Tableau Client Support for Kerberos SSO

This article describes some requirements for and nuances with using Kerberos single sign-on (SSO) with Tableau Server, depending on the particular Tableau client and operating system. Tableau clients covered in this article include common web browsers, Tableau Desktop, and the Tableau Mobile app.

General browser client support

To use browser-based Kerberos Single Sign-on (SSO), the following must be true:

  • Kerberos must be enabled on Tableau Server.

  • The user must have a user name and password to sign in to Tableau Server.

    Note: If Kerberos SSO fails, users can fall back on their user name and passwords credentials.

  • The user must be authenticated to Active Directory through Kerberos on the client computer or mobile device. Specifically, this means that they have a Kerberos Ticket Granting Ticket (TGT).

Tableau Desktop and browser clients

On Windows or the Mac, you can use Kerberos SSO to sign in to Tableau Server from the following versions of Tableau Desktop or browser. Where noted, additional configuration is required.

Windows

  • Tableau Desktop 8.3 or later supported.

  • Internet Explorer - supported, may require configuration - see Note 1.

  • Chrome - supported, may require configuration -see Note 1.

  • Firefox - requires configuration - see Note 2.

  • Safari - not supported.

Mac OS X

  • Tableau Desktop 8.3 or newer
  • Safari - supported
  • Chrome - see Note 3
  • Firefox - see Note 2
  • Internet Explorer - not supported

Tableau Mobile app clients

On a Mac iOS or Andoid device, you can use the following Tableau Mobile or mobile browser versions to use Kerberos authentication to Tableau Server:

Mac iOS

  • Tableau App 8.3 or newer- see Note 4
  • Safari - see Note 4
  • Chrome - not supported

Android - see Note 5

  • Tableau App 8.3 or newer
  • Android Browser
  • Chrome

OS- and browser-specific notes

The following notes describe configuration requirements or issues with specific operating system and client combinations.

Note 1: Internet Explorer or Chrome on Windows desktop

Kerberos SSO is supported in both Internet Explorer and Chrome, but it requires configuration in Windows Internet Options:

  1. Enable Integrated Windows Authentication.

  2. Verify that Tableau Server URL is in the local intranet zone.

    Internet Explorer can sometimes detect intranet zones and configure this setting. If it has not detected and configured the Tableau Server URL, you must manually add the URL to the local intranet zone.

To enable Integrated Windows Authentication:

  1. In Windows Control Panel, open Internet Options.

  2. On the Advanced tab scroll down to the Security section.

  3. Select Enable Integrated Windows Authentication.

  4. Click Apply.

To verify or add the Tableau Server URL to the local intranet zone:

  1. In Windows Control Panel, open Internet Options.

  2. On the Security tab, select Local intranet, and then click Sites.

  3. On the Local intranet dialog box, click Advanced.

    In the Websites field, look for the internal Tableau Server URL.

    In some organizations, IT administrators will use a wildcard (*) to specify internal URLs. For example, the following URL includes all servers in the internal example.lan namespace in the local intranet zone:

    https://*.example.lan

    The following image shows a specific URL of https://tableau.example.lan.

  4. If the Tableau Server URL or a wildcard URL is not specified in the Websites field, enter the Tableau Server URL in the Add the website to the zone field, click Add, and then click OK.

    If the Tableau Server URL is already listed in Websites, you can simply close the dialog.

Note 2: Firefox on Windows or Mac OS X desktop

You can use Firefox with Kerberos SSO on either Windows or Mac to sign in to Tableau Server. To do this, you must complete the following steps to configure Firefox to support Kerberos:

  1. In Firefox, enter about:config in the address bar.

  2. Click I'll be careful, I promise when warned about changing advanced settings.

  3. Enter negotiate in the Search box.

  4. Double-click network.negotiate-auth.allow-non-fqdn, and then set the value to true.

  5. Double-click network.negotiate-auth.trusted-uris and enter the Tableau Server fully qualified domain name (FQDN). For example, tableau.example.com.

Note 3: Chrome on Mac OS X desktop

According to Chrome documentation, Kerberos SSO works on a Mac when you launch Chrome from a terminal window with the following command:

open -a "Google Chrome.app" --args --auth-server-whitelist="tableauserver.example.com"

where tableauserver.example.com is the URL for Tableau Server in your environment.

However, we have found inconsistent results in our testing. Therefore, if you want to use Kerberos SSO on a Mac, we recommend that you use Safari or Firefox. For more information, see the Integrated Authentication section at HTTP authentication on The Chromium Projects site.

Note: Users can still use Chrome on Mac OS X to sign in to Tableau Server, but they might be prompted to enter their user name and password (single sign-on may not work).

Note 4: Mobile Safari or Tableau Mobile on Mac iOS

Kerberos SSO is supported if iOS is configured for Kerberos. The iOS device must have a Kerberos authentication configuration profile installed. This is usually done by an enterprise IT group. Tableau Support cannot assist with configuring iOS devices for Kerberos.

Note 5: Android platform

Kerberos SSO is not supported on the Android operating system because there is no platform-level support for Kerberos. You can still use your Android device and the Tableau Mobile app or a supported mobile browser to connect to and sign in to Tableau Server.

Thanks for your feedback! There was an error submitting your feedback. Try again or send us a message.