Kerberos is a three-way authentication protocol that relies on a trusted third-party network service called the Key Distribution Center (KDC) to verify the identity of computers and to provide secure connections between them through the exchange of tickets. These tickets provide mutual authentication between computers or services, verifying that one has permission to access the other.
Tableau Server supports Kerberos authentication in an Active Directory Kerberos environment, with authentication to Tableau Server being handled by Kerberos.
- The Kerberos support in Tableau Server is for user authentication. It does not handle internal permissions and authorization related to Tableau Server content, such as workbooks.
- Identity pools, a tool designed to complement and support additional user provisioning and authentication options you might need in your organization, supports OpenID Connect (OIDC) authentication only. For more information, see Provision and Authenticate Users Using Identity Pools.
How Kerberos works
When you configure Tableau Server for Kerberos in an Active Directory (AD) environment, the AD domain controller also serves as the Kerberos Key Distribution Center (KDC) and issues Ticket Granting Tickets to the other nodes in the domain. Users authenticated by the KDC do not have to authenticate further when connecting to Tableau Server.
The following is a diagram of the authentication workflow.
1. User logs into their Active Directory domain.
2. The Kerberos KDC authenticates the user and sends a Ticket Granting Ticket (TGT) to the user's computer.
3. The user connects to Tableau Server in Tableau Desktop or in a web browser.
4. Tableau Server authenticates the user.
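The workflow above can be modeled in a few lines to show why the server never sees the user's password and never has to contact the KDC when a ticket arrives. This is an added illustration, not Tableau or Active Directory code: the class and function names are hypothetical, the encryption is a toy stand-in, and it goes one step beyond the list by including the service-ticket request that a Kerberos client makes with its TGT before contacting a service.

```python
# Added illustration: simplified model, toy crypto, hypothetical names; not Tableau or AD code.
import hashlib, hmac, json, os, time

def _stream(key, nonce, n):  # SHA-256 counter keystream (toy, fine for short tickets only)
    return b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(n // 32 + 1))

def seal(key, obj):  # toy encrypt-then-MAC standing in for Kerberos encryption
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("not sealed with this key, or modified")
    obj = json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))
    if obj.get("exp", float("inf")) < time.time():
        raise ValueError("ticket expired")
    return obj

class KDC:
    def __init__(self):
        self.keys = {"krbtgt": os.urandom(32)}  # principal -> long-term key
    def register(self, principal):
        return self.keys.setdefault(principal, os.urandom(32))
    def _ticket(self, seal_key, user, reply_key):
        sk = os.urandom(32).hex()  # fresh session key: one copy in the ticket, one for the client
        ticket = seal(seal_key, {"user": user, "sk": sk, "exp": time.time() + 600})
        return ticket, seal(reply_key, {"sk": sk})
    def issue_tgt(self, user):  # step 2: TGT is sealed under the KDC's own key
        return self._ticket(self.keys["krbtgt"], user, self.keys[user])
    def issue_service_ticket(self, tgt, service):  # between steps 3 and 4
        t = unseal(self.keys["krbtgt"], tgt)
        return self._ticket(self.keys[service], t["user"], bytes.fromhex(t["sk"]))

def service_accept(service_key, ticket, authenticator):
    """Step 4: the service validates the ticket offline, using only its own key."""
    t = unseal(service_key, ticket)
    a = unseal(bytes.fromhex(t["sk"]), authenticator)
    if a["user"] != t["user"] or abs(time.time() - a["ts"]) > 300:
        raise ValueError("authenticator does not match ticket")
    return t["user"]

def client_login(kdc, user, user_key, service):
    tgt, reply = kdc.issue_tgt(user)
    tgs_sk = bytes.fromhex(unseal(user_key, reply)["sk"])  # only the real user can open this
    ticket, reply = kdc.issue_service_ticket(tgt, service)
    svc_sk = bytes.fromhex(unseal(tgs_sk, reply)["sk"])
    return ticket, seal(svc_sk, {"user": user, "ts": time.time()})
```

In this model a ticket presented to a service holding a different key, a ticket altered in transit, and a client without the user's long-term key all fail with `ValueError`, which mirrors why the service account's key material is the asset to protect on the server side.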