Enable Kerberos Delegation
Kerberos delegation enables Tableau Server to use the Kerberos credentials of the viewer of a workbook or view to execute a query on behalf of the viewer. This is useful in the following situations:
- You need to know who is accessing the data (the viewer's name will appear in the access logs for the data source).
- Your data source has row-level security, where different users have access to different rows.
Supported data sources
Tableau supports Kerberos delegation with the following data sources:
- Cloudera: Hive/Impala
- SQL Server
Kerberos delegation requires Active Directory.
- The Tableau Server identity store must be configured to use Active Directory.
- The computer where Tableau Server is installed must be joined to the Active Directory domain.
- MIT Kerberos KDC is not supported.
- A domain account must be configured as the Run As service account on Tableau Server. See Change the Run As Service Account. If your users are in a different Active Directory domain than Tableau Server and the data source, then domain trust must be configured. See Domain Trust Requirements for Active Directory Deployments.
- Delegation configured. Grant delegation rights for the Run As service account to the target database Service Principal Names (SPNs). The Run As service account is delegated authority to access resources on behalf of the initiating source user.
- If you are configuring delegation on Tableau Server 2020.2 or later with an Oracle data source using a JDBC-based connector, see Enable Kerberos Delegation for JDBC Connectors. Starting in Tableau 2020.2, the Oracle connector uses JDBC.
Web authoring and user Kerberos authentication
When configuring Connect to Data for a given target, you may select Integrated or Windows authentication as the preferred authentication method. However, for web authoring scenarios, the default behaviour will be to use the Kerberos service account (“Run As” account) instead.
To enable user credentials in web authoring scenarios with Kerberos delegation, you must make an additional configuration using TSM. Run the following commands:
tsm configuration set -k native_api.WebAuthoringAuthModeKerberosDelegation -v true
tsm pending-changes apply
After making this configuration, Kerberos Delegation becomes the default operation when selecting integrated authentication with web authoring. However, this setting will not prevent content creators from accessing the service account. Creators can still publish content that connects with the Run As service account, using Tableau Desktop or other methods.
This section provides an example of the process to enable Kerberos delegation. The scenario also includes example names to help describe the relationships between the configuration elements.
On all nodes in Tableau Server, configure the Run As User to act as part of the operating system. For more information, see Enable Run As Service Account to Act as the Operating System.
Tableau Server will need a Kerberos service ticket to delegate on behalf of the user that is initiating the call to the database. You must create a domain account that will be used to delegate to the given database. This account is referred to as the Run As service account. In this topic, the example user configured as the delegation/Run As account is
The account must be configured with Active Directory User and Computers on a Windows Server that is connected to the user domain:
- Open the Properties page for the Run As service account, click the Delegation tab and select Trust this user for delegation to specified services only and Use any authentication protocol.
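The two Delegation tab settings above can also be applied and verified with PowerShell. The following is an added example, not part of the Tableau documentation; the account name tableau_svc and the SQL Server SPN MSSQLSvc/sql01.example.com:1433 are assumed placeholders that you replace with your own.

```powershell
# Added example (not from the Tableau documentation): configure and verify
# constrained delegation with protocol transition for the Run As service account.
# Assumptions: the account is 'tableau_svc' and the target is a SQL Server whose
# SPN is MSSQLSvc/sql01.example.com:1433. Replace both with your own values.
# Requires the ActiveDirectory RSAT module and rights to edit the account.
Import-Module ActiveDirectory

$runAsAccount = 'tableau_svc'
$targetSpns   = @('MSSQLSvc/sql01.example.com:1433', 'MSSQLSvc/sql01.example.com')

# 1. The target SPNs must already be registered on the database service account;
#    delegation to an unregistered SPN fails when Tableau requests the ticket.
foreach ($spn in $targetSpns) {
    $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName
    if (-not $owner) { throw "SPN $spn is not registered on any account; register it first" }
}

# 2. "Trust this user for delegation to specified services only" = populate
#    msDS-AllowedToDelegateTo with exactly the SPNs Tableau may delegate to.
Set-ADUser -Identity $runAsAccount -Replace @{ 'msDS-AllowedToDelegateTo' = $targetSpns }

# 3. "Use any authentication protocol" = protocol transition, needed because
#    viewers authenticate to Tableau Server rather than presenting a Kerberos ticket.
Set-ADAccountControl -Identity $runAsAccount -TrustedToAuthForDelegation $true

# 4. Verify the result, and confirm the account is NOT trusted for unconstrained
#    delegation, which would let it impersonate users to any service in the domain.
$acct = Get-ADUser -Identity $runAsAccount `
    -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation, TrustedForDelegation

if ($acct.TrustedForDelegation) {
    throw "$runAsAccount is set for unconstrained delegation; use constrained delegation only"
}
if (-not $acct.TrustedToAuthForDelegation) {
    throw "Protocol transition is not enabled on $runAsAccount"
}
$missing = $targetSpns | Where-Object { $_ -notin $acct.'msDS-AllowedToDelegateTo' }
if ($missing) {
    throw "SPNs missing from msDS-AllowedToDelegateTo: $($missing -join ', ')"
}

"Constrained delegation OK for $runAsAccount -> $($acct.'msDS-AllowedToDelegateTo' -join ', ')"
```

Re-run only the verification part (step 4) after any change to the account, since a later edit in Active Directory Users and Computers can silently widen the delegation scope.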
Run the following TSM command to enable Kerberos delegation:
tsm configuration set -k wgserver.delegation.enabled -v true
Run the following TSM command to apply the changes to Tableau Server:
tsm pending-changes apply
If the pending changes require a server restart, the pending-changes apply command will display a prompt to let you know a restart will occur. This prompt displays even if the server is stopped, but in that case, there is no restart. You can suppress the prompt using the --ignore-prompt option, but this does not change the restart behaviour. If the changes do not require a restart, the changes are applied without a prompt. For more information, see tsm pending-changes apply.
(Optional) Configure Tableau Server to use MIT Kerberos principal format.
By default, Tableau Server generates Kerberos principals using the Active Directory short name. For example, if Tableau Server performs Kerberos delegation for a user in EXAMPLE.COM, with a short name EXAMPLE, then the principal name will be:
If your database is running on Linux, you may need to adjust the auth_to_local mapping in krb5.conf. For information about editing the krb5.conf file, see Kerberos delegation multi-domain configuration. Alternatively, you can configure Tableau Server to use the full domain name for Kerberos principals by running the following commands:
tsm configuration set -k native_api.protocol_transition_a_d_short_domain -v false --force-keys
tsm configuration set -k native_api.protocol_transition_uppercase_realm -v true --force-keys
tsm pending-changes apply
Enable delegation for data connections:
- SQL Server – See Enabling Kerberos Delegation for SQL Server in the Tableau Community.
- MSAS – See Enabling Kerberos Delegation for MSAS in the Tableau Community.
- PostgreSQL – See Enabling Kerberos Delegation for PostgreSQL in the Tableau Community.
- Teradata – See Enabling Kerberos Delegation for Teradata in the Tableau Community.
- Oracle – See Enable Kerberos Delegation for Oracle in the Tableau Community.
- Cloudera – See Enable Kerberos Delegation for Hive/Impala in the Tableau Community.
- Vertica – See Enabling Kerberos Delegation for Vertica in the Tableau Community.
- TIBCO – See Section 4, Kerberos SSO Configuration for TDV on Windows, in the TIBCO Professional Services guide, TDV Integration with Kerberos.