
Configuring SSO for Tableau Server

Rob_Z_
Occasional Contributor

Has anyone successfully set up SSO for Tableau server?  I'm stumped.  I've got the resource policy configured and all my SSO policies work just fine with all of our other resources.  When attempting to connect to Tableau the user is presented with a Kerberos authentication page from the appliance.  Entering in username and password and realm does not work.  User logs show a successful TGT and Service Ticket, but there's no information in the Security log of the server.  It's as if the credentials are not being passed to the server.

 

Just wondering if anyone has seen something similar.

9 REPLIES
jayLaiz_
Super Contributor

Re: Configuring SSO for Tableau Server

Hi,

 

Can you take an http watch log (www.httpwatch.com) in the LAN when accessing the server? We can see what authentication methods the backend server is challenging for.

If NTLM is one of the authentication challenge methods, we can try configuring NTLM SSO.

 

Regards,

Jay

Rob_Z_
Occasional Contributor

Re: Configuring SSO for Tableau Server

I don't have a license for httpwatch, checking to see if one of my co-workers does, and the free version does not provide information for an internal resource.

 

I've configured SSO for NoSSO, Basic, NTLM, and Kerberos, all with no success.  When configured for NoSSO or Basic I get a Kerberos challenge from Juniper, which is expected.  When configured for NTLM or Kerberos, I get the NTLM or Kerberos response page respectively, but entering in valid credentials in either configuration does not work.  I know that the credentials are valid as the site loads correctly when on the LAN/WAN.  It's as if the credentials are not being passed to the backend or the backend is rejecting valid credentials.

zanyterp_
Respected Contributor

Re: Configuring SSO for Tableau Server

On your dsrecord/session recording, do you see the correct credentials being passed on the 401 request/response from the server?
Rob_Z_
Occasional Contributor

Re: Configuring SSO for Tableau Server

No, I don't.  However I'm not sure if the credentials are hashed or not.  I ran a dsrecord and saw that the authorization was in fact NTLM.  I modified the SSO policies accordingly but it's still failing to SSO and manual passing of the credentials is still not working either.  Still no security logs on the server itself to show a failed logon.  The new dsrecord is below after switching SSO to NTLM.  ############## values represent things I wasn't comfortable sharing.

 

---- dsrecord.request.after.header:None - 10045.00006 - { 390 } ---- 20130221093044.873459 ----
GET /auth?destination=%2F HTTP/1.0
Host: #####################
Connection: Keep-Alive
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Authorization: NTLM ##############################
Cookie: workgroup_session_id=40f4d663d16051313ffff328271d1abc


---- dsrecord.response.before.header:None - 10045.00007 - { 773 } ---- 20130221093044.876014 ----
HTTP/1.1 401 Authorization Required
Date: Thu, 21 Feb 2013 14:30:44 GMT
Server: Apache/2.2.21 (Win32) mod_auth_sspi/1.0.4
WWW-Authenticate: NTLM #########################
Last-Modified: Fri, 08 Feb 2013 00:44:34 GMT
ETag: "b09-4d52bdcff7169"
Accept-Ranges: bytes
Content-Length: 2825
Vary: Accept-Encoding
P3P: CP="NON"
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
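
Added example, not part of any post in this thread: a small decoder for the `Authorization: NTLM ...` and `WWW-Authenticate: NTLM ...` tokens that a capture like the dsrecord above contains, reporting which handshake message each one is and, for an AUTHENTICATE message, which account name was sent. It assumes the standard NTLMSSP message layout; the function names and sample tokens are constructed for illustration.

```python
import base64
import struct

NTLM_SIG = b"NTLMSSP\x00"
MSG_NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def _secbuf(msg, off):
    # Security buffer: uint16 length, uint16 max length, uint32 payload offset.
    length, _maxlen, start = struct.unpack_from("<HHI", msg, off)
    return msg[start:start + length]

def describe_ntlm(token_b64):
    """Classify the base64 token that follows 'NTLM ' in an HTTP auth header."""
    try:
        msg = base64.b64decode(token_b64, validate=True)
    except ValueError:  # redacted or truncated token
        return {"type": "INVALID"}
    if len(msg) < 12 or not msg.startswith(NTLM_SIG):
        return {"type": "INVALID"}
    mtype = struct.unpack_from("<I", msg, 8)[0]
    info = {"type": MSG_NAMES.get(mtype, "UNKNOWN")}
    if mtype == 2 and len(msg) >= 32:
        info["server_challenge"] = msg[24:32].hex()
    elif mtype == 3 and len(msg) >= 64:
        unicode_names = struct.unpack_from("<I", msg, 60)[0] & 0x1
        enc = "utf-16-le" if unicode_names else "latin-1"
        info["domain"] = _secbuf(msg, 28).decode(enc, "replace")
        info["user"] = _secbuf(msg, 36).decode(enc, "replace")
        info["nt_response_len"] = len(_secbuf(msg, 20))  # challenge response, not the password
    return info

def trace_auth(headers):
    """headers: (direction, name, value) tuples in capture order -> handshake steps."""
    steps = []
    for direction, name, value in headers:
        if name.lower() not in ("authorization", "www-authenticate"):
            continue
        scheme, _, token = value.partition(" ")
        if scheme.upper() == "NTLM" and token.strip():
            steps.append((direction, "NTLM " + describe_ntlm(token.strip())["type"]))
        else:
            steps.append((direction, "offer " + scheme))
    return steps

# Constructed tokens and capture (the thread's real tokens are redacted).
TYPE1 = base64.b64encode(NTLM_SIG + struct.pack("<II", 1, 0x207) + b"\x00" * 16).decode()
TYPE2 = base64.b64encode(NTLM_SIG + struct.pack("<IHHII", 2, 0, 0, 32, 0x205) + bytes(range(8))).decode()
SAMPLE = [("request", "Authorization", "NTLM " + TYPE1), ("response", "WWW-Authenticate", "NTLM " + TYPE2),
          ("response", "WWW-Authenticate", "Negotiate"), ("response", "WWW-Authenticate", "NTLM")]
```

A capture that never shows an AUTHENTICATE message from the client side means the handshake stopped before any account name or response was sent to the backend.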

jayLaiz_
Super Contributor

Re: Configuring SSO for Tableau Server

Hi,

 

Can you see if there is an initial basic auth SSO policy applied to the role? If so, can you unassign the role concerned from that policy and check?

 

Regards,

Jay

zanyterp_
Respected Contributor

Re: Configuring SSO for Tableau Server

The server is also sending/replying with a Kerberos prompt (WWW-Authenticate: Negotiate).

Are you seeing the user access log connecting successfully/triggering of the web credential policy?

What is your web encoding policy at users>resource policies>web>encoding? There is something more severe happening if the manual credentials are failing; do those fail as well if you have all SSO policies configured?

Rob_Z_
Occasional Contributor

Re: Configuring SSO for Tableau Server

We do not have any web encoding policies defined.

 

When configured for Kerberos I do see the Web SSO triggering, but I don't get an authentication successful event in the user log.  When I try to force NTLM I do not see the Web SSO triggering.  

 

Manual entering of credentials never works no matter what SSO policies are configured.

 

I've found that if I configure a NoRewrite policy and use WSAM I can manually enter credentials and access the resource.  This is not the preferred configuration though.

 

Logs below for Kerberos SSO.

 

Unsuccessful attempt to Tableau server

Info WEB24618 2013-02-22 17:30:31 - PRIMARY - [#] #(#)[General Access, Outlook Web Access - SS, Tableau Users - Mascocorp] - Web SSO: Fetched Kerberos Service Ticket Client: #@#, Server: #, auth 02/22/13 17:30:31, start 02/22/13 17:30:31, end 02/23/13 03:30:31, renew 12/31/69 19:00:00, current 02/22/13 17:30:31
Info WEB24618 2013-02-22 17:30:31 - PRIMARY - [#] #(#)[General Access, Outlook Web Access - SS, Tableau Users - Mascocorp] - Web SSO: Fetched Kerberos TGT Ticket Client: #@#, Server: #/#, auth 02/22/13 17:30:31, start 02/22/13 17:30:31, end 02/23/13 03:30:31, renew 12/31/69 19:00:00, current 02/22/13 17:30:31
Info WEB20169 2013-02-22 17:30:30 - PRIMARY - [#] #(#)[General Access, Outlook Web Access - SS, Tableau Users - Mascocorp] - WebRequest ok : Host: #, Request: GET /auth?destination=%2F HTTP/1.1

 

Successful attempt to Sharepoint server

AUT24796 2013-02-22 17:31:44 - PRIMARY - [#] #(#)[General Access, Outlook Web Access - SS, Tableau Users - Mascocorp] - Web SSO: Authentication successful. Credential Used: Username: #, Realm: #, Auth Type: (32) Kerberos, Cred Type: (0) System Credential, Target: #, Has Ticket: 1,

Info WEB24618 2013-02-22 17:31:42 - PRIMARY - [#] #(#)[General Access, Outlook Web Access - SS, Tableau Users - Mascocorp] - Web SSO: Fetched Kerberos Service Ticket Client: #@#, Server: #@#, auth 02/22/13 17:30:31, start 02/22/13 17:31:42, end 02/23/13 03:30:31, renew 12/31/69 19:00:00, current 02/22/13 17:31:42
Info WEB20169 2013-02-22 17:31:42 - PRIMARY - [#] #(#)[General Access, Outlook Web Access - SS, Tableau Users - Mascocorp] - WebRequest ok : Host: #, Request: GET /sites/it/ HTTP/1.1

 

 

Rob_Z_
Occasional Contributor

Re: Configuring SSO for Tableau Server

I'm kind of spitballing here, but does anyone know of any SSL requirements for Kerberos or NTLM SSO with Apache as a backend?  I was looking at the server software configuration and noticed that the application owner did not configure the application to use SSL.  I'm tempted to ask him to enable SSL and load a valid certificate as I'm willing to try anything at this point to get it working.

zanyterp_
Respected Contributor

Re: Configuring SSO for Tableau Server

I haven't heard of any; but that doesn't mean they don't exist in some infrastructures, just that I haven't worked on any yet.

When you look at the dsrecord/session recording without any SSO policies configured, do you see the credential going through successfully (meaning it is encoded and sent correctly)?

It is possible that one side of that web connection is not liking what the other is doing.