Kerberos is coming to Tableau very soon. Many of you have asked for Kerberos support to provide single sign-on from the client all the way to the database. Well, I’m excited to announce the beta of Tableau 8.3, which delivers support for Kerberos for Microsoft SQL Server, Microsoft Analysis Server, and Cloudera Impala.
Tableau already supports enterprise class security and authentication mechanisms like integration with Active Directory and Identity Management providers with SAML. In addition, Tableau Server supports native authentication for smaller teams that want to use Server out of the box. With the release of 8.3, we are extending that flexibility further to include support for Kerberos.
Kerberos is a secure authentication protocol, which delivers single sign-on for end users across multiple services on a network, using strong cryptography. It was originally developed by MIT using 3 distinct services (Key Distribution Center, also known as KDC, Authentication Service, and Ticket Granting Service) in addition to encryption to ensure the user is authenticated to various services on the network and communication is secured. The name Kerberos is a tribute to the three-headed dog of Greek mythology that guarded the gates of Hades.
So, what does Kerberos support mean for Tableau users?
- It provides a seamless, single-sign-on experience from an end user’s Tableau client to the backend data source.
- It leverages existing IT investments in enterprise-grade authentication and data security.
- It extends to smart card authentication.
- It enables easy user administration and management.
As an end user, the Tableau Server experience with Kerberos becomes more delightful in many ways:
- No prompting of user credentials when signing-in to Tableau Server from a Windows or Mac Tableau desktop client
- When viewing a workbook that uses a live connection to a supported data source, the user will automatically be signed-in to the data source as himself
- When viewing a workbook that uses a live connection to a supported data source, the user will only be able to see the data that he has access to
As an author, the publishing workflow hasn’t changed, except for the new ability to select “Viewer Credentials” for authentication.
Configuring Kerberos in various systems can cause painful problems. However, working closely with our Alpha customers (a big thank you to you!), we made improvements to make it easy to enable Kerberos in Tableau.
When configuring Tableau Server, follow these 4 simple steps to ensure Kerberos is configured and working as shown in Figure 1.
Figure 1: Kerberos Configuration for Tableau Server
As a Tableau Server administrator, verify the below before following the next steps:
- Verify that you have Domain Administrator privileges and access to the Domain Controller server
- Verify that the server is using Active Directory integration
- Check the “Enable Kerberos for single sign-in” box to enable a step-by-step guide for the rest of the configuration
Step 1: Tableau Server provides a script for your domain administrator to run on the domain controller (AD) machine to configure Kerberos. Specifically, for those of you that are familiar with Kerberos, this script will set up the SPNs and generate the keytabs.
Step 2: The domain administrator runs the script on the domain controller.
Step 3: A keytabs file will be returned and needs to be applied in the server configuration. This will place the keytabs file in the correct folder for Tableau Server.
Step 4: Test to see if the Kerberos configuration is correct and working.
Once the server is configured and a few workbooks with ‘Viewer Credentials’ have been published, an icon, similar to Figure 2, will appear in place of a preview for the viz. This behavior is by design for Kerberos and prevents users without authorization from seeing any data that they shouldn’t in preview images.
Figure 2: User Specific Preview Icons
Hopefully this gives you a good sense of what Tableau Server’s support for Kerberos enables you to do, and also provides some brief insights into deploying your own beta (To receive access to the Beta, email your account manager to be nominated and added to the program). There will be a lot more information about how to install and configure Tableau Server with Kerberos in the administration guide. I encourage all of you to participate in the beta and ensure your workbooks are working as expected. One of our key goals for the beta is to maximize participation to ensure there are no regressions with your workbooks in your environment.