Enable Kerberos Run As Authentication for JDBC Connectors

As of version 2020.2, Tableau Server supports Kerberos authentication for JDBC connectors.

You can configure Tableau Server to use a Kerberos service account to access a database. In this scenario, Tableau Server connects to databases with a service account, also referred to as a "Run As service account". This scenario is referred to as "Run As authentication".

See Run As Service Account.

To use Run As authentication on Tableau Server you must first create a workbook or datasource in Tableau Desktop that uses integrated authentication. When you publish to Tableau Server you will get the option to use Run As authentication. When creating a datasource with Web Authoring, Run As authentication is the default operation if you select integrated authentication.

Supported data sources

Tableau supports JDBC Kerberos delegation with the following data sources:

  • Oracle
  • PostgreSQL

If you are configuring Run As authentication for an Oracle data source using a JDBC-based connector, then follow the procedure in this topic. Alternatively, if the connector you are running on Tableau Server uses a native driver, you do not have to follow the steps in this topic. Instead, follow the steps to create a Run As service account as documented in the topic, Change the Run As Service Account.


Kerberos delegation requires Active Directory.

  • The Tableau Server information store must be configured to use LDAP - Active Directory.
  • MIT KDC is not supported.

Configuration process

This section provides an example of the process to enable Kerberos Run As authentication.

  1. Create a keytab file for the Run As service account.

    The following example uses the ktab tool that is provided with the JDK. You can download the tool at AdoptOpenJDK. When using ktab to create the keytab, use a logon principal in UPN format (for example, service@EXAMPLE.COM), and not a service principal name (for example, HTTP/service.example.com@EXAMPLE.COM). You may also generate keytabs with the ktpass utility, in which case you can use either style of principal name.

    <JDK_HOME>/bin/ktab -k E:/tmp/tabsrv.keytab -a tabsrv@EXAMPLE.COM

    Tableau Server will use the Run As service account and the associated keytab to authenticate and make a direct connection to the database.

  2. Copy the keytab into the Tableau Server data directory and verify that the Run As service account can access and read the keytab file. By default the Tableau Server data directory is at C:\ProgramData\Tableau. If you are running Tableau Server in a distributed deployment, perform this step on each node in the cluster.

  3. Run the following TSM commands to set the Run As service account and the path to the keytab file:

    tsm configuration set -k native_api.datasource_runas_principal -v tabsrv@EXAMPLE.COM
    tsm configuration set -k native_api.datasource_runas_keytab_path -v <path-to-file>kerberos.keytab

    In some cases, TSM may return an error mentioning --force-keys. If you get this error, run the command again with the --force-keys parameter appended to the argument.

  4. Create a krb5.conf file, and install it in C:\Windows on all Tableau Server nodes.

    If you already have a krb5.ini file deployed on computers in your organization, copy that file and use it for Tableau Server. For more information, see the MIT Kerberos Documentation topic, krb5.conf.

    To change the location of the Kerberos configuration file, run the following TSM command:

    tsm configuration set -k native_api.kerberos_config_path --force-keys -v "C:\temp\krb5.ini"

    The following is an example of a krb5.conf file. Tableau Support cannot assist with creating krb5.conf.

    [libdefaults]
    forwardable = true
    default_realm = EXAMPLE.COM
    default_tkt_enctypes = rc4-hmac
    default_tgs_enctypes = rc4-hmac

    [realms]
    EXAMPLE.COM = {
    kdc = kdc.example.com
    admin_server = kdc.example.com
    }

    [domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM

  5. Run the following TSM command to apply the changes to Tableau Server:

    tsm pending-changes apply

    If the pending changes require a server restart, the pending-changes apply command will display a prompt to let you know a restart will occur. This prompt displays even if the server is stopped, but in that case there is no restart. You can suppress the prompt using the --ignore-prompt option, but this does not change the restart behavior. If the changes do not require a restart, the changes are applied without a prompt. For more information, see tsm pending-changes apply.
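
The following check for steps 1 to 4 is an added example, not part of Tableau's documentation or tooling: it parses a keytab and confirms that it holds a key for the principal set in native_api.datasource_runas_principal, with an enctype that krb5.conf allows. It assumes the keytab uses the MIT version 0x0502 layout; the function names and the sample keytab (zeroed key bytes) are constructed for illustration.

```python
import struct

# Kerberos enctype numbers and their krb5.conf names.
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _parse_entry(buf):
    """Decode one entry into (principal, enctype name); the key bytes are never read."""
    def counted(off):  # uint16 length followed by that many bytes
        (n,) = struct.unpack_from(">H", buf, off)
        return buf[off + 2:off + 2 + n].decode("utf-8"), off + 2 + n
    (ncomp,) = struct.unpack_from(">H", buf, 0)
    realm, off = counted(2)
    comps = []
    for _ in range(ncomp):
        comp, off = counted(off)
        comps.append(comp)
    # name type (4), timestamp (4), 8-bit kvno (1), then the enctype of the key
    _ntype, _ts, _kvno, etype = struct.unpack_from(">IIBH", buf, off)
    return "/".join(comps) + "@" + realm, ENCTYPES.get(etype, str(etype))

def parse_keytab(data):
    """Return (principal, enctype name) for every live entry of a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size > 0:  # a negative size marks a deleted entry, which is skipped
            entries.append(_parse_entry(data[pos:pos + size]))
        pos += abs(size)
    return entries

def check_keytab(data, runas_principal, allowed_enctypes):
    """Return a list of problems; empty means the keytab matches the TSM and krb5.conf settings."""
    mine = [e for e in parse_keytab(data) if e[0] == runas_principal]
    if not mine:
        return ["no keytab entry for " + runas_principal]
    if not any(e[1] in allowed_enctypes for e in mine):
        return ["%s has no key of an enctype allowed by krb5.conf" % runas_principal]
    return []

def sample_keytab(principal, etype):
    """Build a constructed one-entry keytab for the demo; the 16 key bytes are zeros."""
    name, realm = principal.rsplit("@", 1)
    parts = [realm] + name.split("/")
    body = struct.pack(">H", len(parts) - 1)
    body += b"".join(struct.pack(">H", len(p)) + p.encode() for p in parts)
    body += struct.pack(">IIBHH", 1, 0, 1, etype, 16) + bytes(16)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
```

To check a real file, pass the bytes of the keytab copied in step 2 to check_keytab together with the principal from step 3 and the default_tkt_enctypes values from krb5.conf. Reading the file while logged on as the Run As service account also confirms the read access that step 2 requires.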
