Local Authentication

If the server is configured to use local identity store, then Tableau Server authenticates users. When users sign-in and enter their credentials, either through Tableau Desktop, tabcmd, API or web client, Tableau Server verifies the credentials. Tableau user names stored in the identity store are associated with rights and permissions for Tableau Server. After authentication is verified, Tableau Server manages user access (authorisation) for Tableau resources.

To use local authentication, you must configure Tableau Server with a local identity store during Setup. You cannot use local authentication if your Tableau Server has been configured with an external identity store (LDAP, Active Directory, etc).

Note: Identity pools, which is a tool designed to complement and support additional user provisioning and authentication options you might need in your organisation, supports OpenID Connect (OIDC) authentication only. For more information, see Provision and Authenticate Users Using Identity Pools.

Password storage

When local authentication is used, the user’s salted and hashed password is stored in the repository. Passwords are never stored directly, rather, the result of salting and hashing the password is stored. Server uses the PBKDF2 derivation function with the HMAC SHA512 hashing function.

Configure password settings

After you install Tableau Server with local authentication, you can use Tableau Server Manager (TSM) to configure a number of password-related settings:

  • Password policies: these policies define the requirement for password structure, such as length, character types and other requirements.

  • Password expiration: enable and specify password expiry.

  • Login rate limit: Tableau Server throttles the time between sign-in attempts after users enter 5 incorrect passwords. Users will need to wait a few seconds before attempting another sign-in. If users continue to enter incorrect passwords, then they must wait for exponentially longer periods of time in between sign-in attempts. By default, the maximum time between sign-in attempts is 60 minutes.

    Lock out account access after too many failed attempts. You can specify how many failed attempts users are allowed to enter before they are locked out. For information on how to unlock access to a locked account, see View and manage users on a site.

  • User password reset: Enable users to reset passwords. Enabling password reset will configure Tableau Server to display a link on the sign-in page. Users who forget passwords or want to reset a password can click the link to initiate a reset-password workflow. Password reset must be configured using TSM CLI, as described below.

  1. Open TSM in a browser:

    https://<tsm-computer-name>:8850. For more information, see Sign in to Tableau Services Manager Web UI.

  2. Click on User Identity & Access on the Configuration tab and then click Authentication Method.

  3. Select Local authentication from the drop-down menu to display the password settings.

  4. Configure the password settings and then click Save Pending Changes.

  5. Click Pending Changes at the top of the page:

  6. Click Apply Changes and Restart.

For the initial configuration of password policies, we recommend that you use the configuration file template below to create a json file. You can also set any single configuration key listed below with the syntax described in tsm configuration set.

  1. Copy the following json template to a file. Fill in the key values with your password policy configuration. See the reference section that follows for more information about key options.

    "configKeys": {
     "wgserver.localauth.policies.mustcontainletters.enabled": false,
      "wgserver.localauth.policies.mustcontainuppercase.enabled": false,
      "wgserver.localauth.policies.mustcontainnumbers.enabled": false,
      "wgserver.localauth.policies.mustcontainsymbols.enabled": false,
      "wgserver.localauth.policies.minimumpasswordlength.enabled": false,
      "wgserver.localauth.policies.minimumpasswordlength.value": 8,
      "wgserver.localauth.policies.maximumpasswordlength.enabled": false,
      "wgserver.localauth.policies.maximumpasswordlength.value": 255,
      "wgserver.localauth.passwordexpiration.enabled": false,
      "wgserver.localauth.passwordexpiration.days": 90,
      "wgserver.localauth.ratelimiting.maxbackoff.minutes": 60,
      "wgserver.localauth.ratelimiting.maxattempts.enabled": false,
      "wgserver.localauth.ratelimiting.maxattempts.value": 5,
      "features.PasswordReset": false
  2. Run the tsm settings import -f file.json to pass the json file with the appropriate values to Tableau Services Manager to configure Tableau Server.

  3. Run the tsm pending-changes apply command to apply the changes. See tsm pending-changes apply.

Configuration file reference

This section lists all of the options that can be used to configure password polices.


Default value: false

Require at least one letter in passwords.


Default value: false

Require at least one upper-case letter in passwords.


Default value: false

Require at least one number letter in passwords.


Default value: false

Require at least one special character in passwords.


Default value: false

Enforce minimum-length passwords.


Default value: 8

The minimum number of characters passwords must have. Enter a value between 4 and 255, inclusive. You must set wgserver.localauth.policies.minimumpasswordlength.enabled to true to enforce this value.


Default value: false

Enforce maximum-length passwords.


Default value: 255

The maximum number of characters passwords may have. Enter a value between 8 and 225, inclusive. You must set wgserver.localauth.policies.maximumpasswordlength.enabled to true to enforce this value.


Default value: false

Enforce password expiry.


Default value: 90

The number of days before a password expires. Enter a value between 1 and 365, inclusive. You must set wgserver.localauth.passwordexpiration.enabled to true to enforce this value.


Default value: 60

Maximum time between sign-in attempts after a user enters multiple incorrect passwords. Enter a value between 5 and 1440, inclusive.


Default value: false

Enforce account lock out after 5 incorrect passwords are entered. To change the number of incorrect passwords that will trigger account lock out, you set wgserver.localauth.ratelimiting.maxattempts.value.


Default value: 5

The number of incorrect passwords that a user may enter to trigger account lock out. Enter a value between 5 and 100, inclusive. You must set wgserver.localauth.ratelimiting.maxattempts.enabled to true to enforce this value.


Default value: false

Enable users to reset passwords. Tableau Server must be configured to send email for this feature to operate. See Configure SMTP Setup.

Thanks for your feedback!Your feedback has been successfully submitted. Thank you!