Skip to main content
Skip table of contents

Integration between Tableau Server and CData Virtuality Server

This configuration enables the use of Tableau workbooks with embedded viewer credentials:

  • workgroup-auth-mode:kerberos-impersonate
  • workbook-authmode:auth-integrated

This connection requires Kerberos configuration in the following:

  • CData Virtuality Server
  • Tableau Desktop
  • Tableau Server

It also requires the CData Virtuality Connector for Tableau available for download here. Please note that the connector from the Tableau Extension Gallery can not be used.

Tableau Server Kerberos Authentication

  • For domain configuration/on the DC machine:
    1. Create a Tableau service/run-as account;

    2. Create SPNs and a keytab file for the Tableau service account:

      POWERSHELL 
      PS> setspn -s HTTP/DVTS01 KRBTEST\tabsvc01
PS> setspn -s HTTP/DVTS01.KRBTEST.DV KRBTEST\tabsvc01
PS> ktpass /princ HTTP/DVTS01.KRBTEST.DV@KRBTEST.DV /pass *** /ptype KRB5_NT_PRINCIPAL /crypto All /mapuser KRBTEST\tabsvc01 /out c:\datavirtuality\tabsvc01.keytab
PS> ktpass /princ HTTP/DVTS01@KRBTEST.DV /pass *** /ptype KRB5_NT_PRINCIPAL /crypto All /mapuser KRBTEST\tabsvc01 /in c:\datavirtuality\tabsvc01.keytab /out c:\datavirtuality\tabsvc01.keytab

  • For Tableau Server configuration/on the Tableau Server machine:

    1. Configure Tableau Server to use the Tableau service/run-as account:
    2. Configure Tableau to use Kerberos authentication and the keytab file:


Integration of Tableau Server Kerberos Authentication with CData Virtuality Server Kerberos Authentication

Pre-requisites

  • CData Virtuality Server is set up for Kerberos Authentication;
  • Tableau Server is set up for Kerberos Authentication;
  • CData Virtuality Connector for Tableau available for download here is installed on the participating Tableau Desktop installations and on Tableau Server.

1. On the Tableau Server machine, create or extend an existing C:/Windows/krb5.ini configuration file:

Example configuration krb5.ini file

CODE 
[libdefaults]
	forwardable = true
	default_realm = KRBTEST.DV

[realms]
	KRBTEST.DV = {
	kdc = DC01.KRBTEST.DV
	admin_server = DC01.KRBTEST.DV
	}

[domain_realm]
	.krbtest.dv = KRBTEST.DV
	krbtest.dv = KRBTEST.DV

2. On the Tableau Server machine, create the dvclient.conf configuration file as described here.

3. A part of the configuration is provided in the Tableau Server Java configuration file java.security located in C:\Program Files\Tableau\Tableau Server\...\bin\jre\conf\security. Adapt the file as described here (in the section java.security) to specify the location of the dvclient.conf configuration file.

4. Configure Kerberos delegation:

  1. On the Domain Controller machine in Active Directory Users and Computers:
    • Open properties for the Tableau service/run-as account. 
    • If an SPN is configured, there will be a tab Delegation.
    • In that tab, enable constrained delegation for any protocol to the CData Virtuality service account:

  2. On the Tableau Server machine, do the following:

    POWERSHELL 
    PS> tsm configuration set -k wgserver.delegation.enabled -v "true" --force-keys
PS> tsm pending-changes apply
  3. Enable the use of viewer credentials in Tableau reports published on Tableau Server.
  4. On the Tableau Server machine, enable the Kerberos Authentication with the following commands:

General syntax for enabling Kerberos integration with Tableau Server:

POWERSHELL 
PS> tsm configuration set -k native_api.datasource_impersonation_runas_principal -v "HTTP/<tableau server machine>"  --force-keys
PS> tsm configuration set -k native_api.datasource_impersonation_runas_keytab_path -v "path/to/keytab file"  --force-keys
PS> tsm configuration set -k native_api.jdbc_vm_options -v "-Xmx1024m -Xms64m -Djavax.security.auth.useSubjectCredsOnly=false -Dsun.security.jgss.native=false -Djava.security.krb5.realm=<realm> -Djava.security.krb5.kdc=<kdc>"
PS> tsm pending-changes apply

Example for enabling Kerberos integration with Tableau Server:

POWERSHELL 
PS> tsm configuration set -k native_api.datasource_impersonation_runas_principal -v "HTTP/DVTS01"  --force-keys
PS> tsm configuration set -k native_api.datasource_impersonation_runas_keytab_path -v "c:/datavirtuality/tabsvc01.keytab"  --force-keys
PS> tsm configuration set -k native_api.jdbc_vm_options -v "-Xmx1024m -Xms64m -Djavax.security.auth.useSubjectCredsOnly=false -Dsun.security.jgss.native=false -Djava.security.krb5.realm=KRBTEST.DV -Djava.security.krb5.kdc=DVDC01.KRBTEST.DV"
PS> tsm pending-changes apply
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close