Enable Kerberos Delegation

Kerberos delegation enables Tableau Server to use the Kerberos credentials of the viewer of a workbook or view to execute a query on behalf of the viewer. This is useful in the following situations:

  • You need to know who is accessing the data (the viewer's name will appear in the access logs for the data source).

  • Your data source has row-level security, where different users have access to different rows.

Supported data sources

Tableau supports Kerberos delegation with the following data sources:

  • Cloudera: Hive/Impala
  • Denodo
  • Hortonworks
  • MSAS
  • Oracle
  • PostgreSQL
  • Spark
  • SQL Server
  • Teradata
  • Vertica
  • TIBCO

Requirements

Kerberos delegation requires Active Directory.

  • The Tableau Server identity store must be configured to use Active Directory.
  • The computer where Tableau Server is installed must be joined to the Active Directory domain.
  • MIT Kerberos KDC is not supported.
  • A domain account must be configured as the Run As service account on Tableau Server. See Change the Run As Service Account. If your users are in a different Active Directory domain than Tableau Server and the data source, then domain trust must be configured. See Domain Trust Requirements for Active Directory Deployments.
  • Delegation configured. Grant delegation rights for the Run As service account to the target database Service Principal Names (SPNs). The Run As service account is delegated authority to access resources on behalf of the initiating source user.
  • If you are configuring delegation on Tableau Server 2020.2 or later with an Oracle data source using a JDBC-based connector, see Enable Kerberos Delegation for JDBC Connectors. Starting in Tableau 2020.2, the Oracle connector uses JDBC.

Web authoring and user Kerberos authentication

When configuring Connect to Data for a given target, you may select Integrated or Windows authentication as the preferred authentication method. However, for web authoring scenarios, the default behaviour will be to use the Kerberos service account (“Run As” account) instead.

To enable user credentials in web authoring scenarios with Kerberos delegation, you must make an additional configuration using TSM. Run the following commands:

tsm configuration set -k native_api.WebAuthoringAuthModeKerberosDelegation -v true
tsm pending-changes apply

After making this configuration, Kerberos Delegation becomes the default operation when selecting integrated authentication with web authoring. However, this setting will not prevent content creators from accessing the service account. Creators can still publish content that connects with the Run As service account, using Tableau Desktop or other methods.

For more information on Run As service account, see Data Access with the Run As Service Account.

Configuration process

This section provides an example of the process to enable Kerberos delegation. The scenario also includes example names to help describe the relationships between the configuration elements.

  1. On all nodes in Tableau Server, configure the Run As User to act as part of the operating system. For more information, see Enable Run As Service Account to Act as the Operating System.

  2. Tableau Server will need a Kerberos service ticket to delegate on behalf of the user that is initiating the call to the database. You must create a domain account that will be used to delegate to the given database. This account is referred to as the Run As service account. In this topic, the example user configured as the delegation/Run As account is tabsrv@example.com.

    The account must be configured with Active Directory User and Computers on a Windows Server that is connected to the user domain:

    • Open the Properties page for the Run As service account, click the Delegation tab and select Trust this user for delegation to specified services only and Use any authentication protocol.
  3. Run the following TSM command to enable Kerberos delegation:

    tsm configuration set -k wgserver.delegation.enabled -v true

  4. Run the following TSM command apply the changes to Tableau Server:

    tsm pending-changes apply

    If the pending changes require a server restart, the pending-changes apply command will display a prompt to let you know a restart will occur. This prompt displays even if the server is stopped, but in that case, there is no restart. You can suppress the prompt using the --ignore-prompt option, but this does not change the restart behaviour. If the changes do not require a restart, the changes are applied without a prompt. For more information, see tsm pending-changes apply.

  5. (Optional) Configure Tableau Server to use MIT Kerberos principal format.

    By default, Tableau Server generates Kerberos principals using the Active Directory short name. For example, if Tableau Server performs Kerberos delegation for a user in EXAMPLE.COM, with a short name EXAMPLE, then the principal name will be: user@example.

    If your database is running on Linux, you may need to adjust the auth_to_local mapping in krb5.conf. For information about editing the krb5.conf file, see Kerberos delegation multi-domain configuration. Alternatively, you can configure Tableau Server to use the full domain name for Kerberos principals by running the following commands:

    tsm configuration set -k native_api.protocol_transition_a_d_short_domain -v false --force-keys
    tsm configuration set -k native_api.protocol_transition_uppercase_realm -v true --force-keys
    tsm pending-changes apply
  6. Enable delegation for data connections:

    See also

    Troubleshoot Kerberos

Thanks for your feedback!Your feedback has been successfully submitted. Thank you!