Enable Kerberos Delegation

Kerberos delegation enables Tableau Server to use the Kerberos credentials of the viewer of a workbook or view to execute a query on behalf of the viewer. This is useful in the following situations:

  • You need to know who is accessing the data (the viewer's name will appear in the access logs for the data source).

  • Your data source has row-level security, where different users have access to different rows.

Supported data sources

Tableau supports Kerberos delegation with the following data sources:

  • Cloudera: Hive/Impala
  • Denodo
  • Hortonworks
  • PostgreSQL
  • Spark
  • SQL Server
  • Teradata

MSAS is not supported on Linux platforms. Oracle delegation is not supported with Tableau Server on Linux because of driver limitations.

Requirements

Kerberos delegation requires Active Directory.

  • The Tableau Server information store must be configured to use LDAP - Active Directory.
  • The computer where Tableau Server is installed must be joined to Active Directory domain.
  • MIT KDC is not supported.

Configuration process

This section provides an example of the process to enable Kerberos delegation. The scenario also includes example names to help describe the relationships between the configuration elements.

  1. Tableau Server will need a Kerberos service ticket to delegate on behalf of the user that is initiating the call to the database. You must create a domain account that will be used to delegate to the given database. This account is referred to as the Run As service account. In this topic, the example user configured as the delegation/Run As account is tabsrv@example.com.

    The account must be configured with Active Directory User and Computers on a Windows Server that is connected to the user domain:

    • Open the Properties page for the Run As service account, click the Delegation tab and select Trust this user for delegation to specified services only and Use any authentication protocol.
  2. Create a keytab file for the Run As service account.

    For example, the following commands create a keytab (tabsrv-runas.keytab) using the ktutil tool:

    sudo ktutil
    ktutil:  addent -password -p tabsrv@EXAMPLE.COM -k 2 -e <encryption scheme>

    Encryption schemes for this command include RC4-HMAC, aes128-cts-hmac-sha1-96, and aes256-cts-hmac-sha1-96. Consult your IT team for the correct encryption scheme for your environment and data source.

    ktutil:  wkt tabsrv-runas.keytab

    Tableau Server will use the Run As service account and the associated keytab to authenticate and make a direct connection to the database.

  3. Copy the keytab into the Tableau Server data directory and set proper ownership and permissions.

    mkdir /var/opt/keytab                
    sudo cp -p tabsrv-runas.keytab /var/opt/keytab                 
    sudo chown $USER /var/opt/keytab/tabsrv-runas.keytab                  
    chgrp tableau /var/opt/keytab/tabsrv-runas.keytab                  
    chmod g+r /var/opt/keytab/tabsrv-runas.keytab 
    					
  4. Run the following TSM commands to enable Kerberos delegation, set the delegation service account, and associate the keytab file with the service account:

    					
    tsm configuration set -k wgserver.delegation.enabled -v true
    tsm configuration set -k native_api.datasource_impersonation_runas_principal -v tabsrv@example.com
    tsm configuration set -k native_api.datasource_impersonation_runas_keytab_path -v <path-to-file>kerberos.keytab
    tsm configuration set -k native_api.protocol_transition_a_d_short_domain -v false
    tsm configuration set -k native_api.protocol_transition_uppercase_realm -v true

    In some cases, TSM may return an error mentioning --force-keys. If you get this error, run the command again with the --force-keys parameter appended to the argument.

  5. Run the following TSM command apply the changes to Tableau Server:

    tsm pending-changes apply

    The pending-changes apply command displays a prompt to let you know this will restart Tableau Server if the server is running. The prompt displays even if the server is stopped, but in that case there is no restart. You can suppress the prompt using the --ignore-prompt option, but this does not change the restart behavior. For more information, see tsm pending-changes apply.

  6. Enable delegation for data connections:

    See also

    Troubleshoot Kerberos

Thanks for your feedback! There was an error submitting your feedback. Try again or send us a message.