Enabling Kerberos Delegation for Denodo on Linux

Version 2

    Starting with Tableau Server 2019.1, Tableau Server supports Kerberos delegation with a Denodo data source.


    To use Kerberos authentication with a PostgreSQL data source, you need to do the following:

    • Configure Tableau Server for Kerberos Delegation. For more information see Configure Kerberos in the Tableau Help.
    • Enable Kerberos delegation in Active Directory (AD). For more information contact your domain administrator.
    • Configure environment variable PGKRBSRVNAME for Kerberos Delegation to Denodo. This is only required on Linux.


    Run the following commands on all nodes in the cluster.


    # Start a session as the unprivileged user. tableau is the default unprivileged user created by Tableau Server during installation.
    # You can specify your own unprivileged user as well.
    sudo su -l tableau
    sudo touch /var/opt/tableau/tableau_server/.config/systemd/tableau_server.conf.d/denodo.conf
    echo "PGKRBSRVNAME=HTTP" | sudo tee -a /var/opt/tableau/tableau_server/.config/systemd/tableau_server.conf.d/denodo.conf
    sudo chmod 744  /var/opt/tableau/tableau_server/.config/systemd/tableau_server.conf.d/denodo.conf
    # Restart all the control plane services
    systemctl --user restart tabadmincontroller_0
    systemctl --user restart tabsvc_0
    systemctl --user restart appzookeeper_0
    systemctl --user restart clientfileservice_0
    systemctl --user restart fnplicenseservice_0
    systemctl --user restart licenseservice_0
    systemctl --user restart tabadminagent_0


    Note: Tableau uses the Postgres driver to connect to Denodo.

    Using this environment variable to configure kerberos delegation for Denodo will prevent kerberos delegation to Postgres servers, since their kerberos service principal will usually start with "postgres" instead of "HTTP".

    This won't be an issue unless you are trying to perform kerberos delegation to both Postgres and Denodo, which is very unlikely.