Hi Balakumar, on your request for a trusted ticket, someone (the proxy?) is sending you an HTML page, presumably with an error message. That HTML is then being passed to Tableau as a trusted ticket, which obviously isn't going to work. This doesn't look like a Tableau configuration problem, it looks like a network configuration problem.
Try grabbing all the text from the trusted ticket request, saving it to a file, and then opening that in a browser, in order to see the message.
The whole text of this response is given in the text I marked in red in my first post. It just posts back my application login URL with no other information. Could you please guide me on where to look for the cause of this 403 error in the Tableau logs?
Only the httpd/ access log has this information. There is no other info on why the access was denied and the reason for it.
Thanks for your help!
Where's the program that requests the trusted ticket? When it requests the trusted ticket, it should log the response.
Can you provide some more details about your application and network request flow? You might want to start with the diagram in the online help (http://onlinehelp.tableau.com/current/server/en-us/help.htm#trusted_auth_how.htm%3FTocPath%3DAdministrator%2520Guide|Tru… ) and explain the difference between this diagram and your setup.
This is request and response for trusted ticket:
GET : https://<TABLEAU_HOST_PROXY_NAME>/trusted?username='Administrator'&client_ip='<CLIENT_MACHINE_IP>' HTTP/1.1
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
HTTP/1.1 200 OK
Date: Sat, 28 May 2016 02:52:19 GMT
Server: Apache/2.4.7 (Unix) OpenSSL/1.0.1h
Set-Cookie: Calling_URL=https://<TABLEAU_HOST_PROXY_NAME>/trusted; domain=.itginc.com; path=/; secure
Keep-Alive: timeout=15, max=100
<meta HTTP-EQUIV="Refresh" CONTENT="0;URL=https://<MY_WEB_APPLICATION_LOGIN_URL>">
Please let me know if you need more info.
The trusted ticket request should be a POST, not a GET.
I will try this out and get back to you.
Hi Balakumar, one more thing: it looks like you're requesting a trusted ticket from a browser. This is not secure. As shown in the architectural diagram in the online help, the best approach is a web server in between the browser and Tableau Server.
I posted a sample request with my application request headers in Fiddler. The actual request happens from my Prod servers; as of now I am not able to get the request log from that box.
I need to redeploy the code changes again to test with a POST request, which unfortunately can happen only by Tuesday.
But if I bypass the proxy and hit the Tableau server with my local development application, even the GET request works. I think the proxy trims off the request params in the GET request; as a result, Tableau responds with a 403 error. Please let me know if this makes sense.
Good to know that you're only using the browser for testing.
Not sure why the proxy would trim the GET request; if it did that, you'd have all sorts of other problems.
The issue is not the 403 error code -- that's *expected*, because you're sending Tableau an html message instead of a ticket. It's not clear that your ticket request is even going to Tableau Server. The Tableau access log should show two entries, one for the ticket request and one for the ticket redemption. The log entry you posted is the second one -- are you also seeing the first one? If not, then the request isn't making it to Tableau.
You are right.
The first request is not reaching the Tableau server at all. Should I talk to my firm's Web Admin folks about that missing first request? I will ask them to verify whether the proxy is blocking it.
If you're sending both requests to the same address, and one is reaching Tableau and the other is not, then it would make sense to ask the network folks for help.
Thanks for your help and guidance! I will talk to N/W folks on this issue.
I am able to solve the trusted authentication ticket issue. Now I am getting the Tableau ticket in my web server.
But the issue I am facing now:
Ticket client IP: <CLIENT_IP_ADDR>, does not match with requester IP: <PROXY_SERVER_IP_ADDR>
I am not sure why the Tableau ticket cannot be redeemed in the client browser; it tells me the requester IP is the PROXY server.
Am I missing any configuration here?
Please help me.
Hi Balakumar, you can either turn off client IP address matching (wgserver.extended_trusted_ip_checking) or you can configure your proxy to forward the client IP address via the X-FORWARDED-PROTO header (Trusted Authentication with Proxy Server).
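
Added example, not part of the thread and not Tableau's own code: a server-side sketch of the ticket request as a POST, with a check that rejects an intercepted HTML page or a -1 reply before anything is handed to the browser for redemption. The function names, host names and sample bodies are assumptions made up for illustration.

```python
import urllib.parse
import urllib.request

# CONSTRUCTED sample, modelled on the meta-refresh page posted in the thread.
SAMPLE_PROXY_HTML = ('<meta HTTP-EQUIV="Refresh" '
                     'CONTENT="0;URL=https://app.example.invalid/login">')

def build_ticket_request(tableau_base, username, client_ip=None):
    """Build (but do not send) the web server's POST to <tableau_base>/trusted."""
    fields = {"username": username}
    if client_ip:
        fields["client_ip"] = client_ip
    body = urllib.parse.urlencode(fields).encode("ascii")
    # Parameters travel in the form-encoded body, not in the query string.
    return urllib.request.Request(
        tableau_base.rstrip("/") + "/trusted", data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def classify_ticket_response(status, content_type, body):
    """Return (kind, detail); only kind == 'ticket' is safe to redeem."""
    text = body.strip()
    if status != 200:
        return ("http_error", "status %d" % status)
    if "html" in content_type.lower() or "<" in text:
        # A login page or redirect means an intermediary answered,
        # so the request never reached Tableau Server.
        return ("intercepted", text[:80])
    if text == "-1":
        return ("refused", "Tableau Server did not issue a ticket")
    if not text or any(c.isspace() for c in text):
        return ("malformed", text[:80])
    return ("ticket", text)

def redemption_url(tableau_base, response, view_path):
    """Build the /trusted/<ticket>/<view> URL, refusing anything but a ticket."""
    kind, detail = classify_ticket_response(*response)
    if kind != "ticket":
        raise ValueError("no ticket to redeem: %s (%s)" % (kind, detail))
    return "%s/trusted/%s/%s" % (tableau_base.rstrip("/"), detail,
                                 view_path.lstrip("/"))
```

Logging the (kind, detail) pair on the web server at request time gives the record of the ticket response that was asked for earlier in the thread.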