Enable Kerberos Delegation for JDBC Connectors

As of version 2020.2, Tableau Server supports Kerberos delegation for JDBC connectors.

Kerberos delegation enables Tableau Server to use the Kerberos credentials of the viewer of a workbook or view to execute a query on behalf of the viewer. This is useful in the following situations:

  • You need to know who is accessing the data (the viewer's name will appear in the access logs for the data source).

  • Your data source has row-level security, where different users have access to different rows.

Supported data sources

Tableau supports JDBC Kerberos RunAs authentication with the following data sources:

  • Oracle
  • PostgreSQL

If you are configuring delegation with an Oracle data source using a JDBC-based connector, then follow the procedure in this topic. Alternatively, if the connector you are running on Tableau Server uses a native driver, then follow the procedure in the help topic, Enable Kerberos Delegation.

Requirements

Kerberos delegation requires Active Directory.

  • The Tableau Server information store must be configured to use LDAP - Active Directory.
  • MIT KDC is not supported.

Note: You do not need to enable the Run As account to act as the operating system.

Configuration process

This section provides an example of the process to enable Kerberos delegation.

  1. Tableau Server will need a Kerberos service ticket to delegate on behalf of the user that is initiating the call to the database. You must create a domain account that will be used to delegate to the given database. This account is referred to as the Run As service account. In this topic, the example user configured as the Run As account is tabsrv@EXAMPLE.COM.

    The account must be configured for delegation in Active Directory:

    1. On a Windows Server that is connected to the user domain, open Active Directory Users and Computers.
    2. On the Properties page for the Run As service account, click the Delegation tab and select Trust this user for delegation to specified services only and Use any authentication protocol.
  2. Create a keytab file for the Run As service account.

    This following example uses the ktab tool that is provided with the JDK . You can download the tool at AdoptOpenJDK(Link opens in a new window). When using ktab to create the keytab, use a logon principal in UPN format (for example, service@EXAMPLE.COM), and not a service principal name (for example, HTTP/service.example.com@EXAMPLE.COM). You may also generate keytabs with the ktpass utility, in which case you can use either style of principal name.

    <JDK_HOME>/bin/ktab -k E:/tmp/tabsrv.keytab -a tabsrv@EXAMPLE.COM

    Tableau Server will use the Run As service account and the associated keytab to authenticate and make a direct connection to the database.

  3. Copy the keytab into the Tableau Server data directory and verify that the Run As service account can access and read the keytab file. By default the Tableau Server data directory is at C:\ProgramData\Tableau. If you are running Tableau Server in a distributed deployment, perform this step on each node in the cluster.

  4. Create a krb5.conf file, and install in C:\Windows on all Tableau Server nodes.

    If you already have a krb5.ini file deployed on computers in your organization, copy that file and use it for Tableau Server. For more information, see the MIT Kerberos Documentation topic, krb5.conf(Link opens in a new window).

    To change the location of Kerberos configuration file run the following TSM command:

    tsm configuration set -k native_api.kerberos_config_path --force-keys -v "C:\temp\krb5.ini"

    The following is an example of a krb5.conf file. Tableau Support cannot assist with creating krb5.conf.

    [libdefaults]
    forwardable = true
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac
    
    [realms]
    EXAMPLE.COM = {
    kdc = kdc.example.com
    admin_server = kdc.example.com
    }
    
    [domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
  5. Run the following TSM commands to enable Kerberos delegation, set the delegation service account, and associate the keytab file with the service account:

    tsm configuration set -k wgserver.delegation.enabled -v true
    tsm configuration set -k native_api.datasource_impersonation_runas_principal -v tabsrv@EXAMPLE.COM
    tsm configuration set -k native_api.datasource_impersonation_runas_keytab_path -v <path-to-file>kerberos.keytab
    tsm configuration set -k native_api.protocol_transition_a_d_short_domain -v false
    tsm configuration set -k native_api.protocol_transition_uppercase_realm -v true

    In some cases, TSM may return an error mentioning --force-keys. If you get this error, run the command again with the --force-keys parameter appended to the argument.

  6. Run the following TSM command apply the changes to Tableau Server:

    tsm pending-changes apply

    If the pending changes require a server restart, the pending-changes apply command will display a prompt to let you know a restart will occur. This prompt displays even if the server is stopped, but in that case there is no restart. You can suppress the prompt using the --ignore-prompt option, but this does not change the restart behavior. If the changes do not require a restart, the changes are applied without a prompt. For more information, see tsm pending-changes apply.

Thanks for your feedback!Your feedback has been successfully submitted. Thank you!