Configuring Kerberos authentication on Tableau server running on Windows
The goal of this article is to give you one place to find all steps necessary to configure Kerberos authentication on the Tableau server. This article is a consolidation of several articles and blogs, and at the end of each chapter I have added links to the original articles.
In this article I will cover a scenario where the data source is Microsoft SQL Server. The information about server names, IP addresses, service accounts, and other components is listed below.

DOMAIN
- NETBIOS: TAB
- FQDN: TAB.NET
SQL Server
- IP: 10.1.0.3
- Name: SQLSRV01
- Service Account: SQLSVC01
- Login name: SQLADM
Tableau server
- IP: 10.1.0.4
- Name: TABSRV01
- Service Account: TABSVC01
- Login name: TABADM01
DNS
You probably already have a CNAME or an A record pointing at your load balancer or at one of your Tableau servers. In my example, I will be using an A record that points to my only Tableau server.
Create an A record named tableau that points at the IP of the Tableau server.
Tableau -> 10.1.0.4
Configure Service Principal Names (SPNs)
Log in to a Domain Controller or a machine running Windows with an account that has permissions to write to the Active Directory.
Go to Start/Run and type CMD (run as administrator)
Register SPNs for SQL Server
To register SPNs for the SQL Server run the following commands:
SETSPN -F -S MSSQLSvc/SQLSRV01 TAB\SQLSVC01
SETSPN -F -S MSSQLSvc/SQLSRV01.TAB.NET TAB\SQLSVC01
To confirm that the SPNs have been configured correctly run the following command:
SETSPN -L TAB\SQLSVC01
The result should look something like this:
Registered ServicePrincipalNames for CN=SQLSRV01,CN=Computers,DC=DC01,DC=TAB,DC=NET:
MSSQLSvc/SQLSRV01
MSSQLSvc/SQLSRV01.TAB.NET
More information on registering Microsoft SQL SPNs
Register SPNs for Tableau
To register SPNs for the Tableau Server run the following commands:
SETSPN -F -S HTTP/TABLEAU TAB\TABSVC01
SETSPN -F -S HTTP/TABLEAU.TAB.NET TAB\TABSVC01
To confirm that the SPNs have been configured correctly, run the following command:
SETSPN -L TAB\TABSVC01
The result should look something like this:
Registered ServicePrincipalNames for CN=TABSVC01,OU=Service Accounts,DC=DC01,DC=TAB,DC=NET:
HTTP/TABLEAU
HTTP/TABLEAU.TAB.NET
Create KeyTab file
Run the following command from any server running Windows that is a member of the TAB.NET domain.
The account will need write permissions in your Active Directory:
KTPASS /princ HTTP/tableau.tab.net@tab.net /pass !password! /ptype KRB5_NT_PRINCIPAL /crypto AES256-SHA1 /out kerberos.keytab
Enabling Kerberos Delegation for SQL Server
Step 1: Specify the Run As User for delegation
1. On the Active Directory domain controller, start the Active Directory Users and Computers (ADUC) tool.
2. In the left pane (Active Directory Domain Services), click Users.
3. In the Users pane, right-click the name of the Run As User who will be doing the delegation (in my case TAB\TABSVC01) and then click Properties.
4. In the Properties dialog box, in the left pane, select Delegation.

5. In the Delegation section, select Trust this user for delegation to specified services only.

6. Select Use any authentication protocol.

Step 2: Add SQL Server service accounts for delegation
1. To specify the services to be delegated, click Add.
2. In the Add Services dialog box, click Add Users or Computers.
3. In the text field, type the name of the SQL Server service account (TAB\SQLSVC01) and then click Check Names. The account should be found.
4. Click OK. The SPN (Service Principal Name) list is populated.
5. Sort the SPN list by Service Type to locate services of MSSQLSvc type.
6. Select the two SPNs of type MSSQLSvc for the SQL server and then click OK. The SPNs should now appear in the SPN list in the delegation section of the properties window for the user.

7. Click OK.
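To read back what Steps 1 and 2 configured, the following PowerShell is an added example and not part of the original article. It assumes the RSAT ActiveDirectory module is installed and reuses the article's account and SPN names; the variable names are illustrative.

```powershell
# Added example: audit the constrained-delegation settings made in ADUC.
# Assumption: RSAT ActiveDirectory module is available on this machine.
Import-Module ActiveDirectory

$runAs    = 'TABSVC01'                      # Tableau Run As account (from the article)
$expected = @('MSSQLSvc/SQLSRV01',          # the two SPNs selected in Step 2
              'MSSQLSvc/SQLSRV01.TAB.NET')

$props = @('msDS-AllowedToDelegateTo', 'TrustedForDelegation',
           'TrustedToAuthForDelegation', 'ServicePrincipalNames')
$u = Get-ADUser -Identity $runAs -Properties $props

# Services this account may delegate to (empty if nothing was added)
$allowed = @($u.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

[pscustomobject]@{
    Account                 = $u.SamAccountName
    # The Delegation tab only appears when the account owns an SPN
    HasHttpSpn              = [bool]($u.ServicePrincipalNames -match '^HTTP/')
    # "Trust this user for delegation to any service" must stay off
    UnconstrainedDelegation = [bool]$u.TrustedForDelegation
    # "Use any authentication protocol" sets this flag
    ProtocolTransition      = [bool]$u.TrustedToAuthForDelegation
    AllowedToDelegateTo     = $allowed -join '; '
    # Expected SQL Server SPNs that are not in the list
    MissingTargets          = ($expected | Where-Object { $allowed -notcontains $_ }) -join '; '
    # Anything delegated beyond the two SQL Server SPNs
    UnexpectedTargets       = ($allowed | Where-Object { $expected -notcontains $_ }) -join '; '
} | Format-List
```

With the configuration from this chapter, UnconstrainedDelegation should be False, ProtocolTransition True, and both MissingTargets and UnexpectedTargets empty.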
Enable Run As Service Account to Act as the Operating System
To use Kerberos delegation with Tableau Server, you must configure the Run As service account to act as the operating system on each Tableau Server node.
1. On the computer that is running Tableau Server, select Start > Control Panel > Administrative Tools > Local Security Policy.
2. In the Local Security Settings window, expand Local Policies, click User Rights Assignments, and then right-click Act as part of the operating system and select Properties.

3. In the Act as part of the operating system Properties window, click Add User or Group.
4. Type the <domain>\<username> for the Tableau Server Run As service account (for example: TAB\TABSVC01), and then click Check Names.
5. When the account resolves correctly, it is underlined. Click OK.
6. Click OK to close the Local Security Policy windows.
Configure and Enable Kerberos
- Log in to the Tableau server
- Go to Start/Run and type CMD (run as administrator)
1. Type the following command to register the keytab file that you created in one of the previous steps:
tsm authentication kerberos configure --keytab-file kerberos.keytab
2. Type the following command to enable Kerberos:
tsm authentication kerberos enable
Enable Kerberos delegation on Tableau server
1. Run the following TSM command to enable Kerberos delegation:
tsm configuration set -k wgserver.delegation.enabled -v true
2. Run the following TSM command to apply the changes to Tableau Server:
tsm pending-changes apply
Kerberos delegation explained
Confirm functionality
Log in to the Tableau portal http://tableau
Confirm that you have received a Kerberos ticket by running the klist command from CMD (in my example it is HTTP/tableau.tab.net):
klist
Result:
Client: User @ TAB.LOCAL
Server: HTTP/tableau.tab.net @ TAB.NET
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
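The sample result above shows an RC4-HMAC ticket although the keytab was created with AES256-SHA1. The following PowerShell is an added example, not part of the original article, that parses klist output and reports whether the ticket for the Tableau SPN uses AES. The function name Get-KlistTicket is hypothetical, and the input is a constructed sample built from the lines shown above.

```powershell
# Added example: check the encryption type of the Tableau service ticket.
# Constructed sample taken from the article's result; on a live client use:
#   $klist = klist
$klist = @(
    'Client: User @ TAB.LOCAL'
    'Server: HTTP/tableau.tab.net @ TAB.NET'
    'KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)'
)

function Get-KlistTicket {
    # Hypothetical helper: turns klist text into one object per ticket.
    param([string[]]$Lines)
    $t = $null
    foreach ($line in $Lines) {
        # Real klist prefixes each ticket with "#0>", "#1>", ...
        if ($line -match '^\s*(?:#\d+>\s*)?Client:\s*(.+?)\s*$') {
            if ($t) { [pscustomobject]$t }      # emit the previous ticket
            $t = [ordered]@{ Client = $Matches[1]; Server = $null; EncType = $null }
        } elseif ($t -and $line -match '^\s*Server:\s*(.+?)\s*$') {
            $t.Server = $Matches[1]
        } elseif ($t -and $line -match '^\s*KerbTicket Encryption Type:\s*(.+?)\s*$') {
            $t.EncType = $Matches[1]
        }
    }
    if ($t) { [pscustomobject]$t }              # emit the last ticket
}

# Keep only the ticket for the Tableau SPN and flag non-AES encryption
Get-KlistTicket -Lines $klist |
    Where-Object { $_.Server -like 'HTTP/tableau*' } |
    Select-Object Client, Server, EncType,
        @{ Name = 'UsesAes'; Expression = { $_.EncType -like 'AES*' } }
```

For the sample above UsesAes is False; a ticket issued with AES reports an encryption type such as AES-256-CTS-HMAC-SHA1-96.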