Tableau Client Support for Kerberos SSO
This article describes some requirements for and nuances with using Kerberos single sign-on (SSO) with Tableau Server, depending on the particular Tableau client and operating system. Tableau clients covered in this article include common web browsers, Tableau Desktop, and the Tableau Mobile app.
General browser client support
To use browser-based Kerberos Single Sign-on (SSO), the following must be true:
Kerberos must be enabled on Tableau Server.
The user must have a user name and password to sign in to Tableau Server.
Note: If Kerberos SSO fails, users can fall back on their user name and passwords credentials.
The user must be authenticated to Active Directory through Kerberos on the client computer or mobile device. Specifically, this means that they have a Kerberos Ticket Granting Ticket (TGT).
Tableau Desktop and browser clients
On Windows or the Mac, you can use Kerberos SSO to sign in to Tableau Server from the following versions of Tableau Desktop or browser. Where noted, additional configuration is required.
Tableau Desktop 8.3 or later supported.
Internet Explorer - supported, may require configuration - see Note 1.
Chrome - supported, may require configuration -see Note 1.
Firefox - requires configuration - see Note 2.
Safari - not supported.
Mac OS X
- Tableau Desktop 8.3 or newer
- Safari - supported
- Chrome - see Note 3
- Firefox - see Note 2
- Internet Explorer - not supported
Tableau Mobile app clients
On a Mac iOS or Andoid device, you can use the following Tableau Mobile or mobile browser versions to use Kerberos authentication to Tableau Server:
Android - see Note 5
- Tableau App 8.3 or newer
- Android Browser
OS- and browser-specific notes
The following notes describe configuration requirements or issues with specific operating system and client combinations.
Kerberos SSO is supported in both Internet Explorer and Chrome, but it requires configuration in Windows Internet Options:
Enable Integrated Windows Authentication.
Verify that Tableau Server URL is in the local intranet zone.
Internet Explorer can sometimes detect intranet zones and configure this setting. If it has not detected and configured the Tableau Server URL, you must manually add the URL to the local intranet zone.
To enable Integrated Windows Authentication:
In Windows Control Panel, open Internet Options.
On the Advanced tab scroll down to the Security section.
Select Enable Integrated Windows Authentication.
To verify or add the Tableau Server URL to the local intranet zone:
In Windows Control Panel, open Internet Options.
On the Security tab, select Local intranet, and then click Sites.
On the Local intranet dialog box, click Advanced.
In the Websites field, look for the internal Tableau Server URL.
In some organizations, IT administrators will use a wildcard (*) to specify internal URLs. For example, the following URL includes all servers in the internal
example.lannamespace in the local intranet zone:
The following image shows a specific URL of
If the Tableau Server URL or a wildcard URL is not specified in the Websites field, enter the Tableau Server URL in the Add the website to the zone field, click Add, and then click OK.
If the Tableau Server URL is already listed in Websites, you can simply close the dialog.
You can use Firefox with Kerberos SSO on either Windows or Mac to sign in to Tableau Server. To do this, you must complete the following steps to configure Firefox to support Kerberos:
In Firefox, enter
about:configin the address bar.
Click I'll be careful, I promise when warned about changing advanced settings.
negotiatein the Search box.
Double-click network.negotiate-auth.allow-non-fqdn, and then set the value to true.
- Double-click network.negotiate-auth.trusted-uris and enter the Tableau Server fully qualified domain name (FQDN). For example,
According to Chrome documentation, Kerberos SSO works on a Mac when you launch Chrome from a terminal window with the following command:
open -a "Google Chrome.app" --args --auth-server-whitelist="tableauserver.example.com"
tableauserver.example.com is the URL for Tableau Server in your environment.
However, we have found inconsistent results in our testing. Therefore, if you want to use Kerberos SSO on a Mac, we recommend that you use Safari or Firefox. For more information, see the Integrated Authentication section at HTTP authentication on The Chromium Projects site.
Note: Users can still use Chrome on Mac OS X to sign in to Tableau Server, but they might be prompted to enter their user name and password (single sign-on may not work).
Kerberos SSO is supported if iOS is configured for Kerberos. The iOS device must have a Kerberos authentication configuration profile installed. This is usually done by an enterprise IT group. Tableau Support cannot assist with configuring iOS devices for Kerberos.
Kerberos SSO is not supported on the Android operating system because there is no platform-level support for Kerberos. You can still use your Android device and the Tableau Mobile app or a supported mobile browser to connect to and sign in to Tableau Server.