1 Reply Latest reply on May 11, 2017 1:23 PM by diego.medrano

    Tableau Kerberos MSAS Config issue - can't find "MSAS Service account" when adding user for delegation


      Hi Experts, need help with the above subject issue - our IT team has tried setting up the delegation account but failed due to the following issue. Please note that we had already run SETSPN commands on the test Tableau server with the svc_tableau service account.


      setspn -s HTTP/<ourmachinename> domainname\svc_tableau 


      However, I don’t know exactly what SETSPN command we need to run – i.e. SETSPN with our test Tableau server, like we did to set up the SPN for the Tableau service account, or something else.


      Following is copy from our IT Team implementing this config:


      Here is the problem. I have included screenshot by screenshot on how I came to this conclusion.


      Obviously if the Tableau Team has a recommendation, our team can definitely follow it.


      Here is exactly what I did last night and why it failed.

      Step 1: Specify the Run As User for delegation

      1. On the Active Directory domain controller, start the Active Directory Administrative Center.
      2. In the left pane (Active Directory Domain Services), click Users.
      3. In the Users pane, right-click the name of the Run As User “svc_tableau” and click Properties.
      4. In the Properties dialog box, in the left pane, select Delegation.
      5. In the Delegation section, select Trust this user for delegation to specified services only.
      6. Select Use any authentication protocol.


      No Problem Implementing:


      Step 2: Add MSAS service accounts for delegation

      1. To specify the services to be delegated, click Add.
      2. In the Add Services dialog box, click Add Users or Computers.
      3. In the text field, type the name of the MSAS service account (TELUS\svc_msas) and then click Check Names. The account should be found.
      4. Click OK.
      5. Select the two SPNs of type MSOLAPSvc.3 for the MSAS server and then click OK.
        1. HTTP/ourservername domain\svc_tableau

      The SPNs should now appear in the SPN list in the delegation section of the properties window for the user



      on this step 

      1. In the Add Services dialog box, click Add Users or Computers.


      I press “CHECK NAMES” and nothing comes up


      *****NOW IF I SEARCH FOR ONLY svc_M I see some other accounts



      So what is the difference between the accounts I can see in the search and the svc_msas account?


      "There is no delegation tab" for svc_msas account.


      Any help on what we're missing, given that we don't see the delegation tab for the svc_msas account and can't find it to add it?
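
      Read-only checks for the two accounts named in the post, as an added example that is not part of the original post or of Tableau's documentation. It assumes the RSAT ActiveDirectory PowerShell module and that both accounts live in the current domain; `Get-DelegationState` is a hypothetical helper name. The Add Services dialog can only offer SPNs that are registered on the account you select, so the first thing to confirm is what `servicePrincipalName` holds on svc_msas.

```powershell
# Added example: queries only, nothing is modified.
# Assumes the ActiveDirectory module (RSAT) and that both accounts are in the current domain.
Import-Module ActiveDirectory

$runAsUser   = 'svc_tableau'   # Run As User from the post
$msasAccount = 'svc_msas'      # MSAS service account from the post

function Get-DelegationState {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$SamAccountName)
    $props = 'servicePrincipalName', 'msDS-AllowedToDelegateTo',
             'TrustedForDelegation', 'TrustedToAuthForDelegation'
    # -Filter returns nothing (no exception) when the account does not exist
    $u = Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'" -Properties $props
    if (-not $u) {
        Write-Warning "$SamAccountName not found in $((Get-ADDomain).DNSRoot)"
        return
    }
    [pscustomobject]@{
        Account             = $u.SamAccountName
        DistinguishedName   = $u.DistinguishedName
        Spns                = @($u.servicePrincipalName | Where-Object { $_ })
        AllowedToDelegateTo = @($u.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
        Unconstrained       = [bool]$u.TrustedForDelegation        # should stay False
        ProtocolTransition  = [bool]$u.TrustedToAuthForDelegation  # "Use any authentication protocol"
    }
}

$msas = Get-DelegationState $msasAccount
$run  = Get-DelegationState $runAsUser
$msas, $run | Where-Object { $_ } | Format-List

if ($msas) {
    # Step 2 of the procedure expects two SPNs of type MSOLAPSvc.3 on the MSAS account
    $olapSpns = @($msas.Spns | Where-Object { $_ -like 'MSOLAPSvc.3/*' })
    if ($olapSpns.Count -eq 0) {
        Write-Warning "$msasAccount has no MSOLAPSvc.3 SPN registered; there is nothing to select for delegation."
    }
    elseif ($run) {
        # SPNs that exist on the MSAS account but are not yet delegated to by the Run As User
        $missing = @($olapSpns | Where-Object { $run.AllowedToDelegateTo -notcontains $_ })
        if ($missing.Count) { Write-Warning "Not yet in ${runAsUser}'s delegation list: $($missing -join ', ')" }
        else                { Write-Output  "$runAsUser is allowed to delegate to all MSOLAPSvc.3 SPNs of $msasAccount." }
    }
}
```

      `Unconstrained` should read False for the Run As User: the procedure above configures constrained delegation ("specified services only"), and `AllowedToDelegateTo` should list only the MSAS SPNs.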