment, but only sporadically. The same data source worked fine for one user and suddenly no more for another one, or for the same user one data source connection was accessible but another one was failing with the well known error:

Investigation

It was clear that it was a Kerberos delegation issue at first glance, therefore the first things you look at are the settings of your service account:
– Is “Trust for delegation” set
– If you use constraint delegation, check if you address the right services

After that, we double checked that the SPN’s were still correct. Everything was fine and set as it must be.

The next step was to check the configuration of the Power BI Report Server. So opening the Power BI Report Server Configuration Manager, I went through all the configuration settings here again everything seemed to be correct.

Having some experiences working with Reporting Services and now with Power BI Report Server, I knew that playing and changing with the URL settings of the Web Server and the Web portal might corrupt the rsreportserver.config file, especially if you use https configuration. If you don’t understand what I’m talking about, you will sooner or later, if you have to install and configure this application often.
Bingo, it was the first issue. There was still entries in the xml nodes that were no more valid.

In that case my way to go is to return to the Power BI Report Server Configfuration Manager et reset the URL configurations to a default ones, deleting the ones existing in the web service and the web portal and apply the changes. After that make sure that in rsreportserver.config your tag is limited to the following example. If not, stop first your Power BI Report Server service, make first a backup of your file, than clean it and save it.

 

<URLReservations>
	<Application>
		<Name>ReportServerWebService</Name>
		<VirtualDirectory>ReportServer</VirtualDirectory>
		<URLs>
			<URL>
				<UrlString>http://+:80</UrlString>
				<AccountSid>S-1-5-80-1730998386-2757299892-37364343-1607169425-3512908663</AccountSid>
				<AccountName>NT SERVICE\PowerBIReportServer</AccountName>
			</URL>
		</URLs>
	</Application>
	<Application>
		<Name>ReportServerWebApp</Name>
		<VirtualDirectory>Reports</VirtualDirectory>
		<URLs>
			<URL>
				<UrlString>http://+:80</UrlString>
				<AccountSid>S-1-5-80-1730998386-2757299892-37364343-1607169425-3512908663</AccountSid>
				<AccountName>NT SERVICE\PowerBIReportServer</AccountName>
			</URL>
		</URLs>
	</Application>
</URLReservations>

 

Make sure as well that at the end of the file you do not have a tag . If you have one, delete the whole tag from to the end of and save you file again.

…of course restart your Power BI Report Server service after that

Now that my configuration file was clean, I tried again to set up again my HTTPS configuration for my web service and web portal the configuration manager tool. When you do it, please look carefully at the scrolling messages at the bottom of the configuration manager to see if it the settings apply successfully. For me it was full of green lights and the end message as well.

But, do not miss to read carefully the warnings. Right at the beginning one message was warning that the URL could not be reserved, but the following one said the URL has been removed and the next one that it was reserved successfully. So why to worry!!?? Just because my issue with Kerberos was still not solved.

URL Reservation list

Therefore I decided to follow this strange warning and search information about reserved URL.
I found out the following command to execute to see what were the URL’s reserved on my server and discover all that were reserved by the user NT SERVICE\PowerBIReportServer.

netsh http show urlacl

Then again I reset my URL configurations and clean my rsreportserver.config file once more

Removing URL Reservation

This time I left my Power BI Report Server service stopped and removed manually all the reserved URL linked to the user NT SERVICE\PowerBIReportServer. You should find always 4 URL’s, one for the Web service with the folder you used (in mase case …/ReportServer), one for the Web Portal with the folder you defined (in…/Reports), another folder named /PowerBI and the last one /wopi.

netsh http delete urlacl https://yourserver.yourdomain.com:443/ReportServer/
netsh http delete urlacl https://yourserver.yourdomain.com:443/Reports/
netsh http delete urlacl https://yourserver.yourdomain.com:443/PowerBI/
netsh http delete urlacl https://yourserver.yourdomain.com:443/wopi/

You can remove all the URL leaving on the leave only the one
With +80 and +8083 in the URL.

Then start your configuration manager again et make the URL configuration looking at the scrolling messages at the bottom. Normally no warnings will be displayed anymore.

… and finally

Well, when I was finished, I tested again my data sources connections and by magic all worked perfectly and the delegation was successfully done.
I hope this post will help you and save you time, it took me some hours to figure out that the URL reservation was causing delegation issues.