Enabling Kerberos Delegation for PostgreSQL

Version 1

    Starting with Tableau Server 9.3, Tableau Server supports Kerberos authentication with a PostgreSQL data source.

     

    To use Kerberos authentication with a PostgreSQL data source, you need to do the following:

     

    • Configure Tableau Server for Kerberos. For more information, see Configure Kerberos in the Tableau Help. With Tableau Server configured, you can use Kerberos for single sign-on (SSO) between Tableau Desktop or a web browser and Tableau Server.

    • Enable Kerberos delegation in Active Directory (AD). To do this, you need to be a domain administrator for your AD domain. The following steps describe how to enable Kerberos delegation in AD.

     

    Note: PostgreSQL must be configured so that the username sent by the driver matches an entry in pg_hba or pg_ident. The username sent by the driver is the system login username, typically not qualified with the domain. If no mapping has been set up between the pg_hba rule and an entry in pg_ident, this may (if include_realm is enabled) result in a mismatch.

     

    For example, a user "tabrocks" is logged in with a domain account in MY.DOMAIN, and PostgreSQL is configured for Kerberos in the following way:

     

    pg_hba.conf:


    host all all 0.0.0.0/0 gss include_realm=1 krb_realm=MY.DOMAIN map=mykrbmap

     

    pg_ident.conf:


    mykrbmap /^(.*)@MY\.DOMAIN$ \1-mydomain

     

    The PostgreSQL driver will send "tabrocks" as the username and tabrocks@MY.DOMAIN as the Kerberos principal. GSS authentication occurs and the user tabrocks@MY.DOMAIN is mapped back (using the mykrbmap map) to the internal PostgreSQL user, "tabrocks-mydomain".
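
    The following is an added example, not part of the Tableau article: a small model of how PostgreSQL evaluates the pg_hba.conf and pg_ident.conf lines above, where a GSS login is accepted only if the requested database user equals the name the map produces for the principal. The function names are hypothetical, and the parser assumes unquoted, whitespace-separated fields.

```python
import re

# Constructed from the page's example: its pg_ident.conf line and krb_realm value.
PG_IDENT = r"mykrbmap /^(.*)@MY\.DOMAIN$ \1-mydomain"
KRB_REALM = "MY.DOMAIN"


def parse_ident(text):
    """Return (map-name, system-username, database-username) tuples.

    Simplified: unquoted, whitespace-separated fields only.
    """
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3 and not fields[0].startswith("#"):
            entries.append(tuple(fields))
    return entries


def mapped_roles(principal, map_name, entries):
    """Database roles the map grants to a principal (include_realm=1 form)."""
    roles = []
    for name, system_user, db_user in entries:
        if name != map_name:
            continue
        if system_user.startswith("/"):  # leading slash marks a regular expression
            match = re.search(system_user[1:], principal)
            if match:
                first = match.group(1) if match.re.groups else ""
                roles.append(db_user.replace(r"\1", first))
        elif system_user == principal:
            roles.append(db_user)
    return roles


def gss_login_allowed(principal, requested_role, entries,
                      map_name="mykrbmap", realm=KRB_REALM):
    """True only if the realm passes krb_realm and the map yields requested_role."""
    if principal.rpartition("@")[2] != realm:
        return False
    return requested_role in mapped_roles(principal, map_name, entries)


if __name__ == "__main__":
    entries = parse_ident(PG_IDENT)
    for role in ("tabrocks-mydomain", "tabrocks"):
        print(role, gss_login_allowed("tabrocks@MY.DOMAIN", role, entries))
```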

     

    Step 1: Specify the Run As User for delegation

    1. On the Active Directory domain controller, start the Active Directory Users and Computers (ADUC) tool.

    2. In the left pane (Active Directory Domain Services), click Users.

    3. In the Users pane, right-click the name of the user that Tableau Server runs under. This account will be used to set up delegation. Click Properties.

    4. In the Properties dialog box, select the Delegation tab.

    5. In the Delegation section, select Trust this user for delegation to specified services only.

    6. Select Use any authentication protocol.

     

    Step 2: Add PostgreSQL service accounts for delegation

    1. On the Delegation tab, click Add.

    2. In the Add Services dialog box, click Add Users or Computers.

    3. In the text field, type the name of the PostgreSQL service account and then click Check Names. The account should be found.

    4. Click OK. The SPN (Service Principal Name) list is populated.

    5. Sort the SPN list by Service Type to locate services of POSTGRES type.

    6. Select the two SPNs of type POSTGRES for the PostgreSQL server and then click OK. The SPNs should now appear in the SPN list in the delegation section of the properties window for the user.

    7. Click OK.

     

    Step 3: Troubleshooting

    When Tableau Server is correctly configured for Kerberos, you should be able to select the Viewer Credentials authentication option when publishing a workbook.

    For more troubleshooting suggestions, see Troubleshoot Kerberos in the Tableau Help.
