Enable Kerberos Delegation

Kerberos delegation enables Tableau Server to use the Kerberos credentials of the viewer of a workbook or view to execute a query on behalf of the viewer. This is useful in the following situations:

  • You need to know who is accessing the data (the viewer's name will appear in the access logs for the data source).

  • Your data source has row-level security, where different users have access to different rows.

Supported data sources

Tableau supports Kerberos delegation with the following data sources:

  • Cloudera: Hive/Impala
  • Denodo
  • Hortonworks
  • Oracle
  • PostgreSQL
  • Spark
  • SQL Server
  • Teradata
  • Vertica

MSAS is not supported on Linux platforms.

Requirements

Kerberos delegation requires Active Directory.

  • The Tableau Server identity store must be configured to use Active Directory.
  • The computer where Tableau Server is installed must be joined to the Active Directory domain.
  • MIT Kerberos KDC is not supported.

Web authoring and user Kerberos authentication

When configuring Connect to Data for a given target, you may select Integrated or Windows authentication as the preferred authentication method. However, for web authoring scenarios, the default behavior will be to use the Kerberos service account (“Run As” account) instead.

To enable user credentials in web authoring scenarios with Kerberos delegation, you must make an additional configuration using TSM. Run the following commands:

tsm configuration set -k native_api.WebAuthoringAuthModeKerberosDelegation -v true
tsm pending-changes apply

After making this configuration, Kerberos Delegation becomes the default operation when selecting integrated authentication with web authoring. However, this setting will not prevent content creators from accessing the service account. Creators can still publish content that connects with the Run As service account, using Tableau Desktop or other methods.

For more information on Run As service account, see Enable Kerberos Service Account Access.

Configuration process

This section provides an example of the process to enable Kerberos delegation. The scenario also includes example names to help describe the relationships between the configuration elements.

  1. Tableau Server will need a Kerberos service ticket to delegate on behalf of the user that is initiating the call to the database. You must create a domain account that will be used to delegate to the given database. This account is referred to as the Run As service account. In this topic, the example user configured as the delegation/Run As account is tabsrv@example.com.

    The account must be configured with Active Directory User and Computers on a Windows Server that is connected to the user domain:

    • Open the Properties page for the Run As service account, click the Delegation tab and select Trust this user for delegation to specified services only and Use any authentication protocol.
  2. Create a keytab file for the Run As service account.

    For example, the following commands create a keytab (tabsrv-runas.keytab) using the ktutil tool:

    sudo ktutil
    ktutil:  addent -password -p tabsrv@EXAMPLE.COM -k 2 -e <encryption scheme>

    Encryption schemes for this command include RC4-HMAC, aes128-cts-hmac-sha1-96, and aes256-cts-hmac-sha1-96. Consult your IT team for the correct encryption scheme for your environment and data source.

    ktutil:  wkt tabsrv-runas.keytab

    Tableau Server will use the Run As service account and the associated keytab to authenticate and make a direct connection to the database.

  3. Copy the keytab into the Tableau Server data directory and set proper ownership and permissions. If you are running a multi-node deployment, then you must run the following commands on each node in the cluster.

    mkdir /var/opt/keytab                
    sudo cp -p tabsrv-runas.keytab /var/opt/keytab                 
    sudo chown $USER /var/opt/keytab/tabsrv-runas.keytab                  
    chgrp tableau /var/opt/keytab/tabsrv-runas.keytab                  
    chmod g+r /var/opt/keytab/tabsrv-runas.keytab 
    					
  4. Run the following TSM commands to enable Kerberos delegation, set the delegation service account, and associate the keytab file with the service account:

    					
    tsm configuration set -k wgserver.delegation.enabled -v true
    tsm configuration set -k native_api.datasource_impersonation_runas_principal -v tabsrv@EXAMPLE.COM
    tsm configuration set -k native_api.datasource_impersonation_runas_keytab_path -v /var/opt/keytab/tabsrv-runas.keytab
    tsm configuration set -k native_api.protocol_transition_a_d_short_domain -v false
    tsm configuration set -k native_api.protocol_transition_uppercase_realm -v true

    In some cases, TSM may return an error mentioning --force-keys. If you get this error, run the command again with the --force-keys parameter appended to the argument.

  5. Run the following TSM command apply the changes to Tableau Server:

    tsm pending-changes apply

    If the pending changes require a server restart, the pending-changes apply command will display a prompt to let you know a restart will occur. This prompt displays even if the server is stopped, but in that case there is no restart. You can suppress the prompt using the --ignore-prompt option, but this does not change the restart behavior. If the changes do not require a restart, the changes are applied without a prompt. For more information, see tsm pending-changes apply.

  6. Enable delegation for data connections:

    See also

    Troubleshoot Kerberos

Thanks for your feedback!Your feedback has been successfully submitted. Thank you!