Troubleshooting Mutual SSL Authentication
This topic describes possible mutual (two-way) SSL authentication issues and their causes, the messages that users might see, and possible mitigation for the issues.
For more information about mutual SSL authentication and LDAP, UPN, and CN user mapping, see the following topics:
We couldn't find a valid client certificate. Contact your Tableau Server administrator.
The client is missing a certificate.
If the client has no client certificate, the user sees this message during authentication:
We couldn't find a valid client certificate. Contact your Tableau Server administrator.
To resolve the issue, the user should contact the system administrator to generate a client certificate for the client computer. The certificate must be issued by a certificate authority (CA) that Tableau Server is configured to trust; a certificate from any other CA is not accepted as valid.
Invalid user name or password
The client doesn't support mutual SSL authentication.
Versions of Tableau Desktop older than version 9.1 do not support mutual SSL authentication. If an older version of Tableau Desktop is used to connect to Tableau Server that is configured for mutual SSL authentication, the following can occur:
- If Tableau Server is configured to use fallback authentication, the client displays a sign-in dialog box and the user can enter a user name and password.
- If the server is not configured to use fallback authentication, the user sees the following message and cannot connect to the server:
Invalid user name or password
For more information about fallback authentication, see Configure Mutual SSL Authentication.
We couldn't find your user name in the client certificate. Contact your Tableau Server administrator or sign in using your Tableau Server account.
Client certificates are not published to Active Directory.
If Tableau Server is configured to use Active Directory for authentication, and if user mapping is set to LDAP, Tableau Server sends the client certificate to Active Directory for authentication. However, if client certificates have not been published to Active Directory, authentication fails and the user sees the following message:
We couldn't find your user name in the client certificate. Contact your Tableau Server administrator or sign in using your Tableau Server account.
To resolve this issue, the system administrator should make sure that client certificates are published to Active Directory. Alternatively, configure the server to use a different user mapping (UPN or CN), and make sure that client certificates contain the user name in the field that the server reads (the UPN field or the CN field, respectively).
Users unexpectedly see a sign-in dialog box that displays an error message
If Tableau Server is configured to use mutual SSL authentication and a valid certificate is installed on the user's computer, the user should not see a sign-in dialog box, because Tableau Server uses the certificate to authenticate the user. However, if the server does not recognize the user name in the certificate, the user sees a sign-in dialog box with an error message that indicates why the certificate was not used. This occurs when all of the following conditions are true:
- Fallback authentication is enabled.
- If the server is using UPN or CN mapping, the user name in the certificate's UPN or CN field is not recognized. If the server is using LDAP mapping, the certificate is not mapped to the user in Active Directory.
To resolve this issue, the system administrator should do the following, depending on how user mapping is configured on Tableau Server:
- LDAP mapping: Make sure that the certificate is linked to the user in Active Directory, that the certificate is installed on the user's computer, and that the user is configured as a Tableau Server user.
- UPN or CN mapping: Make sure that the certificate is installed on the user's computer, that the user name is in the certificate's UPN or CN field, and that the user name matches the user name on Tableau Server (including domain).
We couldn't find your user name in the client certificate. Contact your Tableau Server administrator.
Certificate does not contain a valid Tableau Server user name.
The user name in the UPN or CN fields is missing or invalid
When Tableau Server is configured to use UPN or CN mapping, the server reads the user's name from the UPN or CN field of the certificate and then looks up the user name in Active Directory or in the local repository on Tableau Server. (The specific field that the server reads depends on which mapping—UPN or CN—the server is configured to use.) If the field that is supposed to contain the user name has nothing in it, the user sees the following message:
We couldn't find your user name in the client certificate. Contact your Tableau Server administrator.
If a client certificate contains a user name but Active Directory and Tableau Server don't recognize the user name, the user sees the following message:
Certificate does not contain a valid Tableau Server user name.
This can occur when all of the following conditions are true:
- Tableau Server is configured to use UPN or CN mapping.
- Fallback authentication is not enabled.
- The client certificate has no user name in the UPN or CN field, or the user name in the UPN or CN field does not match a user name in Active Directory or on Tableau Server.
To resolve this issue, the system administrator should make sure that the user's certificate has the correct user name in the field that the server is configured to read (UPN or CN), and that it matches the user name on Tableau Server, including the domain.
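The UPN/CN lookup described above, covering both the sign-in dialog case (fallback authentication enabled) and the two messages shown when fallback is off, can be reproduced offline with the following added example. It is not Tableau's code, and the exact comparison Tableau Server performs is not documented in this topic; the example assumes the UPN is carried in the certificate's subjectAltName as an otherName with the Microsoft UPN OID 1.3.6.1.4.1.311.20.2.3, and that user names are compared case-insensitively with the domain included. It uses the third-party Python `cryptography` package to build a throwaway self-signed client certificate; the functions `make_client_cert`, `cert_cn`, `cert_upn` and `diagnose`, and the sample user names, are constructed for illustration.

```python
"""Added example, not Tableau's code: read the CN and UPN from a client
certificate the way the UPN/CN mapping described in this topic does, and
report which of the documented outcomes a user would see.

Assumptions (not stated in the topic): the UPN lives in the subjectAltName
otherName with the Microsoft UPN OID 1.3.6.1.4.1.311.20.2.3, and Tableau
user names are compared case-insensitively, domain included.
Requires the third-party 'cryptography' package.
"""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UPN_OID = x509.ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")

# Messages quoted from this topic, plus a label for the fallback dialog case.
MSG_NO_NAME = ("We couldn't find your user name in the client certificate. "
               "Contact your Tableau Server administrator.")
MSG_INVALID = "Certificate does not contain a valid Tableau Server user name."
MSG_FALLBACK_DIALOG = "sign-in dialog with an error explaining why the certificate was not used"


def der_utf8string(text):
    """Minimal DER UTF8String (tag 0x0C), short-form length only."""
    raw = text.encode("utf-8")
    if len(raw) > 127:
        raise ValueError("value too long for short-form DER length")
    return bytes([0x0C, len(raw)]) + raw


def make_client_cert(cn, upn=None):
    """Constructed, self-signed client certificate for offline testing only:
    CN in the subject, UPN (if given) as a SAN otherName."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now - datetime.timedelta(minutes=5))
               .not_valid_after(now + datetime.timedelta(days=1)))
    if upn is not None:
        san = x509.SubjectAlternativeName([x509.OtherName(UPN_OID, der_utf8string(upn))])
        builder = builder.add_extension(san, critical=False)
    return builder.sign(key, hashes.SHA256())


def cert_cn(cert):
    """Subject CN, or None if the subject has no CN."""
    attrs = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    return attrs[0].value if attrs else None


def cert_upn(cert):
    """UPN from the SAN otherName, or None if there is no SAN or no UPN entry."""
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return None
    for other in san.get_values_for_type(x509.OtherName):
        der = other.value  # DER-encoded UTF8String: tag, short length, bytes
        if other.type_id == UPN_OID and len(der) >= 2 and der[0] == 0x0C and der[1] < 128:
            return der[2:2 + der[1]].decode("utf-8")
    return None


def diagnose(cert, mapping, known_users, fallback_enabled):
    """Return (matched_user_or_None, outcome) for a certificate under UPN or CN
    mapping. known_users holds Tableau Server user names including domain,
    e.g. {"CORP\\jdoe"} or {"jdoe@corp.example"} (constructed sample data)."""
    if mapping == "UPN":
        name = cert_upn(cert)
    elif mapping == "CN":
        name = cert_cn(cert)
    else:
        raise ValueError("mapping must be 'UPN' or 'CN'")
    if not name:                      # field missing or empty
        return None, MSG_NO_NAME
    for user in known_users:          # assumption: case-insensitive, domain included
        if user.lower() == name.lower():
            return user, "signed in"
    if fallback_enabled:              # unrecognized name, fallback on
        return None, MSG_FALLBACK_DIALOG
    return None, MSG_INVALID          # unrecognized name, fallback off


if __name__ == "__main__":
    cert = make_client_cert("jdoe", upn="jdoe@corp.example")
    print("CN:", cert_cn(cert), "UPN:", cert_upn(cert))
    # CN mapping against a domain-qualified account: the bare CN does not match.
    print(diagnose(cert, "CN", {"CORP\\jdoe"}, fallback_enabled=False))
    print(diagnose(cert, "UPN", {"jdoe@corp.example"}, fallback_enabled=False))
```

To run this against a real client certificate, load it with `x509.load_pem_x509_certificate` instead of calling `make_client_cert`; `cert_cn` and `cert_upn` then show exactly which string the server would try to match. A bare `jdoe` in the CN does not match a `CORP\jdoe` account on the server, which is the domain mismatch the resolution steps above warn about.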
The user is signed in using an unexpected user name (LDAP mapping)
When the server is configured to use Active Directory authentication and LDAP mapping, the certificate is linked to a user in Active Directory. If the certificate contains a user name in the UPN or CN field, that user name is ignored.
If the intention is that the user should be signed in with the user name in the UPN or CN fields, the server should be configured to use UPN or CN mapping.
The user is signed in as the incorrect user (UPN or CN mapping)
Under some circumstances, the user name in a UPN or CN field in the client certificate can be ambiguous. The result is that a user is signed in to the incorrect identity.
For more information about the conditions under which this issue can occur, see the section “Address user-name ambiguity in multi-domain organizations” in Mapping a Client Certificate to a User During Mutual Authentication.