Configure Kerberos
You can configure Tableau Server to use Kerberos. This allows you to provide a single sign-on (SSO) experience across all the applications in your organization. Before you configure Tableau Server for Kerberos make sure your environment meets the Kerberos Requirements.
Note: Kerberos constrained delegation for SSO to Tableau Server is not supported. (Constrained delegation for data sources is supported.) For more information, see Single-Sign On (SSO) in Kerberos Requirements.
To configure Kerberos, you must first enable Kerberos, and then specify a keytab file for user authentication. The keytab file you specify must be configured with the service provider name for the Tableau Server for user authentication. If you are using Kerberos authentication for data sources, those credentials should be included in the single keytab file that you will specify during Kerberos configuration on Tableau Server.
As part of your disaster recovery plan, we recommend keeping a backup of the keytab file in a safe location off of the Tableau Server. The keytab file that you add to Tableau Server will be stored and distributed to other nodes by the Client File Service. However, the file is not stored in a recoverable format. See Tableau Server Client File Service.
-
Open TSM in a browser:
https://<tsm-computer-name>:8850. For more information, see Sign in to Tableau Services Manager Web UI.
-
Click User Identity & Access on the Configuration tab and then click Authentication Method.
-
Under Authentication Method, select Kerberos in the drop-down menu.
-
Under Kerberos, select Enable Kerberos for single sign-on (SSO).
-
To copy the keytab file to the server, click Select File, and then browse to the file on your computer.
-
Click Save Pending Changes after you've entered your configuration information.
-
Click Pending Changes at the top of the page:
-
Click Apply Changes and Restart.
-
Copy the keytab file to the computer running Tableau Server and run the following command to set permissions on the file:
chmod 644 "/path/keytab_file"
If you are running Tableau Server on in a distributed cluster deployment, then you will need to manually distribute the keytab file to each node and then set the permissions. Copy the keytab file to the same directory on each node in the cluster. After you have copied the keytab file to each node and set permissions on the file, then run the following TSM commands on one node. The configuration will propagate to each node.
-
Type the following command to specify the location and name of the keytab file:
tsm authentication kerberos configure --keytab-file <path-to-keytab_file>
-
Type the following command to enable Kerberos:
tsm authentication kerberos enable
-
Run
tsm pending-changes apply
to apply changes.If the pending changes require a server restart, the
pending-changes apply
command will display a prompt to let you know a restart will occur. This prompt displays even if the server is stopped, but in that case there is no restart. You can suppress the prompt using the--ignore-prompt
option, but this does not change the restart behavior. If the changes do not require a restart, the changes are applied without a prompt. For more information, see tsm pending-changes apply.
Confirm your SSO configuration
Once Tableau Server has restarted, test your Kerberos configuration from a web browser on a different computer by typing the Tableau Server name in the URL window:
You should be automatically authenticated to Tableau Server.