6 Replies Latest reply on Mar 14, 2018 10:55 AM by Matt Coles

    Trusted Ticket - Vizql Logs - Could not return an InetAddress

    Jonathan C

      Hi,

       

      After running the command "tabadmin set vizqlserver.log.level debug" to debug an issue, I'm consistently getting "com.tableausoftware.core.util.RemoteIP - InetAddress.getByName(xxx:yyy) could not return an InetAddress" when attempting to retrieve a trusted ticket from an IP in my "wgserver.trusted_hosts" field. It appears as if this error is then causing "A request for a trusted ticket seems to be coming from this invalid IP Address: xxx:yyy".

       

      Any ideas on what would be causing this?

        • 1. Re: Trusted Ticket - Vizql Logs - Could not return an InetAddress
          Matt Coles

          Could it be that you entered the IPv6 address? Per "Add Trusted IP Addresses or Host Names to Tableau Server", you must use IPv4:

           

          Next, type the following command:

          tabadmin set wgserver.trusted_hosts "<trusted IP addresses or host names>" 

          In the command above, <trusted IP addresses> should be a comma-separated list of the IPv4 addresses or host names of your web server(s).

          • 2. Re: Trusted Ticket - Vizql Logs - Could not return an InetAddress
            Jonathan C

            Hey Matt,

             

            Thanks for your reply. Definitely using IPv4 addresses.

            • 3. Re: Trusted Ticket - Vizql Logs - Could not return an InetAddress
              Jonathan C

              Found the issue. If you are using IIS as a reverse proxy, you have to disable "Include TCP Port from client" in the X-Forwarded-For HTTP header. This setting is in the machine-level ARR settings in IIS: Application Request Routing Cache -> Proxy, click "Server Proxy Settings" -> Preserve client IP in the following header. Uncheck the box that says "Include TCP port from client IP".

               

              Tableau then runs "com.tableausoftware.core.util.RemoteIP - InetAddress.getByName(xxxx)" on the forwarded address in this field from the proxy. Previously, that address contained the client port. With the client port, InetAddress.getByName(xxxx) throws an error, which makes it look like you don't have the proper IP set in "wgserver.trusted_hosts" when you do.

               

              I'm able to get a trusted ticket through my proxy now.

              • 4. Re: Trusted Ticket - Vizql Logs - Could not return an InetAddress
                Matt Coles

                Great detail, thank you for following up! I did want to ask, though--if you've "trusted" the IP from your reverse proxy, it means that all requests from any client IP can request and generate a ticket. Have you secured the proxy such that it validates that the client IP requesting the ticket is from the host that you are running your custom app on?

                • 5. Re: Trusted Ticket - Vizql Logs - Could not return an InetAddress
                  Jonathan C

                  Well, I'm a C#/SQL Server developer, and I've ventured into "DevOps/System Admin" land with the setup of this reverse proxy along with all the other tabadmin configuration. We already have authentication/authorization in place in the C# web app, but I think I'll ask our network guys what they recommend for further security. Maybe they would restrict a /trusted call only to the web servers I defined in wgserver.trusted_hosts. I'm sure they'll come up with something clever. But, I'm always up for any ideas to forward along, so don't hesitate to share.

                  • 6. Re: Trusted Ticket - Vizql Logs - Could not return an InetAddress
                    Matt Coles

                    Well, it's not a networking thing, it's a "Tableau Server trusted auth" thing. If the request comes from the IP that it trusts, Tableau Server gives it whatever access it asks for. You want a ticket for the CFO, then redeem it to look at a financial reporting dashboard? It grants it. The only validation Tableau Server does before giving it the keys to the kingdom is to check that IP address. So if any of your users are able to connect to Tableau Server through your proxy, and avoid going through your app, then they can conceivably request their own tickets--and they'll be granted them. That's a situation that you do not want. You want to force everyone to authenticate with your C# app, and you only want to trust requests from that app. Since you're trusting all requests sent through your proxy, you either need to prevent any and all access to Tableau Server except through your C# app, or you need your proxy to block requests for trusted tickets that are being sent from non-authorized clients. In our environment, we accomplish this by an iRule on our F5 BIG-IP that looks for "trusted" in the request URI, then returns a 403 if the IP doesn't match a whitelist of hosts that we trust.
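
An added example, not part of the thread and not Tableau, IIS or F5 code: a Python sketch of the two points discussed above, namely why a forwarded address carrying a port fails IP parsing, and a proxy-side rule that refuses ticket requests from hosts outside an allowlist. It assumes ticket requests are POSTs whose first path segment is "trusted"; the allowlist addresses and all function names are constructed for illustration.

```python
import ipaddress
from urllib.parse import unquote

# Constructed sample allowlist: hosts running the web app that may request tickets.
TICKET_ALLOWLIST = [ipaddress.ip_network(n) for n in ("10.0.0.5/32", "10.0.0.6/32")]


def strip_port(forwarded):
    """Return the bare IP from one X-Forwarded-For entry, dropping any port.

    Accepts '10.0.0.5', '10.0.0.5:51234', '2001:db8::1' and '[2001:db8::1]:443'.
    Raises ValueError if what remains is not an IP address.
    """
    value = forwarded.strip()
    if value.startswith("["):                      # bracketed IPv6, optional port
        host, closed, rest = value[1:].partition("]")
        if not closed or (rest and not (rest[0] == ":" and rest[1:].isdigit())):
            raise ValueError(f"malformed address: {forwarded!r}")
    elif value.count(":") == 1:                    # IPv4 followed by a port
        host, port = value.split(":")
        if not port.isdigit():
            raise ValueError(f"malformed port: {forwarded!r}")
    else:                                          # bare IPv4 or bare IPv6
        host = value
    return str(ipaddress.ip_address(host))


def is_ticket_request(method, path):
    """True for a POST whose first path segment is 'trusted' (assumed endpoint)."""
    segments = [s for s in unquote(path.split("?", 1)[0]).lower().split("/") if s]
    return method.upper() == "POST" and segments[:1] == ["trusted"]


def proxy_status(method, path, peer_ip, allowlist=TICKET_ALLOWLIST):
    """Status the proxy returns: 403 for ticket requests from peers outside the
    allowlist, 200 (forward to Tableau Server) for everything else.

    peer_ip is the source address of the connection as the proxy sees it, not a
    header value: a client can put anything it likes in X-Forwarded-For.
    """
    if not is_ticket_request(method, path):
        return 200
    peer = ipaddress.ip_address(peer_ip)
    return 200 if any(peer in net for net in allowlist) else 403
```

The allowlist check keys on the connection's source address because a rule that trusted the X-Forwarded-For value itself could be satisfied by any client that sets the header.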