I have a freshly installed Tableau Server (distributed with no processes running on the primary), using Active Directory authentication. I am able to authenticate and import groups and users from the local domain (i.e. where Tableau Server lives), but I am unable to import groups or add users from a remote domain that has a two-way trust with Tableau's domain. I am using a domain account for the "run as" user, created specifically for this purpose. If anyone has any suggestions on troubleshooting this, I would be most grateful.
Here's a rundown of facts/tests that I have up to this point. (I'll refer to Tableau's home domain as DA and the remote domain as DZ, to simplify.)
- DA\tabservice is the "run as" user, belonging only to the Domain Users group on DA.
- Server installed with DA\tabservice entered as the server account. After installation and configuration of the worker machine, everything starts up fine. Administrator account, DA\jimbob, is entered.
- I log on as jimbob, import groups and add users from the DA domain, no problems.
- I log onto the domain controller for DA, DC1, as a Domain Administrator and create a group, Test_DA, and add two users: DA\Gern from the local domain and DZ\Gertie from the DZ domain. No problems, no errors.
- Likewise, I do the same on DZ's domain controller, create test group Test_DZ and add DA\Gern and DZ\Gertie to that group. No problems, no errors.
- Then I log on to Tableau Server as DA\jimbob. From the Admin interface, I click Groups->Import. At the import dialog, I attempt to import group DZ\Test_DZ. The dialog returns an error: "No such group DZ\Test_DZ in Active Directory".
- I then try to import group DA\Test_DA. The import successfully adds DA\Gern, but gives an error on the user from DZ: "Could not import the following from Active Directory: <prints the SID here >,cn=foreignsecurityprincipals"
- I also tried adding the individual users. DA\Gern succeeds, DZ\Gertie fails.
- I have tried other combinations of the entire sequence with these variations:
  - Add DA\tabservice to Domain Admins on DA, delete and re-create users and groups. (Only as a test! I would never do this in production so no security lectures, please.)
  - Add DA\tabservice as an administrator on Tableau Server, log in to Tableau as tabservice and attempt adds.
All variations get the same results -- no problems adding users and groups from the DA domain, but no luck adding anything from the DZ domain. We have also experimented with RDP for users to resources across these domains to assure that the trust works both ways, and it does.
I believe that the variations pretty much rule out permissions issues. I have also checked the security firewall logs between DA's and DZ's networks - nada. I'm convinced that the two-way trust is working.
Any suggestions for further troubleshooting this problem? I'm running out of ideas!