Enable Kerberos Delegation for Oracle

Version 5

    Starting with Tableau Server version 10.0, Tableau Server supports Kerberos authentication for Oracle data sources.

    To use this feature, you must install and configure software on both Tableau Desktop and Tableau Server.

    Disclaimer: This topic includes information about a third-party product. Please note that while we make every effort to keep references to third-party content accurate, the information we provide here might change without notice as Oracle changes. For the most up-to-date information, please consult Oracle documentation and support.

    Configure Tableau Desktop

    This section describes how to configure Tableau Desktop on a Windows computer to use Kerberos with the Oracle connector.

    Prerequisites

    Before you can configure Kerberos for Oracle on Tableau Desktop, you must perform the following tasks on each installation of Tableau Desktop:

    Step 1: Set system environment variables

    Follow the procedure in the Tableau Knowledge Base to set the required environment variables.

    Note: All file path examples in this document use the C: drive as the system drive. If you have installed to a different drive, change the paths accordingly. In all cases, verify the paths. Oracle client paths will include the latest version (for example, 11.2.0), which might not match the file versions exactly as shown here.

    For the Oracle 11g client:

    • Set the ORACLE_HOME variable to C:\app\user_name\product\11.2.0\client_1
    • Set the TNS_ADMIN variable to C:\app\user_name\product\11.2.0\client_1\Network\Admin

    For the Oracle 12c client:

    • Set the ORACLE_HOME variable to C:\app\client\user_name\product\12.1.0\client_1
    • Set the TNS_ADMIN variable to C:\app\user_name\product\12.1.0\client_1\Network\Admin

    Step 2: Customize the sqlnet.ora file

    1. In a text editor, open the %ORACLE_HOME%\Network\Admin\sqlnet.ora file.
    2. Copy the following content into the file:

      For the Oracle 11g client:

      SQLNET.KERBEROS5_REALMS = C:\Windows\krb5.realms
      SQLNET.AUTHENTICATION_SERVICES = (BEQ, TCPS, KERBEROS5)
      SQLNET.KERBEROS5_CONF = C:\Windows\krb5.ini
      SQLNET.KERBEROS5_CONF_MIT = TRUE
      SQLNET.KERBEROS5_CC_NAME = OSMSFT:

      For the Oracle 12c client:

      SQLNET.KERBEROS5_REALMS = C:\Windows\krb5.realms
      SQLNET.AUTHENTICATION_SERVICES = (BEQ, TCPS, KERBEROS5PRE, KERBEROS5)
      SQLNET.KERBEROS5_CONF = C:\Windows\krb5.ini
      SQLNET.KERBEROS5_CONF_MIT = TRUE
      SQLNET.KERBEROS5_CC_NAME = OSMSFT:

    3. Save and close the file. You will need this file later when you configure Tableau Server.

    Step 3: (Optional) Create and customize the tnsnames.ora file

    If your users will connect using net service names, create the tnsnames.ora file.

    1. Open a text editor and copy the following content into the editor:

      ORCL =
      (DESCRIPTION =
            (ADDRESS = (PROTOCOL = TCP)(HOST = FQDN_of_Oracle_DB)(PORT = 1521))
            (CONNECT_DATA =
                  (SERVER = DEDICATED)
                  (SERVICE_NAME = orcl)
            )
      )

      where FQDN_of_Oracle_DB is the host name of the Oracle server your users will connect to, such as oracle1.dev.example.lan. You can add multiple host names to this parameter.

    2. Save the file and name it tnsnames.ora.
    3. Copy the file to the %ORACLE_HOME%\Network\Admin\ folder.

     

    Step 4: Create and customize the krb5.ini file

    1. Open a text editor and copy the following content into the editor:

      [libdefaults]
      forwardable = true
      default_realm = FQDN_user_domain
      default_tkt_enctypes = rc4-hmac
      default_tgs_enctypes = rc4-hmac

      [realms]
      FQDN_user_domain = {
            kdc = FQDN_domain_controller
            admin_server = FQDN_domain_controller
      }

      [domain_realm]
      .FQDN_user_domain = FQDN_user_domain
      FQDN_user_domain = FQDN_user_domain

      where:

      • FQDN_user_domain is the fully qualified domain name of the domain where users are authenticated, such as users.dev.example.lan
      • FQDN_domain_controller is the fully qualified domain name of a domain controller in the domain where users are authenticated, such as dc1.users.dev.example.lan
    2. Save the file and name it krb5.ini.
    3. Copy the file to the C:\Windows\ folder. When you configure Tableau Server, you will also copy this file to the computer running Tableau Server.
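
A consistency check for the two files created in Steps 2 and 4, added here as an example (it is not Tableau or Oracle code): it parses sqlnet.ora and krb5.ini and reports any setting that differs from the ones listed above, or a template placeholder that was never replaced. The function names, the script name in the usage comment, and the assumption of a single realm written with the brace on the same line as in Step 4 are this example's own.

```python
import re
import sys

def parse(text):
    """Parse 'name = value' lines into {section: {name: value}}.
    sqlnet.ora has no [section] headers, so its entries land under ''."""
    out, section = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;}":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            out.setdefault(section, {})
        elif "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            out[section][name] = value
    return out

def check(sqlnet_text, krb5_text):
    """Return findings; an empty list means both files match Steps 2 and 4."""
    found = []
    sqlnet = {k.upper(): v for k, v in parse(sqlnet_text)[""].items()}
    krb5 = parse(krb5_text)
    services = re.findall(r"\w+", sqlnet.get("SQLNET.AUTHENTICATION_SERVICES", "").upper())
    if "KERBEROS5" not in services:  # KERBEROS5PRE alone does not count
        found.append("sqlnet.ora: KERBEROS5 not in SQLNET.AUTHENTICATION_SERVICES")
    for name, want in (("SQLNET.KERBEROS5_CONF_MIT", "TRUE"),
                       ("SQLNET.KERBEROS5_CC_NAME", "OSMSFT:")):
        if sqlnet.get(name, "").upper() != want:
            found.append(f"sqlnet.ora: {name} is not {want}")
    if not sqlnet.get("SQLNET.KERBEROS5_CONF", "").lower().endswith("krb5.ini"):
        found.append("sqlnet.ora: SQLNET.KERBEROS5_CONF does not name krb5.ini")
    if "FQDN_" in krb5_text:  # template text copied without substitution
        found.append("krb5.ini: an FQDN_ placeholder was left in the file")
    lib = krb5.get("libdefaults", {})
    realm = lib.get("default_realm", "")
    if lib.get("forwardable", "").lower() != "true":
        found.append("krb5.ini: forwardable is not true")
    realms = krb5.get("realms", {})  # assumes one realm, laid out as in Step 4
    if realms.get(realm) != "{" or not realms.get("kdc"):
        found.append(f"krb5.ini: [realms] has no block with a kdc for {realm!r}")
    if krb5.get("domain_realm", {}).get("." + realm) != realm:
        found.append(f"krb5.ini: [domain_realm] lacks a .{realm} mapping")
    return found

if __name__ == "__main__":  # usage: python check_krb.py sqlnet.ora krb5.ini
    texts = [open(path, encoding="utf-8").read() for path in sys.argv[1:3]]
    print("\n".join(check(*texts)) or "OK")
```

Running it again on the Tableau Server computer after the files are copied there confirms that both machines carry the same settings.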

     

    Configure Tableau Server

    This section describes how to configure Tableau Server. You must follow these steps on each computer that is running Tableau Server.

    Prerequisites

    Before you can configure Kerberos for Oracle on Tableau Server, you must perform the following tasks:

    Step 1: Specify the Run As User account for authentication

    1. On the Active Directory domain controller, start the Active Directory Users and Computers (ADUC) tool.
    2. In the left pane (Active Directory Domain Services), click Users.
    3. In the Users pane, right-click the name of the Run As User who will be doing the delegation and then click Properties.
    4. In the Properties dialog box, in the left pane, select Delegation.
    5. In the Delegation section, select Trust this user for delegation to specified services only.
    6. Select Use any authentication protocol.
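
The Delegation-tab choices in Step 1 are stored on the account as the userAccountControl bit TRUSTED_TO_AUTH_FOR_DELEGATION and the msDS-AllowedToDelegateTo list, so they can be reviewed from an export of the Run As User account. The following is an added example, not Tableau or Microsoft code: the function name, the account record and the `oracle/...` SPN values are constructed for illustration, and the service class in your environment may differ.

```python
# userAccountControl bits as documented by Microsoft
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol"

def audit_run_as(account, oracle_host):
    """Compare one account record with the Delegation-tab choices in Step 1.

    account: dict with 'userAccountControl' (int) and
    'msDS-AllowedToDelegateTo' (list of SPN strings).
    Returns a list of findings; empty means the record matches Step 1.
    """
    uac = account.get("userAccountControl", 0)
    spns = account.get("msDS-AllowedToDelegateTo", [])
    findings = []
    if uac & TRUSTED_FOR_DELEGATION:
        findings.append("unconstrained delegation is enabled; Step 1 selects "
                        "'specified services only'")
    if not uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        findings.append("'Use any authentication protocol' is not set")
    if not spns:
        findings.append("no services are listed for delegation")
    # SPN layout is service/host[:port][/name]; compare the host part only
    hosts = {s.split("/")[1].split(":")[0].lower() for s in spns if "/" in s}
    if spns and oracle_host.lower() not in hosts:
        findings.append(f"{oracle_host} is not among the delegation targets")
    extra = sorted(hosts - {oracle_host.lower()})
    if extra:  # least privilege: every additional target deserves a reason
        findings.append("delegation also allowed to: " + ", ".join(extra))
    return findings

SAMPLE_ACCOUNT = {  # constructed record, not real directory data
    "sAMAccountName": "tableau_runas",
    "userAccountControl": 0x200 | 0x10000 | TRUSTED_TO_AUTH_FOR_DELEGATION,
    "msDS-AllowedToDelegateTo": ["oracle/oracle1.dev.example.lan",
                                 "oracle/oracle1.dev.example.lan:1521"],
}

if __name__ == "__main__":
    print(audit_run_as(SAMPLE_ACCOUNT, "oracle1.dev.example.lan") or "OK")
```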

    Step 2: Install Oracle Database Client on the Tableau Server computer

    1. Download the Oracle Database Client 12c Release 1 (winx64_12102_client.zip) from the Oracle website.
    2. Extract the downloaded file and run Setup.exe.
    3. Select the following options:
      • On the Select Installation Type page, select Administrator.
      • On the Specify Oracle Home User page, select Use Windows Built-in Account.

    Step 3: Set system environment variables

    Follow the procedure in the Tableau Knowledge Base to set the following variables:

    • Set the ORACLE_HOME variable to C:\app\user_name\product\12.1.0\client_1
    • Set the TNS_ADMIN variable to C:\app\user_name\product\12.1.0\client_1\Network\Admin

    Step 4: Install Oracle Database Patch on the Tableau Server computer

    Download the Oracle Database Patch version 12.1.0.2.10 (bundle patch 10, which corresponds to patch number 21821214) from the Oracle website. Follow the installation instructions in the Readme.html file that is included with the patch.

    Step 5: Copy client files to Tableau Server

    Find the following files that you created when configuring Tableau Desktop and copy them to Tableau Server:

    • Copy sqlnet.ora to the following path: C:\app\client\user_name\product\12.1.0\client_1\network\admin\sqlnet.ora
    • Copy krb5.ini to the following path: C:\Windows\krb5.ini

    Use Kerberos authentication

    1. On a Tableau Desktop computer, open the Oracle connector.
    2. In the Server field, enter the fully qualified host name of the Oracle server, such as oracle1.dev.example.lan.
    3. Select Integrated Authentication.
    4. Create a workbook with a view and publish it to Tableau Server. When you publish the workbook, configure authentication to use viewer credentials as described in Tableau Help.