6 Replies Latest reply on Mar 23, 2017 6:15 AM by Sudhakara Allam

    Problem adding users across two-way domain trust

    Thom Gourley

      I have a freshly installed Tableau Server (distributed with no processes running on the primary), using Active Directory authentication.  I am able to authenticate and import groups and users from the local domain (i.e. where Tableau Server lives), but I am unable to import groups or add users from a remote domain that has a two-way trust with Tableau's domain.  I am using a domain account for the "run as" user, created specifically for this purpose.  If anyone has any suggestions on troubleshooting this, I would be most grateful.

      Here's a rundown of facts/tests that I have up to this point.  (I'll refer to Tableau's home domain as DA and the remote domain as DZ, to simplify.)

      1. DA\tabservice is the "run as" user, belonging only to the Domain Users group on DA.
      2. Server installed with DA\tabservice entered as the server account.  After installation and configuration of the worker machine, everything starts up fine.  Administrator account, DA\jimbob is entered.
      3. I log on as jimbob, import groups and add users from the DA domain, no problems.
      4. I log onto the domain controller for DA, DC1, as a Domain Administrator and create a group, Test_DA, and add two users:  DA\Gern from the local domain and DZ\Gertie from the DZ domain.  No problems, no errors.
      5. Likewise, I do the same on DZ's domain controller, create test group Test_DZ and add DA\Gern and DZ\Gertie to that group.  No problems, no errors.
      6. Then I logon to Tableau Server as DA\jimbob. From the Admin interface, I click Groups->Import.  At the import dialog, I attempt to import group DZ\Test_DZ.  The dialog returns an error:  "No such group DZ\Test_DZ in Active Directory".
      7. I then try to import group DA\Test_DA.  The import successfully adds DA\Gern, but gives an error on the user from DZ:  Could not import the following from Active Directory: <prints the SID here >,cn=foreignsecurityprincipals
      8. I also tried adding the individual users.  DA\Gern succeeds, DZ\Gertie fails.
      9. I have tried other combinations of the entire sequence with these variations:
        1. Add DA\tabservice to Domain Admins on DA, delete and re-create users and groups.  (Only as a test!  I would never do this in production so no security lectures, please.)
        2. Add DA\tabservice as an administrator on Tableau Server, login to Tableau as tabservice and attempt adds.

      All variations get the same results -- no problems adding users and groups from the DA domain, but no luck adding anything from the DZ domain.  We have also experimented with RDP for users to resources across these domains to assure that the trust works both ways, and it does.

      I believe that the variations pretty much rule out permissions issues.  I have also checked the security firewall logs between DA's and DZ's networks - nada.  I'm convinced that the two-way trust is working.

      Any suggestions for further troubleshooting this problem?  I'm running out of ideas!

      Thanks!

        • 1. Re: Problem adding users across two-way domain trust
          Thom Gourley

          Sorry, forgot to give the specs:

          Tableau Server 8.01 (on two Windows Server 2012 VMs)

          Windows Server 2012 with Active Directory

          Tableau primary runs only as a gateway with a separate worker running all other processes, 8 procs on 32 GB RAM.  We set it up this way to allow the option of converting to high-availability in the near future.

          • 2. Re: Problem adding users across two-way domain trust
            Toby Erkson

            I have no solution but I would recommend contacting support.  Once you get an answer please post it because, as can be seen here, others would benefit from it.

            • 3. Re: Problem adding users across two-way domain trust
              Deepraj Kunnath

              Thom Gourley, have you tried using the fully qualified domain name / FQDN in place of the domain nickname?  Tableau Server mandates this for the first time you add a user from a "non-server domain," even if it's trusted.  See the resource below, particularly Step 5 under 'Adding Users':

              Adding Active Directory Domains | Tableau Software

              Substitute the domain nickname with the actual FQDN, and try again.  Please keep us posted.

              • 4. Re: Problem adding users across two-way domain trust
                Thom Gourley

                Yes, Deepraj, tried all the permutations I could think of to no avail, but I did eventually figure this out.  In our configuration, the worker machine is behind a firewall and can only communicate with the gateway.  For importing the remote users from the other domain, our worker machine was trying to communicate directly with the remote DC.  (We had been told by Tableau that all communication with the AD domain controllers would happen through the gateway, which is not the case.)

                This 'feature' was unacceptable to us for several reasons, so we have opted for the native Tableau Server authentication.  Not optimal, but probably more secure since we don't have to open even more holes through our firewall.  Ugh.

                Thanks for your suggestions, everyone.

                • 5. Re: Problem adding users across two-way domain trust
                  leland.weathers

                  Our answer from Tableau support was that two-way trust was not supported and that forests were.

                  We ended up writing custom code for this with the general steps being:

                  1. Read list of AD group/Tableau groups to synchronize from text file - we have multiple sites so the "config" file includes the sitename also
                  2. Query LDAP for AD group members, iterating through all sub-groups
                  3. Pull list of Tableau users
                  4. Pull list of Tableau group members
                  5. If AD group member (step 1) is not a Tableau user, write name to a file (prepend domain)
                  6. Call tabcmd to create users (we use createsiteusers)
                  7. If AD group member (step 1) is not a member of the Tableau group, write name to a file (prepend domain)
                  8. Call tabcmd to add users to group
                  9. If Tableau group member is not a member of the AD group anymore, write name to a file (prepend domain)
                  10. Call tabcmd to remove users

                  We then run the code from a scheduled task to regularly synchronize the AD/Tableau groups.

                  In the code, we didn't want to parse XML, so we used SQL queries against the embedded db to pull the Tableau users:

                  Group member query:

                  -- Tableau users who belong to group <groupname> on site <sitename>
                  SELECT su.name AS name
                  FROM groups AS g
                  LEFT OUTER JOIN group_users AS gu ON g.id = gu.group_id
                  LEFT OUTER JOIN users AS u ON u.id = gu.user_id
                  LEFT OUTER JOIN system_users AS su ON su.id = u.system_user_id
                  LEFT OUTER JOIN sites AS s ON s.id = g.site_id
                  WHERE g.name = <groupname> AND s.name = <sitename>
                  -- <groupname> and <sitename> are placeholders: pass them as bound query
                  -- parameters rather than splicing the names into the SQL string

                  For step 3 (pulling Site users) modify the above query to at least remove the groupname portion of where clause.
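The diff logic behind steps 2 and 5 to 10 above, as an added example that is not Leland's code: it runs over a constructed in-memory stand-in for the LDAP directory and the Tableau repository instead of querying them, and the group, user and csv file names are constructed assumptions. It also handles a nested-group cycle, which the steps above do not mention.

```python
from collections import deque

# Constructed stand-in for the LDAP directory (step 2): group -> direct members.
# A member that is itself a key is a nested sub-group; the Test_DZ -> Analysts
# -> Test_DZ cycle is deliberate, to show the loop protection below.
AD_GROUPS = {
    "DZ\\Test_DZ": ["DA\\Gern", "DZ\\Gertie", "DZ\\Analysts"],
    "DZ\\Analysts": ["DZ\\Hana", "DZ\\Test_DZ"],
}

def flatten_ad_group(group, groups=AD_GROUPS):
    """Step 2: expand nested groups breadth-first. `seen` stops a group that
    (directly or indirectly) contains itself from being expanded twice."""
    members, seen, todo = set(), {group}, deque([group])
    while todo:
        for m in groups.get(todo.popleft(), []):
            if m in groups:                 # sub-group: queue it once
                if m not in seen:
                    seen.add(m)
                    todo.append(m)
            else:
                members.add(m)              # leaf user, domain-prefixed
    return members

def plan_sync(ad_members, tableau_users, tableau_group_members):
    """Steps 5, 7 and 9: the three name lists that get written to files.
    AD names are case-insensitive, so compare lower-cased but keep the
    original domain\\user spelling for the output."""
    norm = lambda names: {n.lower(): n for n in names}
    ad, users, grp = norm(ad_members), norm(tableau_users), norm(tableau_group_members)
    create = sorted(v for k, v in ad.items() if k not in users)
    add = sorted(v for k, v in ad.items() if k not in grp)
    remove = sorted(v for k, v in grp.items() if k not in ad)
    return create, add, remove

def tabcmd_commands(group, create, add, remove, prefix="sync"):
    """Steps 6, 8 and 10 as tabcmd invocations; the csv file names are
    constructed and each list is assumed to have been written to its file."""
    cmds = []
    if create:
        cmds.append(f'tabcmd createsiteusers "{prefix}_create.csv"')
    if add:
        cmds.append(f'tabcmd addusers "{group}" --users "{prefix}_add.csv"')
    if remove:
        cmds.append(f'tabcmd removeusers "{group}" --users "{prefix}_remove.csv"')
    return cmds

if __name__ == "__main__":
    c, a, r = plan_sync(flatten_ad_group("DZ\\Test_DZ"), {"da\\gern", "DZ\\Olduser"}, {"DA\\Gern", "DZ\\Olduser"})
    print(c, a, r, tabcmd_commands("Test_DZ", c, a, r), sep="\n")
```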

                  • 6. Re: Problem adding users across two-way domain trust
                    Sudhakara Allam

                    Hi Leland,

                    Would it be possible to share your implementation specifics of this customization that you have done? We might have some use for this customization in our work area so that we can authenticate across multiple domains. If you could give detailed step wise implementation with some documentation that would help a lot.

                    Regards,

                    Sudhakar