High severity | gateway
Power BI Refresh Error: FailedToImpersonateUserException
What does this error mean?
The on-premises gateway failed to impersonate the user during Kerberos SSO. The fix requires an SPN and constrained delegation in Active Directory.
Common causes
1. The Service Principal Name (SPN) for the gateway service account is missing or incorrectly configured
2. Constrained delegation is not set up in Active Directory for the gateway machine
3. The gateway service account does not have 'Act as part of the operating system' or impersonation rights
4. The UPN of the Power BI user does not map to a valid Active Directory account
5. The target data source SPN is not included in the constrained delegation list
How to fix it
1. Set up a Service Principal Name (SPN) for the on-premises gateway service account using setspn
2. Configure constrained delegation in Active Directory: grant the gateway computer account delegation to the target SPN
3. Ensure the gateway service runs as a domain account (not Local System) with impersonation rights
4. Map the Power BI user's UPN to an Active Directory account in the gateway data source settings if they differ
5. Review the gateway logs for the specific user ID and verify that account exists in AD
6. Test SSO by refreshing a dataset and checking the gateway logs for the impersonation attempt
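
The causes above map to a few Active Directory attributes that can be checked before retrying a refresh. The PowerShell below is an added example, not part of the original page or of Microsoft's tooling: `Test-GatewayDelegation` is a hypothetical helper, the account name `svc-pbigw`, the SPNs and the `contoso.example` domain are constructed placeholders, and it assumes classic constrained delegation (the `msDS-AllowedToDelegateTo` attribute) rather than resource-based delegation.

```powershell
# Added example: audit the account that holds the gateway's delegation settings.
# Assumes classic constrained delegation (msDS-AllowedToDelegateTo), not resource-based.
function Test-GatewayDelegation {
    param(
        [Parameter(Mandatory)] $Account,             # shaped like Get-ADUser / Get-ADComputer output
        [Parameter(Mandatory)] [string] $TargetSpn,  # SPN of the target data source
        [string] $ServiceLogon                       # logon account of the gateway Windows service
    )
    $findings = @()
    # Fix step 3: the service should run as a domain account, not a built-in identity.
    if ($ServiceLogon -match '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)') {
        $findings += "Gateway service runs as '$ServiceLogon', not a domain account"
    }
    # Cause 1: no SPN registered on the account.
    $spns = @($Account.ServicePrincipalName | Where-Object { $_ })
    if ($spns.Count -eq 0) { $findings += "No SPN registered on $($Account.SamAccountName)" }
    # Causes 2 and 5: delegation list is empty, or it omits the data source SPN.
    $allowed = @($Account.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
    if ($allowed.Count -eq 0) {
        $findings += 'Constrained delegation list is empty'
    } elseif ($allowed -notcontains $TargetSpn) {
        $findings += "Target SPN '$TargetSpn' is not in the delegation list"
    }
    return $findings
}

# Constructed sample (not real data): SPN present, but delegation points at another SQL host.
$sample = [pscustomobject]@{
    SamAccountName             = 'svc-pbigw'
    ServicePrincipalName       = @('gateway/GW01')
    'msDS-AllowedToDelegateTo' = @('MSSQLSvc/sql02.contoso.example:1433')
}
Test-GatewayDelegation -Account $sample `
    -TargetSpn 'MSSQLSvc/sql01.contoso.example:1433' -ServiceLogon 'CONTOSO\svc-pbigw'

# Against a live domain (requires the ActiveDirectory module); use Get-ADComputer
# instead if delegation is configured on the gateway computer account:
# $acct  = Get-ADUser svc-pbigw -Properties ServicePrincipalName, 'msDS-AllowedToDelegateTo'
# $logon = (Get-CimInstance Win32_Service -Filter "Name='PBIEgwService'").StartName
# Test-GatewayDelegation -Account $acct -TargetSpn '<target SPN>' -ServiceLogon $logon
```

An empty result means none of the checked causes apply; impersonation rights and UPN mapping still have to be verified separately.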