14 Replies Latest reply on Oct 23, 2013 11:44 PM by Prakash Turkar

    Could not locate unexpired trusted ticket

    Ivan Maffioli

      I have a Tableau server 7.x

      The users access to some views from a web site using trusted authentication.

       

      If I try to use the same web page from a particular location the authentication with tableau server fails and the server returns this error: Could not locate unexpired trusted ticket <ticket number>.

      Is this a firewall problem? If yes, what kind of traffic/port have I to open?

       

      The system administrator told me that the traffic http and https on port 80 and 443 are open.

      Any ideas?

       

      Thank you

       

      Ivan

        • 1. Re: Could not locate unexpired trusted ticket
          Russell Christopher

          Hey Ivan -


          This message normally means one of two things:

           

          • The ticket number that was passed in was never generated by Tableau in the first place
          • This particular ticket has already been redeemed, and therefore cannot be used again

           

          Often, Tableau sites can cause additional confusion - If you generated a ticket for "Site B" in Tableau, and then it is presented to "Site A", the same message will be thrown.

           

          The fact that this problem only occurs from ONE location is very interesting, You've double-checked from different machines, I assume? From what machine does Trusted Tickets actually work?

          • 2. Re: Could not locate unexpired trusted ticket
            Roy Dar

            Hi Ivan,

             

            I had this problem when I started using the secure tickets.

            In my case the error happened because I parsed the result ticket as a NUMBER but Tableau sometimes generate a number with trailing zeros in the number (for example 001 should not be considered as 1 otherwise the authentication will fail).

            Try to see if your code tries to work with the ticket as a number, and if so change it to STR and you should be fine.

             

            -Roy

            • 3. Re: Could not locate unexpired trusted ticket
              Alan Ho

              i can confirm this is a solution. i remember this issue was fixed (not generating ticket number with leading zeros) fews version ago, somehow this is being re-introduced as in the lastest version (7.0.9)

              • 4. Re: Could not locate unexpired trusted ticket
                Johan De Groot

                I got the same error-message - and found the answer to my problem.

                 

                If you select the wrong site with the URL (e.g. default instead of a specific one) you also will get a ticket from Tableau Server, but the view won't show.

                Is it possible you have got a similar problem?

                 

                /Johan

                • 5. Re: Could not locate unexpired trusted ticket
                  Roy Dar

                  Well, if you select a "wrong site" does it mean a URL which does not have Tableau installed on it at all?

                  That will mean you will not get the response from any Tableau server.

                  If you are using the example code then the problem is that it does not validate that the response is actually a ticket.

                  It only validate that the response is not "-1" but the response can also be an HTML from a proxy server saying the resource is unavailable.

                  I changed a little bit the code so it will parse the response and validate it is a number.

                  After this you will have to use the unparsed (original) value because of the trailing zeros issue.

                  Also make sure that you always use the same "site" for the generation of the ticket, and for the forward response to the client, so there will never be a mix-up if you use multiple Tableau servers.

                  • 6. Re: Could not locate unexpired trusted ticket
                    Tim Flanders

                    We are also having this exact issue.

                    Happens only for specific client machines.

                    This only happens when the client is connected to their company VPN.

                     

                    Some specs:

                    Using Server 7.0.8.

                    Our Java code that generates the ticket is not using numbers, always treating the ticket as a String.

                    We only have one Tableau Server and one site on that server.

                     

                    Any help would be greatly appreciated.

                    Thanks.

                    Tim

                    • 7. Re: Could not locate unexpired trusted ticket
                      Ivan Maffioli

                      Hi Tim,

                      the following conditions should be met for Trusted Authentication to operate correctly:

                       

                      1. The ticket being utilised for access is less than 180 seconds old and only being utilised for a single session and only for access to the view which it was originally requested for.

                       

                      2. The IP of the workstation calling the URL is whitelisted if using: wgserver.extended_trusted_ip_checking true

                       

                      3. If a proxy, web filter, or other network optimization solution that changes the apparent IP address of the trusted host making the request for the trusted ticket, the request will fail.

                       

                      My problem was of type 3, a proxy changes the workstation ip. I solved the problem trusting the tableau server domain in the proxy configuration.

                       

                      Ivan

                      • 8. Re: Could not locate unexpired trusted ticket
                        Tim Flanders

                        This problem only happens when the clients are on their VPN.

                        Do you have any idea if this would be the same as your #3?

                        • 9. Re: Could not locate unexpired trusted ticket
                          Russell Christopher

                          Tim -

                           

                          It could be. The easiest way to know for sure is to look for the incoming IP address as "we" see it and compare it "real" IP address of the trusted source.

                           

                          You can find this information in the apache logs, generally stored in :

                           

                          C:\Programdata\Tableau\Tableau Server\data\tabsvc\logs\httpd\access.<datetimestamp>.log

                          or....

                          <Other Than C>:\Program Files (x86)\Tableau\Tableau Server\data\tabsvc\logs\httpd\access.<datetimestamp>.log

                           

                          If you open up the newest log and review the text, you'll see the IP address of each incoming request.

                           

                          Also, fee free to open up a case with support - they may be able to shortcut this process for you significantly!

                          • 10. Re: Could not locate unexpired trusted ticket
                            Tim Flanders

                            ok... 2 things...

                            1)

                            it turns out that the issue is not a VPN issue.

                            Just had a chance to go through things a bit with the customer.

                            The user is going through a Proxy Server. So this is the same as what Ivan reported.

                             

                            So, how do i " trusting the tableau server domain in the proxy configuration."?

                            Is that a Proxy Server issue or is that a setting on every client that goes through the proxy server?

                             

                            2) I do not seem to have anything in my Tableau httpd access logs.

                            The httpd.conf has the following section:

                             

                            <IfModule log_config_module>

                                LogFormat "%h %l %u %t %p \"%r\" %>s %b \"%{Content-Length}i\" \"%{Referer}i\" \"%{X-Forwarded-For}i\" \"%{User-Agent}i\" " combined

                                LogFormat "%h %l %u %t %p \"%r\" \"%{X-Forwarded-For}i\" %>s %b \"%{Content-Length}i\" %D %{UNIQUE_ID}e" common

                             

                             

                                <IfModule log_rotate_module>

                                  RotateLogs On

                                  RotateLogsLocalTime On

                                  RotateInterval 86400

                             

                                    CustomLog "F:/Program Files (x86)/Tableau/Tableau Server/data/tabsvc/logs/httpd/access.%Y_%m_%d_%H_%M_%S.log" common

                                      </IfModule>

                                ErrorLog "F:/Program Files (x86)/Tableau/Tableau Server/data/tabsvc/logs/httpd/error.log"

                            </IfModule>

                             

                            Both log_config_module and log_rotate_module are enabled yet both access and error logs are 0 bytes.

                             

                            Thanks,

                            Tim

                            • 11. Re: Could not locate unexpired trusted ticket
                              Russell Christopher

                              Hey again!

                               

                              You really should talk to support at this point - they're going to have more experience with dealing with these sorts of scenarios

                              • 12. Re: Could not locate unexpired trusted ticket
                                Tim Flanders

                                Ivan, can you be more specific as to how you solved the proxy issue? I am having the same problem.

                                For example, lets say the url is http://hello.world.com:8000

                                 

                                Do you add hello.world.com:8000 to some proxy setting? Just hello.world.com? Just world.com?

                                Do you do this on the Proxy server or on the individual clients?

                                 

                                Thanks,

                                Tim

                                • 13. Re: Could not locate unexpired trusted ticket
                                  Ivan Maffioli

                                  Hi Tim,

                                  I had this problem with a my client, a bank.

                                  They have a network configuration that use a couple proxy server and other security mechanisms to access to internet or external servers.

                                  The proxy servers cache some pages, filter some contents and reroute incoming ip traffic to each other to make a sort of load balancing.

                                  I'm not a system administrator so i'm not sure what exactly was done but they configured a "trust" to my domain:

                                  sdgitaly.it (only the domain name, no www no ports) so all the traffic from and to this domain passes without rerouting, filtering and caching.

                                  They worked on servers not on individual clients.

                                   

                                  I hope this helps.

                                   

                                  Ivan

                                  • 14. Re: Could not locate unexpired trusted ticket
                                    Prakash Turkar

                                    Hi All,

                                     

                                    I have gone though all above discussion.

                                    In my case , I have recently upgraded Tableau Server from 7.0 to 7.0.15.

                                    Basically, this problem have been seen in the versions prior to 7.0.15.

                                     

                                    What I have found mght be as a solutions is :

                                    1. Initially , I have configured Tableau Server 7.0.15 to be accessed on a default port which is 80.

                                    In this case, I got the following error:

                                     

                                    Could not locate unexpired trusted ticket <ticket number> for most of the Tableau  reports.

                                     

                                    2. Next (as a solution), I have changed the Tableau Server default port from 80 to some other port (say 8086)

                                    In this case, I never get the the exception again.

                                     

                                    Also, I am accessing the Tableau Server through JBOSS application.

                                     

                                    Thank You,

                                    Prakash