With the end of the IE support for Power Bi (and in general tbh), companies are scrambling finally to move their users from the legacy browser to modern ones; it was about time if you ask me.
However, there’s an edge case where using anything but IE is not as straightforward as it could be; in my case Power Bi RS worked fine for any report in any browser, except with direct query reports that were set up to authenticate via Windows Authentication as the user viewing the report:
In this case the browser should pass the authentication information back to the Report Server, which itself should use it to connect to my data source (SQL Server in this case) and query the DB as the report user. To configure this you have to follow a super boring procedure involving SPNs, but even after configuring it properly it worked only for IE, while for any other browser you would see this error:
Having verified that Kerberos authentication itself works, as it works with Internet Explorer, the culprit seems to be the browser itself.
IE works because in the “Internet Options” settings in windows you can specify to allow for automatic Auth delegation for intranet sites (where your on prem PowerBi should be), while this setting doesn’t apply for chromium-based browsers like Edge and Chrome which have a life and policies of their own.
While trying to figure out how to enable the same policy that allows IE to do this double-hop authorization in Edge too, i stumbled upon the about:policy page in Edge/chrome
By sliding through all the policies, by showing those without a value too, there’s just one interesting one: AuthNegotiateDelegateAllowlist
The above policy is exactly what we needed, a way to specify a list of servers that Microsoft Edge can delegate user credentials to, bingo; “If you don’t configure this policy Microsoft Edge won’t delegate user credentials even if a server is detected as Intranet.” , yep, I figured that out myself before reaching this, thanks doc.
In order to enable and test the policy right away on your, a registry key must be created:
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge] "AuthNegotiateDelegateAllowlist"="servername"
In order to push this policy to all of your company clients a group policy can be created, send the to the document above to your beloved sysadmin