Enabling Kerberos Delegation for Teradata

Version 2

    Starting with Tableau Server 9.3, Tableau Server supports Kerberos authentication with a Teradata data source.

     

    To use Kerberos authentication with a Teradata data source, you need to do the following:

     

    • Configure Tableau Server for Kerberos. For more information see Configure Kerberos in the Tableau Help. With Tableau Server configured, you can use Kerberos for single sign-on (SSO) between Tableau Desktop or a web browser and Tableau Server.

    • Enable Kerberos delegation in Active Directory (AD). To do this, you need to be a domain administrator for your AD domain. The following steps describe how to enable Kerberos delegation in AD.

     

    Note: Tableau Server does not support using Kerberos with a Teradata data source if the Teradata server is in a different domain than Tableau Server.

     

    Step 1: Specify the Run As User for delegation

    1. On the Active Directory domain controller, start the Active Directory Users and Computers (ADUC) tool.

    2. In the left pane (Active Directory Domain Services), click Users.

    3. In the Users pane, right-click the name of the user which Tableau Server runs under. This account will be used to set up delegation. Click Properties .

    4. In the Properties dialog box, select the Delegation tab.

    5. In the Delegation section, select Trust this user for delegation to specified services only.

    6. Select Use any authentication protocol.

     

    Step 2: Add Teradata service accounts for delegation

    1. On the Delegation tab, click Add.

    2. In the Add Services dialog box, click Users or Computers.

    3. In the text field, type the name of the Teradata service account and then click Check Names. The account should be found.

    4. Click OK.The Available Services list is populated with the SPNs (Service Principal Names).

    5. Sort the SPN list by Service Type to locate services of TERADATA type.

    6. Select the two SPNs of type TERADATA for the Teradata server and then click OK.The SPNs should now appear in the SPN list in the delegation section of the properties window for the user.

    7. Click OK.

     

    Step 3: Troubleshooting

    When Tableau Server is correctly configured for Kerberos you should be able to select the Viewer Credentials authentication option when publishing a workbook.

     

    For more troubleshooting suggestions, see Troubleshoot Kerberos in the Tableau help.