ContextQMD
Back to Cube

NTLM authentication

docs/content/product/auth/methods/ntlm.mdx

1.6.434.4 KB
Original Source

NTLM authentication

NTLM is an authentication method developed by Microsoft that can be used to authenticate requests to DAX API.

<InfoBox>

Available on Enterprise and above plans. Also requires the M deployment tier.

</InfoBox>

On the diagram below, NTLM is used to authenticate requests from Power BI Service that come through the on-premises data gateway (step 6):

Authentication flow

The NTLM authentication can be used with Power BI Desktop or with Power BI Service and the on-premises data gateway.

Power BI Desktop

Initiated by Power BI Desktop, NTLM authentication works as follows:

  • Power BI Desktop is launched under a specific user account via the runas command.
  • Power BI Desktop performs an NTLM challenge-response authentication and passes the credentials of that account to the Cube Cloud deployment.
  • The Cube Cloud deployment verifies the credentials.

In the following example, Power BI Desktop is launched under the cube user:

bash
# Run Power BI Desktop as the `cube` user
runas /netonly /user:cube "C:\Program Files\Microsoft Power BI Desktop\bin\PBIDesktop.exe"

# Run a specific report in Power BI Desktop as the `cube` user 
runas /netonly /user:cube "C:\Program Files\Microsoft Power BI Desktop\bin\PBIDesktop.exe \"C:\Users\Administrator\Desktop\Dashboard.pbix\""

This flow should only be used for testing purposes. Note that, when Power BI Desktop is started as a user different from the currently logged-in Windows account, it may encounter permission issues, e.g., when saving files on network drives.

In a production environment, Power BI Desktop should be used with Kerberos authentication.

Power BI Service

Initiated by Power BI Service, NTLM authentication works as follows:

  • The gateway is configured with a master user account.
  • When users interact with a Power BI report in Power BI Service, their user principal name (UPN) is passed to the gateway.
  • The gateway performs an NTLM challenge-response authentication and passes the the credentials of the master user account to the Cube Cloud deployment. It also passes the UPN of the interacting user.
  • The Cube Cloud deployment verifies the credentials and changes the user name to the UPN of the interacting user.

This is the recommended way to authenticate Power BI Service requests.

Configuration

Using NTLM authentication requires configuring the deployment to verify the credentials.

To use NTLM authentication with Power BI Service, you also need to install the on-premises data gateway first.

Installing the gateway

You need to have the on-premises data gateway installed on a Windows Server machine.

It should be configured to authenticate with a master user account. It can be a local user on the machine or a domain user.

The Windows machine running the gateway should be joined to the corporate Active Directory or Entra ID where your business users have their accounts. The service account running the gateway needs minimal permissions but must exist in that same directory.

Verifying the credentials

By default, <EnvVar>CUBEJS_SQL_USER</EnvVar> and <EnvVar>CUBEJS_SQL_PASSWORD</EnvVar> environment variables are used to verify the passed credentials. You can also customize the authentication by using the check_sql_auth configuration option.

Also, the <EnvVar>CUBEJS_SQL_SUPER_USER</EnvVar> environment variable or the can_switch_sql_user configuration option can be used to ensure that the user name can be changed to the UPN of the interacting user only if proper credentials of the master user account were passed.