Error connecting from Power Bi to Atscale via "SQL Server Analysis Services"

[alex4vk]

Unable to set up Power Bi connection to Atscale via "SQL Server Analysis Services".

When connecting using Windows authorization, an error occurs:

Connecting via Excel using the "From Analysis Services" connector - works, but only through basic authorization. When you select "Use Windows Authentication" does not connect.

Atscale has domain authorization configured.

In "Directory" -> "Test Configuration" domain users and their groups are available.

Authorization under a domain user and password in Atscale - works. Domain users have all the roles "Runtime Query User", "Organization Admin", "Design Center User" added.

What other settings might be required?

Atscale version 2021.3.0.3934 PowerBi Version 2.102.845.0

[alex4vk]

Addition to the description of the problem.

Only one user (admin) has been added to Atscale itself. At the same time, authorization of any domain users passes without errors.

Connecting the "From Analysis Services" data source in Excel also runs without errors (with a domain account "user"):

When connected via PowerBi, "Analysis Services" data source, next behavior:

If you intentionally enter a non-existent account, an error occurs that the authorization failed. The same error occurs if you enter an account in the "user" format (without a domain):

When entering an account in the format "teccod.ru\user", the error indicated in the first comment appears:

[alex4vk]

The Atscale log shows the following entries before the "Microsoft.Analysisservices.AdomdClient.NamespacesMgr" error occurs.

If you select the option "Use my current credentials":

Error in log: (located in /opt/atscale/log/engine/debug.log)

2022-08-08 09:21:37,248 DEBUG [http-system-akka.actor.default-dispatcher-6] {} com.atscale.engine.http.EngineHttpAuthenticator - Would check HTTP credentials but none were provided
2022-08-08 09:21:37,258 DEBUG [atscale-akka.actor.ntlm-ldap-dispatcher-229422] {} com.atscale.engine.security.ActiveDirectoryActor - NTLM Type1 Connect & Bind completed after 2,11 ms
2022-08-08 09:21:37,266 DEBUG [atscale-akka.actor.ntlm-ldap-dispatcher-229423] {} com.atscale.engine.security.ActiveDirectoryActor - NTLM Type3 Bind failed after 1,51 ms
2022-08-08 09:21:37,266 WARN  [atscale-akka.actor.ntlm-ldap-dispatcher-229423] {} com.atscale.engine.security.ActiveDirectoryActor - Error while trying to authorize NTLM against LDAP: 8009030C: LdapErr: DSID-0C090585, comment: AcceptSecurityContext error, data 52e, v4f7c
com.unboundid.ldap.sdk.LDAPBindException: 8009030C: LdapErr: DSID-0C090585, comment: AcceptSecurityContext error, data 52e, v4f7c
        at com.unboundid.ldap.sdk.LDAPConnection.bind(LDAPConnection.java:2401)
        at com.atscale.engine.security.ActiveDirectoryActor.$anonfun$authorizeNtlmLdapChallengeResponse$2(ActiveDirectoryManager.scala:441)
        at org.gerweck.scala.util.timed$.apply(timed.scala:18)
        at com.atscale.engine.security.ActiveDirectoryActor.$anonfun$authorizeNtlmLdapChallengeResponse$1(ActiveDirectoryManager.scala:441)
        at scala.concurrent.impl.Promise$Transformation.run(Promise.scala:467)
        at akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:63)
        at akka.dispatch.BatchingExecutor$BlockableBatch.$anonfun$run$1(BatchingExecutor.scala:100)
        at scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.scala:18)
        at scala.concurrent.BlockContext$.withBlockContext(BlockContext.scala:94)
        at akka.dispatch.BatchingExecutor$BlockableBatch.run(BatchingExecutor.scala:100)
        at akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:49)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
        at java.base/java.lang.Thread.run(Thread.java:829)
2022-08-08 09:21:37,273 DEBUG [http-system-akka.actor.default-dispatcher-13] {} com.atscale.engine.http.EngineHttpAuthenticator - Would check HTTP credentials but none were provided

If you select the "Use alternate credentials" option and enter an account with a domain name:

Error in log: (located in /opt/atscale/log/engine/debug.log)

2022-08-08 09:23:23,318 DEBUG [http-system-akka.actor.default-dispatcher-7] {} com.atscale.engine.http.EngineHttpAuthenticator - Would check HTTP credentials but none were provided

If you enter an account without a domain (e.g. "user"), there are no connection entries in the log.

[carmenlogue73]

I talked to AtScale support today about this today -- and since you found that Excel does not work with Windows Authentication, this points to something not get passed through or some misconfiguration of LDAP configuration or settings. Can you confirm that Windows Authorization is enabled on the AD server? We are working on this with a customer so will update here as we learn more.

[psteiwer]

Did you configure AtScale to use Windows Authentication?

Enabling Windows authentication

Log in to AtScale.
Go to Settings > Engine.
Locate the auth.ntlm.enabled setting and enable it.

[alex4vk]

Thanks for the comments!

@carmenlogue73 Windows authorization on the AD server must be enabled. How can we check its work? We are using Windows Server 2022 Standard. Authorization via LDAP in Atscale works. Authorization from another workstation in the domain passes without errors. Below is an example of NTLM settings in group policies:

@psteiwer Yes, it's not mentioned in the description above, but the setting "auth.ntlm.enabled" was enabled. Atscale Engine has been restarted after being powered on. But the connection error still remains.