docs-mintlify/docs/integrations/power-bi/kerberos.mdx
Kerberos is the most common authentication method for Windows environments. It can be used to authenticate requests to DAX API.
<Note>Available on Enterprise plan.
</Note>On the diagram below, Kerberos is used to authenticate requests from Power BI Desktop (step 2):
Kerberos is the recommended method to authenticate Power BI Desktop requests.
It works as follows:
Configuring Kerberos authentication includes the following steps:
To perform the next steps, you need a Windows Server virtual machine:
aadds-vnet subnet.You should log in to this Windows Server machine using the account that has AAD DC Administrators group membership.
It is also recommended to create a custom organizational unit (OU) and a new user in this OU that will act as the service account.
On the screenshot below, the mdax-api-svc-account user is created in the
MyCustomOU OU in the CUBE domain:
A service principal name (SPN) is a unique identifier of a service instance. Kerberos authentication uses SPNs to associate a service instance with a service sign-in account.
First, obtain your Cube Cloud deployment’s domain by going to Settings → General and copying the value in the Custom domain section.
Then, use the setspn command to register the Service Principal Name
for the DAX API.
In the following example, the web service (HTTP) SPN on the
redundant-brohman.gcp-us-central1.cubecloudapp.dev domain is registered for the
mdax-api-svc-account user in the CUBE domain:
setspn -S HTTP/redundant-brohman.gcp-us-central1.cubecloudapp.dev CUBE\mdax-api-svc-account
The keytab file contains information needed to decrypt the Kerberos token.
First, use the ktpass command to generate the keytab file. You will be
prompted to enter the password for the specified user:
ktpass /out kerberos.keytab /princ HTTP/[email protected] /mapuser mdax-api-svc-account /crypto All /ptype KRB5_NT_PRINCIPAL /pass *
Then, convert the keytab to a Base64-encoded string. For example, the following PowerShell script will do the conversion and put the result in the clipboard:
$Path = "C:\kerberos.keytab"
[Convert]::ToBase64String([System.IO.File]::ReadAllBytes($Path)) | Set-Clipboard
Go to Settings → Environment Variables of your Cube Cloud deployment and set the following environment variables to facilitate the verification of Kerberos tickets:
| Environment variable | Value |
|---|---|
CUBE_XMLA_KRB5_KEYTAB_B64 | Base64-encoded keytab |
CUBE_XMLA_SPN | HTTP |
KRB5_KTNAME | /cube/conf/kerberos.keytab |
By default, CUBEJS_SQL_USER and CUBEJS_SQL_PASSWORD environment variables are used
to verify the passed credentials. You can also customize the authentication by using the
check_sql_auth configuration option.
Once the deployment is ready, you can test the Kerberos authentication by connecting from Power BI to the DAX API.
The user principal name passed by Kerberos is often not the email a user is provisioned
into Cube Cloud with. For example, Power BI sends a UPN like [email protected], while
the user exists in Cube as [email protected]. For authentication to succeed, the principal
name must resolve to a Cube user.
To bridge this, Cube Cloud's SCIM API exposes an extension that lets your identity provider sync an alternate username alongside each user. During username-based authentication Cube checks the user's email, username, and any aliases — so the Kerberos UPN resolves to the same user.
Map an IdP attribute to the following single-valued, string target attribute:
urn:cube:params:1.0:UserAliases:alternateUserName
The value is lowercased and trimmed on write, and lookups are lowercased too, so matching is
fully case-insensitive — the value just needs to be the same principal string Kerberos sends
(same realm and separator). It must be unique across the tenant: if it collides with another
user's email, username, or an existing alias, the sync is rejected with 409 Conflict.
These steps assume you already have a SCIM provisioning app connected to Cube Cloud. If not, enable SCIM first under Cube → Settings → Authentication & SSO.
urn:cube:params:1.0:UserAliases:alternateUserName, type String, not
multi-valued, not required. Save.onPremisesUserPrincipalName. To build the principal from
parts, use an Expression mapping, e.g. Join("@", [samAccountName], "INTERNAL.REALM").urn:cube:params:1.0:UserAliases:alternateUserNameGET /api/scim/v2/Users/:id to confirm the alias appears under the extension.Entra only syncs a user when their source data changes, so existing users won't receive the
alias until their next change — use Restart provisioning to force a full re-sync.
onPremisesUserPrincipalName is only populated for users synced from on-prem AD; cloud-only
users need a different source attribute or an expression with a fallback.
The Cube-side target attribute is always urn:cube:params:1.0:UserAliases:alternateUserName;
only the IdP-side mapping UI differs. In Okta, add a custom attribute on the SCIM app via the
Profile Editor, then bind your source attribute to it on the Mappings tab. The value Cube
receives is just a string — what you map to it is your decision.