I think it's supported.
The "positive response" means that you are getting valid tokens, not "-1"?
Does the username that you're requesting include both domain and username, e.g. "domain\user" or "user@domain"? (Or do you have domain.fqdn, which is also used for wgserver.domain.default, set in your tabsvc.yml?)
Sending your server ziplogs to support would allow us to say why the 500 error is happening.
I'll work on getting the logs.
It looks like we do have a bit of a mixed bag - when logging into the server interface directly, it requires DOMAIN\user. However, in order to get the positive response (not "-1") on the trusted authentication request we send just the username - sending DOMAIN\user (with any manner of \ character, be it URI encoded, escaped, or plain) returns -1.
I will also check the wgserver.domain.default value and report that as well.
Looks like most of our issue is a result of having mixed domains - users belonging to the same default AD domain as the server can redeem the token, but any others encounter the error described above.
However, an issue still remains - even though same-domain users can redeem the token without error, it then redirects to the authentication page. So it's still broken, but thankfully a different kind of broken.
Paul, you have engaged with Tableau Support on this, I hope?
Yep, Support has been working with Paul and we are investigating.