Summary
The issue manifests as a NullReferenceException in the authorization module when a non-admin user accesses the Power BI Report Server (PBIRS) API endpoint `powerbiserver/reports/api/v2.0/reports` (or specific CatalogItems). The result is an HTTP 500 Internal Server Error and an OData exception. The error disappears when the user is granted Full Admin rights to the server, which points to a failure in the non-admin authorization path or a missing permission mapping in the PBIRS security model for this API scope.
Root Cause
The root cause is a misconfiguration or bug in the authorization extension for the specific API route v2.0/CatalogItems, likely triggered by missing SharePoint Shared Services authentication context or incorrect Extended Protection settings.
- Specific Exception: `Microsoft.ReportingServices.Diagnostics.Utilities.AuthorizationExtensionException` wrapping a `System.NullReferenceException`.
- Trigger: The request is authenticated (a Windows identity is present) but fails authorization due to a missing or null object reference within the auth module logic when checking permissions for the specific user token.
- Configuration Conflict: `RSWindowsExtendedProtectionLevel` is set to `Off`, but `RSWindowsExtendedProtectionScenario` is set to `Proxy`. This mismatch often confuses the underlying SSRS/IIS security layer regarding how to handle the Windows authentication token passed through the request pipeline.
- Why Admin Works: The `System Administrators` role in PBIRS bypasses the granular permission check that is failing. The code path for administrators does not instantiate the object that is causing the NullReferenceException.
Why This Happens in Real Systems
In enterprise environments, Least Privilege Access is enforced. Users are typically assigned specific roles (e.g., Browser, Content Manager) rather than System Administrator. The PBIRS API (OData) relies heavily on the Windows Authentication provider to resolve user identities against the report server database and Active Directory.
- Token Mapping: The API must map the incoming Windows identity to a record in the `dbo.Users` table. If the user is not a system admin, the engine attempts to validate granular permissions (item-level access).
- Extended Protection: When `ExtendedProtection` is set to `Proxy` but the actual network path includes load balancers or proxies that strip or modify specific authentication headers (like `Negotiate` or `NTLM`), the server receives a token that it cannot validate correctly. The `NullReferenceException` occurs when the auth module tries to access properties of a failed token validation result object.
- Framework Dependency: Windows Server 2012 relies on specific .NET Framework patches for `System.Net` and WCF (Windows Communication Foundation) services. A mismatch between the latest PBIRS build (09.2025) and the underlying OS/IIS configuration can expose these unhandled null checks in the authorization wrapper.
Real-World Impact
- API Disruption: Third-party applications or custom scripts relying on the OData API for data extraction or management fail completely for service accounts.
- Security Risk: The immediate workaround (giving Admin rights) violates the Principle of Least Privilege, potentially exposing sensitive reports and server settings to non-admin users.
- Operational Latency: Automated workflows (e.g., nightly data refresh triggers via API) halt, causing downstream reporting delays.
- Debugging Difficulty: The logs show an HTTP 500 error with a generic NullReferenceException, making it difficult to pinpoint whether it is a network issue, a permission issue, or a bug in the PBIRS build.
Example or Code
The relevant configuration section in `rsreportserver.config` that causes the mismatch. Note the discrepancy between `RSWindowsExtendedProtectionLevel` and `RSWindowsExtendedProtectionScenario`.

```xml
<Authentication>
  <RSWindowsExtendedProtectionLevel>Off</RSWindowsExtendedProtectionLevel>
  <RSWindowsExtendedProtectionScenario>Proxy</RSWindowsExtendedProtectionScenario>
  <!-- element name assumed from the standard Authentication section layout -->
  <EnableAuthPersistence>true</EnableAuthPersistence>
</Authentication>
```
How Senior Engineers Fix It
The fix involves aligning the authentication configuration with the actual network topology and ensuring the underlying OS security protocols are compatible with the PBIRS build.
- Harmonize Extended Protection Settings:
  - Change `RSWindowsExtendedProtectionScenario` to match `RSWindowsExtendedProtectionLevel`. If the level is `Off`, set the scenario to `Proxy` only if a proxy is actually present and configured to handle Extended Protection. If no proxy is used (direct access), set both to `Off`.
  - Recommended: Set `<RSWindowsExtendedProtectionLevel>Allow</RSWindowsExtendedProtectionLevel>` and `<RSWindowsExtendedProtectionScenario>Proxy</RSWindowsExtendedProtectionScenario>` to allow negotiation without forcing strict enforcement that might fail due to null objects in the auth chain.
- Update Authentication Providers:
  - Ensure `RSWindowsKerberos` is enabled if the environment supports it, as NTLM is prone to token validation issues in newer PBIRS builds.
  - Explicitly define the `RSWindowsExtendedProtection` settings in `rsreportserver.config`.
- Database Permission Verification:
  - Verify that the non-admin user is explicitly present in the `dbo.Users` table. Sometimes API access requires an explicit entry even if the user is part of an AD group that has permissions.
  - Run the `GrantForNonAdmin.sql` script (standard SSRS support script) to ensure the `Content Manager` role has the necessary catalog access rights for the API namespace.
- Patch Management:
  - Verify that Windows Server 2012 R2 has all KB updates related to .NET Framework 4.8 and WinHTTP installed. The `NullReferenceException` often stems from unpatched OS-level Windows Auth components.
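As an added example (not part of the original article or of the product), the following PowerShell script audits the `Authentication` section of `rsreportserver.config` for the `Off`/`Proxy` mismatch described above, reports whether Kerberos/Negotiate is configured, and with `-Fix` applies the recommended `Allow`/`Proxy` pairing after backing up the file. The default config path is an assumption; pass your own with `-ConfigPath`.

```powershell
# Added example: audit rsreportserver.config for the Extended Protection mismatch.
# Save as Audit-RsAuthConfig.ps1 and run from an elevated prompt on the report server.
param(
    # Default path is an assumption; adjust to your installation.
    [string]$ConfigPath = 'C:\Program Files\Microsoft Power BI Report Server\PBIRS\ReportServer\rsreportserver.config',
    [switch]$Fix
)

function Get-RsExtendedProtectionState {
    param([xml]$Config)
    $auth  = $Config.Configuration.Authentication
    $types = @($auth.AuthenticationTypes.ChildNodes | ForEach-Object { $_.Name })
    $level    = [string]$auth.RSWindowsExtendedProtectionLevel
    $scenario = [string]$auth.RSWindowsExtendedProtectionScenario
    [pscustomobject]@{
        Level    = $level
        Scenario = $scenario
        # Negotiate or Kerberos present means the server is not limited to NTLM.
        Kerberos = ($types -contains 'RSWindowsKerberos') -or ($types -contains 'RSWindowsNegotiate')
        # The exact combination the article identifies as the trigger.
        Mismatch = ($level -eq 'Off') -and ($scenario -eq 'Proxy')
    }
}

$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true   # keep the file's formatting intact on save
$xml.Load($ConfigPath)
$state = Get-RsExtendedProtectionState -Config $xml

Write-Host ("Level={0} Scenario={1} Kerberos/Negotiate={2}" -f $state.Level, $state.Scenario, $state.Kerberos)
if ($state.Mismatch) {
    Write-Warning 'RSWindowsExtendedProtectionLevel=Off with RSWindowsExtendedProtectionScenario=Proxy: the mismatch described above.'
}
if (-not $state.Kerberos) {
    Write-Warning 'Only NTLM is configured; consider enabling RSWindowsNegotiate/RSWindowsKerberos.'
}

if ($Fix -and $state.Mismatch) {
    # Back up first; the report server service must be restarted for the change to take effect.
    Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak-$(Get-Date -Format yyyyMMddHHmmss)"
    $xml.Configuration.Authentication.RSWindowsExtendedProtectionLevel    = 'Allow'
    $xml.Configuration.Authentication.RSWindowsExtendedProtectionScenario = 'Proxy'
    $xml.Save($ConfigPath)
    Write-Host 'Applied Level=Allow, Scenario=Proxy. Restart the Power BI Report Server service.'
}
```

Run it once without `-Fix` to confirm the reported state matches what the logs suggest before changing anything on a production server.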
Why Juniors Miss It
- Over-reliance on Logs: Juniors see the `System.NullReferenceException` and immediately look for code bugs or database corruption, rather than analyzing the surrounding `Authentication` configuration tags.
- “Admin Works” Trap: They assume that because granting Admin rights fixes it, the issue is simply “insufficient permissions.” They stop investigating at the role level and fail to realize the error is a crash in the authorization module rather than a standard permission denial.
- Ignoring Network Context: They often overlook `ExtendedProtection` settings, viewing them as “advanced noise.” In reality, these settings dictate how Windows Authentication tokens are validated through proxies or load balancers.
- Misunderstanding OData vs. UI: They assume that if the Web Portal works, the API works. The API often uses different authorization pipelines (OData middleware) that are more sensitive to missing token contexts than the standard ASP.NET UI pages.