Enabling Kerberos Delegation for SQL Server

Version 2

    Starting with Tableau Server 8.3, Tableau Server supports Kerberos authentication.


    To use Kerberos authentication with a SQL Server data source, you need to do the following:


    • Configure Tableau Server for Kerberos. For more information, see Configure Kerberos in the Tableau Help. With Tableau Server configured, you can use Kerberos for single sign-on (SSO) between Tableau Desktop or a web browser and Tableau Server.

    • Enable Kerberos delegation in Active Directory (AD). To do this, you need to be a domain administrator for your AD domain. The following steps describe how to enable Kerberos delegation in AD.


    Note  To help you configure Kerberos, Tableau Support provides information about the Active Directory permissions that are required in order to enable SQL Server delegation. However, the Support team cannot assist customers in making changes to their Active Directory settings. If you need help with Active Directory configuration, consult your internal Active Directory support team or Microsoft.


    Step 1: Specify the Run As User for delegation

    1. On the Active Directory domain controller, start the Active Directory Users and Computers (ADUC) tool.

    2. In the left pane (Active Directory Domain Services), click Users.

    3. In the Users pane, right-click the name of the Run As User who will be doing the delegation and then click Properties.

    4. In the Properties dialog box, in the left pane, select Delegation.

    5. In the Delegation section, select Trust this user for delegation to specified services only.

    6. Select Use any authentication protocol.


    Step 2: Add SQL Server service accounts for delegation

    1. To specify the services to be delegated, click Add.

    2. In the Add Services dialog box, click Add Users or Computers.

    3. In the text field, type the name of the SQL Server service account and then click Check Names. The account should be found.

    4. Click OK. The SPN (Service Principal Name) list is populated.

    5. Sort the SPN list by Service Type to locate services of MSSQLSvc type.

    6. Select the two SPNs of type MSSQLSvc for the SQL Server and then click OK. The SPNs should now appear in the SPN list in the delegation section of the properties window for the user.

    7. Click OK.
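
    To confirm that the settings from Step 1 and Step 2 took effect, the check below compares the Run As User's delegation attributes with the MSSQLSvc SPNs you intended to add. It is an added example, not part of the original Tableau article; the function name, the account name svc-tableau, the host sql01.example.com and the sample object are constructed placeholders.

```powershell
# Added example: audit the Run As User's delegation settings after Steps 1 and 2.
# All names, hosts and SPNs here are constructed placeholders.
function Test-RunAsDelegation {
    param(
        [Parameter(Mandatory)] $Account,               # Get-ADUser output, or an object of the same shape
        [Parameter(Mandatory)] [string[]] $ExpectedSpn # the MSSQLSvc SPNs selected in Step 2
    )
    $allowed  = @($Account.'msDS-AllowedToDelegateTo')
    $findings = @()

    # Step 1.5: "specified services only" means unconstrained delegation must be off.
    if ($Account.TrustedForDelegation) {
        $findings += 'FAIL: account is trusted for delegation to any service (unconstrained)'
    }
    # Step 1.6: "Use any authentication protocol" turns on protocol transition.
    if (-not $Account.TrustedToAuthForDelegation) {
        $findings += 'FAIL: "Use any authentication protocol" is not set'
    }
    # Step 2: every intended MSSQLSvc SPN must be in the delegation list.
    foreach ($spn in $ExpectedSpn) {
        if ($allowed -notcontains $spn) { $findings += "FAIL: missing delegation target $spn" }
    }
    # Anything else in the list widens what the Run As User can impersonate to.
    foreach ($spn in $allowed) {
        if ($spn -and $ExpectedSpn -notcontains $spn) {
            $findings += "REVIEW: unexpected delegation target $spn"
        }
    }
    if (-not $findings) { $findings = @('OK: delegation matches Steps 1 and 2') }
    $findings
}

# Constructed sample: one of the two MSSQLSvc SPNs was missed in Step 2.
$expected = 'MSSQLSvc/sql01.example.com', 'MSSQLSvc/sql01.example.com:1433'
$sample = [pscustomobject]@{
    SamAccountName             = 'svc-tableau'
    TrustedForDelegation       = $false
    TrustedToAuthForDelegation = $true
    'msDS-AllowedToDelegateTo' = @('MSSQLSvc/sql01.example.com:1433')
}
Test-RunAsDelegation -Account $sample -ExpectedSpn $expected

# Against a live domain (requires the ActiveDirectory module):
# $acct = Get-ADUser -Identity 'svc-tableau' -Properties TrustedForDelegation,
#             TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
# Test-RunAsDelegation -Account $acct -ExpectedSpn $expected
```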