Configure Kerberos

You can configure Tableau Server to use Kerberos. This allows you to provide a single sign-on (SSO) experience across all the applications in your organization. Before you configure Tableau Server for Kerberos make sure your environment meets the Kerberos Requirements.

Note: Kerberos constrained delegation for SSO to Tableau Server is not supported. (Constrained delegation for data sources is supported.) For more information, see Single-Sign On (SSO) in Kerberos Requirements.

To configure Kerberos, you must first enable Kerberos, and then specify a keytab file for user authentication. The keytab file you specify must be configured with the service provider name for the Tableau Server for user authentication. If you are using Kerberos authentication for data sources, those credentials should be included in the single keytab file that you will specify during Kerberos configuration on Tableau Sever.

  1. Open TSM in a browser:

    https://<tsm-computer-name>:8850. For more information, see Sign in to Tableau Services Manager Web UI.

  2. Click User Identity & Access on the Configuration tab and then click Authentication Method.

  3. Under Authentication Method, select Kerberos in the drop-down menu.

  4. Under Kerberos, select Enable Kerberos for single sign-on (SSO).

  5. To copy the keytab file to the server, click Select File, and then browse to the file on your computer.

    Configure Kerberos screenshot

  6. Click Save Pending Changes after you've entered your configuration information.

  7. Click Pending Changes at the top of the page:

  8. Click Apply Changes and Restart.

  1. Copy the keytab file to the computer running Tableau Server and run the following command to set permissions on the file:

    chmod 644 "/path/keytab_file"

    If you are running Tableau Server on in a distributed cluster deployment, then you will need to manually distribute the keytab file to each node and then set the permissions. Copy the keytab file to the same directory on each node in the cluster. After you have copied the keytab file to each node and set permissions on the file, then run the following TSM commands on one node. The configuration will propagate to each node.

  2. Type the following command to specify the location and name of the keytab file:

    tsm authentication kerberos configure --keytab-file <path-to-keytab_file>

  3. Type the following command to enable Kerberos:

    tsm authentication kerberos enable

  4. Run tsm pending-changes apply to apply changes.

    The pending-changes apply command displays a prompt to let you know this will restart Tableau Server if the server is running. The prompt displays even if the server is stopped, but in that case there is no restart. You can suppress the prompt using the --ignore-prompt option, but this does not change the restart behavior. For more information, see tsm pending-changes apply.

Confirm your SSO configuration

Once Tableau Server has restarted, test your Kerberos configuration from a web browser on a different computer by typing the Tableau Server name in the URL window:

You should be automatically authenticated to Tableau Server.

Thanks for your feedback! There was an error submitting your feedback. Try again or send us a message.