What causes FailedToImpersonateUserException?

The Service Principal Name (SPN) for the gateway service account is missing or incorrectly configured. Constrained delegation is not set up in Active Directory for the gateway machine. The gateway service account does not have 'Act as part of the operating system' or impersonation rights. The UPN of the Power BI user does not map to a valid Active Directory account. The target data source SPN is not included in the constrained delegation list

How do I fix FailedToImpersonateUserException?

Set up a Service Principal Name (SPN) for the on-premises gateway service account using setspn.. Configure constrained delegation in Active Directory: grant the gateway computer account delegation to the target SPN.. Map the Power BI user's UPN to an Active Directory account in the gateway data source settings if they differ.

High severitygateway

Power BI Refresh Error:
FailedToImpersonateUserException

What does this error mean?

The on-premises gateway failed to impersonate the user during Kerberos SSO. Fix requires an SPN and constrained delegation in Active Directory.

Common causes

1The Service Principal Name (SPN) for the gateway service account is missing or incorrectly configured
2Constrained delegation is not set up in Active Directory for the gateway machine
3The gateway service account does not have 'Act as part of the operating system' or impersonation rights
4The UPN of the Power BI user does not map to a valid Active Directory account
5The target data source SPN is not included in the constrained delegation list

How to fix it

1Set up a Service Principal Name (SPN) for the on-premises gateway service account using setspn.
2Configure constrained delegation in Active Directory: grant the gateway computer account delegation to the target SPN.
3Map the Power BI user's UPN to an Active Directory account in the gateway data source settings if they differ.

Beyond the docs

Common practitioner solutions not covered in the official documentation.

1Ensure the gateway service runs as a domain account (not Local System) with impersonation rights
2Review the gateway logs for the specific user ID and verify that account exists in AD
3Test SSO by refreshing a dataset and checking the gateway logs for the impersonation attempt

Frequently asked questions

Does this error affect all datasets using the same gateway?

Yes — all datasets routed through the affected gateway will fail simultaneously. Resolving the gateway configuration or credential issue restores all of them at once.

Does this error appear in Power BI Desktop?

No — Power BI Desktop connects directly to data sources. Gateway errors only occur when Power BI Service initiates a scheduled or manual refresh.

Can this error resolve itself without intervention?

No — gateway errors require manual action: re-entering credentials, restarting the gateway service, or correcting the network path between the gateway and the data source.

How long does it typically take to fix?

A simple credential refresh takes 5–10 minutes. Network or firewall issues can take 30–120 minutes depending on your infrastructure access.

Source · learn.microsoft.com/en-us/power-bi/connect-data/service-gateway-onprem-tshoot