6 Replies Latest reply on Aug 9, 2018 1:59 PM by Rafael Schaffer

    Trusted Ticket not working with Reverse Proxy. Standard Login (using AD) works

    Jonathan C

      I'm following the standard setup presented here: Configuring Proxies for Tableau Server. I've run all of the commands with their proper IPs and hosts, etc. All of the HTTP headers are set because I can see the network communication over Wireshark. But when I attempt to authenticate via trusted ticket going through the reverse proxy, Tableau returns a -1 and the viz-0 server log tells me that the host requesting the ticket is invalid. When I then attempt to use the same machine (same trusted IP) and directly contact the Tableau server using a small C# webapp, I can get a ticket back. Is there an issue in Tableau of using the same IP as a trusted host for trusted ticket, and as a trusted host for a reverse proxy?

       

      Edit:

      Running Windows Server 2008R2 for IIS Reverse Proxy and Windows Server 2012 for Tableau Server.

      Tableau 10.4

       

      Message was edited by: Jonathan Cook

        • 1. Re: Trusted Ticket not working with Reverse Proxy. Standard Login (using AD) works
          Andrew Bickert

          Hi Jonathan,

           

          It sounds like the processing is breaking down in the POST request from the webserver to the trusted Tableau Server. Have you tried following the steps outlined in Testing Trusted Authentication to see if the ticket is being retrieved successfully from the web server? The C# is throwing me for a loop though; unless you are connecting via TABADMIN or TABCMD, you should be encountering the same issue unless you are passing authentication directly to the Tableau Server and bypassing the reverse proxy. I know this isn't a C# forum and don't want to stray from the path too much, but are you using an ASP.NET framework or passing in the Forms Library webBrowser1 object to connect?

           

          Andrew

          • 2. Re: Trusted Ticket not working with Reverse Proxy. Standard Login (using AD) works
            Jonathan C

            Hey Andrew,

            Thanks for your reply.

             

            My small C# app is following this example here: Trusted Authentication JavaScript Code Examples Required (Eric McDonald replies with a C# example). In his example, I simply replaced "servername" with the internal name of the machine to make sure that standard auth was working (this works) without the reverse proxy (yes, I'm using my own usernames, etc). To test the reverse proxy, I put the external, public FQDN into the "servername" variable and I get -1 back every time. When I simply load the reverse proxy address (its public internet FQDN) in a browser, Tableau comes right up and prompts me for my username and password and logs me right in. I'm fairly certain my C# app is working as intended. I'm a bit confused as to why Tableau is rejecting the trusted ticket via reverse proxy, yet regular authentication via reverse proxy works.

             

            Edit: I have also made sure to preserve the HOST HTTP header via this command in IIS for Application Request Routing:

            "C:\Windows\System32\inetsrv\appcmd.exe" set config -section:system.webServer/proxy /preserveHostHeader:"True" /commit:apphost

            I can see that the HOST is preserved by inspecting the HTTP packet in Wireshark.

            • 3. Re: Trusted Ticket not working with Reverse Proxy. Standard Login (using AD) works
              Andrew Bickert

              Hi Jonathan,

               

              Thank you for linking to that C# code; in looking at it, it is passing the "/trusted" authentication through (as anticipated) to the server. I am wondering if, when you put in your external FQDN on your reverse proxy, it is not passing through the /trusted portion to your server. I.e., the reverse proxy passes the FQDN for https://<RP_servername> to Tableau Server and then authenticates on the server side but does not pass through the variable /trusted (https://<RP_servername>/trusted) for the FQDN. Also, it is defaulting to port 80; not sure if you configured your reverse proxy to handle all of your 443 requests, but if so you would need to add your https:// into your (HttpWebRequest)WebRequest.Create statement.

               

              Andrew

              • 4. Re: Trusted Ticket not working with Reverse Proxy. Standard Login (using AD) works
                Jonathan C

                Hey Andrew,

                 

                I am receiving a -1 reply, so I am sure that /trusted is being passed in my POST request. I am also looking at the network traffic via Wireshark, in real time, while I run the C# app. I also checked the logs and they tell me that I have an invalid host. This host has been set by command: "tabadmin set gateway.trusted " so it should not be invalid. This is why I'm guessing there may be some issue with having the same trusted host that is set up for reverse proxy and for trusted authentication. I'll double check my tabadmin commands and hosts tonight (after business hours) to make sure I haven't made a mistake there. As this is a test right now, we are running everything standard on port 80, HTTP. Once we get port 80 working, then we'll move to SSL.

                 

                Please let me know if you have any other ideas. Thanks for your attention on this!

                • 5. Re: Trusted Ticket not working with Reverse Proxy. Standard Login (using AD) works
                  Andrew Bickert

                  Hi Jonathan,

                  I apologize, I just noticed that this thread was not in the Server & Online Administration forum (Server Administration). If you click on "Move" in the actions menu to the top right, you can choose which forum to publish this question in. The Server Forum is more specific to your question and will garner better responses.

                   

                  Andrew

                  • 6. Re: Trusted Ticket not working with Reverse Proxy. Standard Login (using AD) works
                    Rafael Schaffer

                    Hi Jonathan,

                    Check the VizQL logs; there you can find the IP you must add as a trusted host.

                    The problem is: You're behind a reverse proxy, so you'll have to trust your proxy, thus the whole internet will be trusted and able to request a trusted ticket!
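
Added example, not part of any reply above and not taken from Tableau's documentation: one way to limit the exposure described in reply 6 is to refuse ticket requests (POST to /trusted) at the IIS reverse proxy, so that only the web application, contacting Tableau Server directly on the internal network, can obtain tickets. It assumes the URL Rewrite module used by Application Request Routing is installed and that the web application can reach Tableau Server without going through the proxy; the rule name and response text are made up for illustration.

```xml
<!-- Added example: web.config fragment for the IIS site that fronts Tableau Server.
     Place this rule ABOVE the existing reverse-proxy rule so it is evaluated first.
     The rule name and status text are hypothetical. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="DenyTrustedTicketRequestViaProxy" stopProcessing="true">
          <!-- A ticket request is a POST to exactly /trusted. Ticket redemption
               URLs (/trusted/TICKET/views/...) carry further path segments,
               so browsers redeeming a ticket are not matched by this pattern. -->
          <match url="^trusted/?$" />
          <conditions>
            <add input="{REQUEST_METHOD}" pattern="^POST$" />
          </conditions>
          <!-- Answer at the proxy; the request never reaches Tableau Server,
               so it is never evaluated against the trusted host list. -->
          <action type="CustomResponse" statusCode="403"
                  statusReason="Forbidden"
                  statusDescription="Trusted ticket requests are not accepted through the proxy" />
        </rule>
        <!-- existing ARR reverse-proxy rule to Tableau Server follows here -->
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

With this rule in place, a POST to the public FQDN's /trusted path returns 403 from IIS, while a POST sent straight to the internal Tableau Server name from the trusted web application is unaffected.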