5 Replies Latest reply on Apr 20, 2017 11:51 AM by Toby Erkson

    Username pulls SAMAccountName with AD auth and Active Directory groups when over 20 chars

    angelina.fleckenstein

      Hello,

      Our Tableau Server is set to use Active Directory. We have also enabled and selected the option "Synchronize Active Directory on a regular schedule". Users are imported on the server from Active Directory groups.

      I have noticed that the username that is being imported is the AD user attribute SAMAccountName for usernames over 20 characters. The server was initially installed with Tableau version 8.2.7 and is now on 10.0.3.

       

      We initially installed a test server with version 9.3.6 set up with AD authentication and synchronize AD groups. The username that is pulled on the test server is the UPN prefix when the username is over 20 chars in length and not the SAMAccountName.

      I found this article which has relevant information.

      User Management in Active Directory Deployments

       

      It says:

      "The user name that Tableau Server will import into the identity store will be the sAMAccountName value unless one of the following is true:

      • If the user name that you specify is longer than 20 characters.
      • If the user name that you specify contains an @

      If the user name you enter meets either of these conditions, then Tableau will import the UPN prefix of the userPrincipalName attribute, which will become the user's Tableau logon user name.

      If user names were inadvertently imported using UPN names, you can delete the accounts in Tableau Server and then reimport those accounts using the sAMAccountName value for the user name, as shown in User logon name (pre-Windows 2000) in the Windows Active Directory Users and Computers administrative console."

      So according to this, if the username is 21 characters, Tableau should import the UPN prefix. Our prod. server imports the sAMAccountName for the account that has a 21-character username. I removed the account and had it re-import - still importing sAMAccountName.

       

      We enabled SAML on our test server and want to do the same with production. I am concerned about the difference of AD attribute that is pulled for usernames on both servers.

      For example: SAMAccountName = lastnamelong_firstna and CN = lastnamelong_firstname.

      Prod server imports lastnamelong_firstna for username and test server imports lastnamelong_firstname. The domain settings are the same and I cannot find any other settings anywhere...

       

      Can anyone provide any information why this is happening and if there is any additional configuration stored somewhere else?

      Thank you very much.
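
An added example, not part of the original post and not Tableau's code: before enabling SAML, an audit like this lists the accounts whose imported username depends on which AD attribute the server uses, applying the rule as quoted from the article above. The CSV layout, the `example.com` domain and the sample rows are constructed assumptions; the UPN prefix of the first row is assumed to match the long name from the post.

```python
import csv
import io

SAM_MAX = 20  # length threshold quoted from the Tableau article

# Constructed sample export (not real accounts); columns are AD attribute names.
SAMPLE_CSV = """sAMAccountName,userPrincipalName
lastnamelong_firstna,lastnamelong_firstname@example.com
jsmith,jsmith@example.com
svc_report,reporting.service@example.com
"""

def upn_prefix(upn):
    """Part of userPrincipalName before the last '@'."""
    return upn.rsplit("@", 1)[0]

def documented_name(entered, sam, upn):
    """Rule as quoted from the article: sAMAccountName unless the entered
    name is longer than 20 characters or contains '@'."""
    if len(entered) > SAM_MAX or "@" in entered:
        return upn_prefix(upn)
    return sam

def audit(csv_text):
    """Return accounts whose imported name differs by attribute."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        sam, upn = row["sAMAccountName"], row["userPrincipalName"]
        prefix = upn_prefix(upn)
        if sam.lower() == prefix.lower():
            continue  # same name either way, nothing to reconcile
        findings.append({
            "sam": sam,
            "upn_prefix": prefix,
            # True when the sAMAccountName is the UPN prefix cut short
            "truncated": len(prefix) > SAM_MAX
                         and prefix.lower().startswith(sam.lower()),
            # Name the quoted rule yields for each way of entering the user
            "entered_as_sam": documented_name(sam, sam, upn),
            "entered_as_upn": documented_name(upn, sam, upn),
        })
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CSV):
        print(finding)
```

Every account this reports would need the same username on both servers, and the same value in the SAML username assertion, before the production switch.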