Enable Kerberos Service Account Access

You can configure Tableau Server to use a Kerberos service account to access a database. In this scenario, Tableau Server connects to databases with a service account, also referred to as a "RunAs account".

To use RunAs authentication on Tableau Server you must first create a workbook or datasource that uses integrated authentication. When users publish to Tableau Server they will get the option for RunAs authentication. If you create a datasource with Tableau Server web authoring that uses integrated authentication, the datasource will use RunAs authentication by default.

Note: Integrated authentication is also referred to as Windows Authentication on some connectors. In both cases, Tableau Server uses Kerberos authentication.

Data Access with the RunAs Service Account

To use RunAs authentication, the RunAs account requires read and query permissions to external databases. As designed, Tableau Server users with the Creator role or the Explorer (Can Publish) role have full access to the RunAs account for queries to external databases.

For example, a user with the Creator role can view all databases that have been granted access to the RunAs service account. They can also list tables and run Custom SQL.

If the Creator-user specifies the database host name and selects Integrated Authentication when creating a new data source with web authoring, then databases that have been granted RunAs access will be displayed to the user.

View access to database assets is not restricted to users who connect to Tableau Server with web authoring. Sophisticated users who have the same roles noted above and who know the database server names could create workbooks with Tableau Desktop that display databases that have been granted RunAs access.

Recommendations

Whether user access to databases in these scenarios is acceptable must be assessed by your organization. Generally, reducing the usage and scope of the RunAs service account will reduce the likelihood of inadvertent user access to database content. However, reducing the usage and scope of the RunAs service account may also impose more credential management on you and your users.

Evaluate the following recommendations in context of your business needs and data access policies.

  • Firstly, be sure that you trust all users who have Creator roles or Explorer (Can Publish) roles. You will rely on these users to perform actions in Tableau with integrity.
  • If you cannot trust all of your users who have publishing rights on data sources that are accessed by the RunAs service account, then you should consider embedding credentials for those data sources.
  • If a data source is not set up for automated extract refreshes, that is, the data source is primarily accessed as a live connection, then you may be able to use Kerberos Delegation. For requirements, see Enable Kerberos Delegation.

Requirements

  • MIT Kerberos is not supported; the RunAs service account must be an Active Directory domain account, as in the procedure below.
  • The RunAs service account must have read access to the target database.

Configuration process

This section provides an example of the process to enable Kerberos service account access.

  1. Create a domain user account to act as the RunAs service account. This account must have read access to the target database.

    In the example here, the RunAs service account is a user principal named tabsrv@EXAMPLE.COM. Write the realm in upper case throughout: Kerberos realm names are case-sensitive, and the realm in the keytab and in the TSM configuration must match the realm the KDC issues.

  2. Create a keytab file for the RunAs service account.

    For example, the following ktutil session creates a keytab (tabsrv-runas.keytab) holding one key for the RunAs principal. The -k value is the key version number (kvno); it must match the account's current kvno on the KDC (msDS-KeyVersionNumber in Active Directory), otherwise Tableau Server cannot use the keytab even though the password is correct. ktutil prompts for the account password after addent:

    ktutil
    ktutil:  addent -password -p tabsrv@EXAMPLE.COM -k 2 -e <encryption scheme>
    Password for tabsrv@EXAMPLE.COM:
    ktutil:  wkt tabsrv-runas.keytab
    ktutil:  quit

    Encryption schemes for this command include aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, and RC4-HMAC. Prefer an AES type: RC4-HMAC is deprecated for Kerberos (RFC 8429) and should only be used if the data source cannot negotiate AES. Consult your IT team for the encryption scheme that is enabled for the account and supported by your data source.

    The keytab contains a long-term key equivalent to the account's password; treat the file as you would that password. Tableau Server will use the RunAs service account and the associated keytab to authenticate and make a direct connection to the database.

  3. Copy the keytab into the Tableau Server data directory and set proper ownership and permissions. The keytab must be readable by the unprivileged user that runs Tableau Server and by nobody else, so remove access for "other" rather than only adding group read. The default unprivileged user created by Tableau Setup is tableau.

    If you are running a multi-node deployment, then you must run the following commands on each node in the cluster:

    sudo mkdir -p /var/opt/tableau/tableau_server/keytab
    sudo cp -p tabsrv-runas.keytab /var/opt/tableau/tableau_server/keytab
    sudo chown $USER /var/opt/tableau/tableau_server/keytab/tabsrv-runas.keytab
    sudo chgrp tableau /var/opt/tableau/tableau_server/keytab/tabsrv-runas.keytab
    sudo chmod 640 /var/opt/tableau/tableau_server/keytab/tabsrv-runas.keytab

    Delete the working copy of the keytab from the directory where you created it once the installed copy is in place.
    
  4. Run the following TSM commands to enable RunAs access, set the RunAs service account, and associate the keytab file with the service account.

    tsm configuration set -k features.RunAsAuthLinux -v true --force-keys
    tsm configuration set -k native_api.datasource_runas_principal -v tabsrv@EXAMPLE.COM --force-keys
    tsm configuration set -k native_api.datasource_runas_keytab_path -v /var/opt/tableau/tableau_server/keytab/tabsrv-runas.keytab --force-keys

  5. Run the following TSM command to apply the changes to the Tableau Server deployment:

    tsm pending-changes apply

    If the pending changes require a server restart, the pending-changes apply command will display a prompt to let you know a restart will occur. This prompt displays even if the server is stopped, but in that case there is no restart. You can suppress the prompt using the --ignore-prompt option, but this does not change the restart behavior. If the changes do not require a restart, the changes are applied without a prompt. For more information, see tsm pending-changes apply.
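The whole procedure above, carried out by one script, as an added example that is not Tableau's own tooling. It assumes the page's values (principal tabsrv@EXAMPLE.COM, kvno 2, the keytab path and the tableau group) and an AES enctype; the account password is taken from an assumed RUNAS_PASSWORD environment variable so it never appears on a command line. Beyond the steps on the page it verifies the keytab against the KDC before installing it and refuses to proceed if the installed file is readable by anyone but the owner and the tableau group. It needs ktutil, klist, kinit, sudo and tsm on PATH, and must be run on every node of a multi-node deployment.

```shell
#!/usr/bin/env bash
# Added example (not Tableau's own script): end-to-end RunAs keytab setup for
# one Tableau Server (Linux) node. Assumed values: principal, kvno, enctype,
# paths and group name follow the page's example; adjust for your environment.
set -euo pipefail

RUNAS_PRINCIPAL="${RUNAS_PRINCIPAL:-tabsrv@EXAMPLE.COM}"   # realm in upper case
KEYTAB_DIR="/var/opt/tableau/tableau_server/keytab"
KEYTAB="${KEYTAB_DIR}/tabsrv-runas.keytab"
KVNO="${KVNO:-2}"   # must equal the account's msDS-KeyVersionNumber (assumed: 2)
ENCTYPE="${ENCTYPE:-aes256-cts-hmac-sha1-96}"   # AES, not the deprecated RC4-HMAC
TABLEAU_GROUP="${TABLEAU_GROUP:-tableau}"       # unprivileged group from Tableau Setup

# Emit the command stream for ktutil: one addent, the password it prompts for,
# write the keytab, quit. Feeding this on stdin keeps the password out of argv
# and shell history; ktutil reads the password from stdin, not from arguments.
ktutil_script() {
  local principal=$1 kvno=$2 enctype=$3 keytab=$4 password=$5
  printf 'addent -password -p %s -k %s -e %s\n%s\nwkt %s\nquit\n' \
    "$principal" "$kvno" "$enctype" "$password" "$keytab"
}

# Return 0 only if the keytab belongs to the expected group and has no "other"
# bits and no group-write bit (0640 or stricter). Anything looser lets any local
# user copy a long-lived credential for the RunAs account.
check_keytab_perms() {
  local path=$1 group=$2 mode grp
  mode=$(stat -c '%a' "$path") || return 1
  grp=$(stat -c '%G' "$path") || return 1
  if [ "$grp" != "$group" ]; then
    echo "refusing: $path is group $grp, expected $group" >&2; return 1
  fi
  if [ $(( 8#$mode & 8#027 )) -ne 0 ]; then
    echo "refusing: $path mode $mode is readable by others or group-writable" >&2; return 1
  fi
  return 0
}

# Prove the key works against the KDC before installing it: list the entries
# (with enctypes and kvno), then kinit into a throw-away cache so the admin's
# own ticket cache is left untouched.
verify_keytab() {
  local keytab=$1 principal=$2 cc
  klist -kte "$keytab"
  cc=$(mktemp)
  KRB5CCNAME="FILE:$cc" kinit -kt "$keytab" "$principal"
  KRB5CCNAME="FILE:$cc" kdestroy
}

# Install with the page's ownership model (owner = admin user, group = tableau)
# but an explicit 0640 so no "other" bit is inherited from the source file.
install_keytab() {
  local src=$1 dest=$2 group=$3
  sudo install -d -m 0755 "$(dirname "$dest")"
  sudo install -m 0640 -o "$USER" -g "$group" "$src" "$dest"
}

# The three TSM keys from step 4, then apply (step 5).
configure_tsm() {
  local principal=$1 keytab=$2
  tsm configuration set -k features.RunAsAuthLinux -v true --force-keys
  tsm configuration set -k native_api.datasource_runas_principal -v "$principal" --force-keys
  tsm configuration set -k native_api.datasource_runas_keytab_path -v "$keytab" --force-keys
  tsm pending-changes apply
}

main() {
  local work
  umask 077                    # the temporary keytab is never readable by others
  work=$(mktemp -d)
  trap 'rm -rf "$work"' EXIT   # no stray copy of the credential is left behind
  ktutil_script "$RUNAS_PRINCIPAL" "$KVNO" "$ENCTYPE" "$work/runas.keytab" \
    "${RUNAS_PASSWORD:?set RUNAS_PASSWORD from your secret store}" | ktutil
  verify_keytab "$work/runas.keytab" "$RUNAS_PRINCIPAL"
  install_keytab "$work/runas.keytab" "$KEYTAB" "$TABLEAU_GROUP"
  check_keytab_perms "$KEYTAB" "$TABLEAU_GROUP"
  configure_tsm "$RUNAS_PRINCIPAL" "$KEYTAB"
}

# Only make changes when explicitly asked; sourcing the file just defines the functions.
if [ "${1:-}" = "--apply" ]; then main; fi
```

Run it as the TSM administrator with `RUNAS_PASSWORD=... ./runas-keytab.sh --apply` (the file name is an assumption). If `verify_keytab` fails with a key version or preauthentication error, the kvno or enctype does not match what the KDC holds for the account; fix those before anything is installed, since a keytab that cannot obtain a TGT here will not work for Tableau Server either.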
