Kerberos Requirements
You can configure Kerberos authentication for Tableau Server running in Active Directory environments.
General requirements
- External Load Balancer/Proxy Server: If you are going to use Tableau Server with Kerberos in an environment that has external load balancers (ELBs) or a proxy server, you need to set these up before you configure Kerberos in the Tableau Server Configuration utility. See Configuring Proxies and Load Balancers for Tableau Server.
- iOS Browser Support: An iOS user can use Kerberos authentication with mobile Safari if a Configuration Profile specifying the user's Kerberos identity is installed. See Configuring an iOS Device for Kerberos Support in the Tableau Mobile Help. For more information about browser support for Kerberos SSO, see Tableau Client Support for Kerberos SSO.
- Tableau Server supports constrained delegation for authentication to data sources. In this scenario, the Tableau data access account is specifically granted rights to the target database SPNs. Unconstrained delegation is not supported.
- The supported data sources (SQL Server, MSAS, PostgreSQL, Hive/Impala, and Teradata) must be configured for Kerberos authentication.
- A keytab file that is configured with the service principal name (SPN) for the Tableau Server for user authentication. For more information, see Understanding Keytab Requirements.
- Beginning in Tableau Server 2021.2.25, 2021.3.24, 2021.4.19, 2022.1.15, 2022.3.7, and 2023.1.3 (or later), ensure keytab files are created with AES-128 or AES-256 ciphers. RC4 and 3DES ciphers are no longer supported. For more information, see "Tableau Server could not authenticate you automatically" in the Tableau Knowledge Base.
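One way to check a keytab against the cipher requirement above, as an added example that is not part of the Tableau documentation: it reads the MIT keytab format (0x0502) and lists entries whose encryption type is not AES, without decoding any key material. The accepted set (enctypes 17 and 18), the function names, and the sample principal with all-zero keys are assumptions constructed for illustration.

```python
import struct

ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "rc4-hmac",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
ACCEPTED = {17, 18}  # assumption: the AES-128/AES-256 types Active Directory issues


def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from a format 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is handled")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,), pos = struct.unpack_from(">i", data, pos), pos + 4
        if size == 0:                  # zero length ends the entry list
            break
        if size < 0:                   # negative length: deleted slot, skip it
            pos -= size
            continue
        entry, cur, pos = data[pos:pos + size], 2, pos + size
        (ncomp,) = struct.unpack_from(">H", entry)
        names = []
        for _ in range(ncomp + 1):     # realm first, then the name components
            (n,) = struct.unpack_from(">H", entry, cur)
            names.append(entry[cur + 2:cur + 2 + n].decode("utf-8", "replace"))
            cur += 2 + n
        # Skip name type (4 bytes) and timestamp (4); key bytes are never decoded.
        kvno, etype, klen = struct.unpack_from(">BHH", entry, cur + 8)
        cur += 13 + klen
        if len(entry) - cur >= 4:      # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", entry, cur)[0] or kvno
        out.append(("/".join(names[1:]) + "@" + names[0], kvno, etype))
    return out


def unsupported(data):
    """Entries whose enctype is outside ACCEPTED, as (principal, kvno, name)."""
    return [(p, k, ENCTYPE_NAMES.get(e, f"etype-{e}"))
            for p, k, e in parse_keytab(data) if e not in ACCEPTED]


def sample_entry(etype, klen):  # constructed sample entry with an all-zero dummy key
    parts = (b"EXAMPLE.COM", b"HTTP", b"tableau.example.com")
    body = struct.pack(">H", 2) + b"".join(struct.pack(">H", len(s)) + s for s in parts)
    body += struct.pack(">IIBHH", 1, 0, 2, etype, klen) + bytes(klen)
    return struct.pack(">i", len(body)) + body


SAMPLE = b"\x05\x02" + sample_entry(23, 16) + sample_entry(18, 32)  # RC4, then AES-256
```

To check a real file, pass its bytes to `unsupported()`; an empty list means every entry uses one of the accepted AES types.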
Active Directory requirements
You must meet the following requirements to run Tableau Server with Kerberos in an Active Directory environment:
- Tableau Server must use Active Directory (AD) for authentication.
- The domain must be an AD 2003 or later domain for Kerberos connections to Tableau Server.
- Smart Card Support: Smart cards are supported when users sign in to their workstations with a smart card and this results in a Kerberos TGT being granted to the user from Active Directory.
- Single Sign-On (SSO): Users must be granted a Kerberos Ticket Granting Ticket (TGT) from Active Directory when they sign in to their computers. This is standard behavior for domain-joined Windows computers and standard for Mac computers that use AD as their network account server. For more information on using Mac computers and Active Directory, see Join your Mac to a network account server in the Apple Knowledge Base.
Kerberos delegation
For Kerberos delegation scenarios, the following are required:
- If the domain is AD 2003 or later, single-domain Kerberos delegation is supported. The users, Tableau Server, and backend database must be on the same domain.
- If the domain is AD 2008, there is limited cross-domain support. Users from other domains can be delegated if the following conditions are met: Tableau Server and the backend database must be on the same domain, and a two-way trust is required between the domain where Tableau Server resides and the user's domain.
- If the domain is AD 2012 or later, full cross-domain delegation is supported. AD 2012 R2 is preferred because it has a dialog for configuring constrained delegation, while 2012 non-R2 requires manual configuration.