Extending Enterprise Security with Kerberos Support: Now in Beta!

By Neelesh Kamkolkar October 20, 2014

Kerberos is coming to Tableau very soon. Many of you have asked for Kerberos support to provide single sign-on from the client all the way to the database. Well, I’m excited to announce the beta of Tableau 8.3, which delivers support for Kerberos for Microsoft SQL Server, Microsoft Analysis Server, and Cloudera Impala.

Tableau already supports enterprise class security and authentication mechanisms like integration with Active Directory and Identity Management providers with SAML. In addition, Tableau Server supports native authentication for smaller teams that want to use Server out of the box. With the release of 8.3, we are extending that flexibility further to include support for Kerberos.

Background on Kerberos

Kerberos is a secure authentication protocol, which delivers single sign-on for end users across multiple services on a network, using strong cryptography. It was originally developed by MIT using 3 distinct services (Key Distribution Center, also known as KDC, Authentication Service, and Ticket Granting Service) in addition to encryption to ensure the user is authenticated to various services on the network and communication is secured. The name Kerberos is a tribute to the three-headed dog of Greek mythology that guarded the gates of Hades.

Kerberos in Tableau 8.3

So, what does Kerberos support mean for Tableau users?

  • It provides a seamless, single-sign-on experience from an end user’s Tableau client to the backend data source.
  • It leverages existing IT investments in enterprise-grade authentication and data security.
  • It extends to smart card authentication.
  • It enables easy user administration and management.

As an end user, the Tableau Server experience with Kerberos becomes more delightful in many ways:

  • No prompting of user credentials when signing-in to Tableau Server from a Windows or Mac Tableau desktop client
  • When viewing a workbook that uses a live connection to a supported data source, the user will automatically be signed-in to the data source as himself
  • When viewing a workbook that uses a live connection to a supported data source, the user will only be able to see the data that he has access to

As an author, the publishing workflow hasn’t changed, except for the new ability to select “Viewer Credentials” for authentication.

For IT Administrators: How to configure Kerberos

Configuring Kerberos in various systems can cause painful problems. However, working closely with our Alpha customers (a big thank you to you!), we made improvements to make it easy to enable Kerberos in Tableau.

When configuring Tableau Server, follow these 4 simple steps to ensure Kerberos is configured and working as shown in Figure 1.

Figure 1: Kerberos Configuration for Tableau Server

As a Tableau Server administrator, verify the below before following the next steps:

  • Verify that you have Domain Administrator privileges and access to the Domain Controller server
  • Verify that the server is using Active Directory integration
  • Check the “Enable Kerberos for single sign-in” box to enable a step-by-step guide for the rest of the configuration

Step 1: Tableau Server provides a script for your domain administrator to run on the domain controller (AD) machine to configure Kerberos. Specifically, for those of you that are familiar with Kerberos, this script will set up the SPNs and generate the keytabs.

Step 2: The domain administrator runs the script on the domain controller.

Step 3: A keytabs file will be returned and needs to be applied in the server configuration. This will place the keytabs file in the correct folder for Tableau Server.

Step 4: Test to see if the Kerberos configuration is correct and working.

Once the server is configured and a few workbooks with ‘Viewer Credentials’ have been published, an icon, similar to Figure 2, will appear in place of a preview for the viz. This behavior is by design for Kerberos and prevents users without authorization from seeing any data that they shouldn’t in preview images.

Figure 2: User Specific Preview Icons

Hopefully this gives you a good sense of what Tableau Server’s support for Kerberos enables you to do, and also provides some brief insights into deploying your own beta (To receive access to the Beta, email your account manager to be nominated and added to the program). There will be a lot more information about how to install and configure Tableau Server with Kerberos in the administration guide. I encourage all of you to participate in the beta and ensure your workbooks are working as expected. One of our key goals for the beta is to maximize participation to ensure there are no regressions with your workbooks in your environment.


Submitted by Neelesh Kamkolkar (not verified) on

Here is an introductory video walk through of the feature.


Submitted by Paul B. on

Thanks. This feature is key for my users. We've worked with Tableau to help shape it so it's great to see it finally arrive.


Submitted by Wayne P. on

Where can I get my hands on the 8.3 beta?

Submitted by Neelesh Kamkolkar (not verified) on

Please drop me a note with your email address at nkamkolkar AT tableausoftware.com

If you are an existing customer, we should be able get you enrolled quickly.


Submitted by Darren W. on

This appears to be limited to SQL Server , when can we expect Oracle Kerberos authentication enabled ?
Furthermore, how does this work for the schedules as the Kerberos token would not be present ?

Submitted by Neelesh Kamkolkar (not verified) on

Thanks for your comment. The video primarily shows the SQL walk through. The support extends to SQL, Analysis Services and also Cloudera Impala. I can't provide you with specifics on roadmap in this forum, but our approach is to incrementally add support for the data sources. On your question about schedules, the server process(backgrounder for the schedules) is setup to get a ticket to itself on behalf of the end user using S4U2Self. For specific datasources, please submit your ideas and requests on the Ideas forum http://community.tableausoftware.com/community/ideas with any specifics/details (like are you using VPD etc.)


Submitted by Jeff S. on

can I get be part of the beta program?

Submitted by Damien L. on

Does this mean that the users will be automatically login to Tableau Server from their browser?

Even though our data source is not supported yet, it might be a good idea to use Kerberos instead of SAML.

Submitted by Go3K Games (not verified) on

Go3K.net is directory flash games update new-best free games online from internet. Here you can find game: Action game, Racing game, Girls game ..and more. Visit and play funny games at Go3k Games . thank you

Add new comment