Resolution
Verify that the HTTP POST and GET requests used by the web application or client include all values required by Tableau Server to successfully redeem a trusted ticket, such as Username=<username>, target_site=<site id> and client_ip=<ip address> (optional).
Option 1: Error Creating Ticket followed by Attempt to Redeem Bad Ticket (likely -1)
Check to ensure that a valid ticket number is being generated and redeemed. If a ticket of -1 is being generated, refer to https://onlinehelp.tableau.com/current/server/en-us/trusted_auth_trouble_1return.htm for next steps.
Option 2: Duplicate Calls for the Same Ticket Number:
To determine if proxies are sending multiple requests for the same ticket, check the HTTPD folder of the Tableau Server logs. For more information, see Log File Locations.
You should see only one request for this ticket, where "/trusted/" is followed by a 9-255 (default is 24) character alphanumeric string. If the same ticket string appears more than once, a proxy is requesting the URL with the ticket multiple times, as in the first and third lines of the following example:
1.23.45.567 - - 2016-08-09 15:52:54.348 Pacific Daylight Time 80 "GET /trusted/bTf1vpt-xdncVZw4B5nmi1Np/views/viewname/dashboardname?:embed=y&:host_url=http://12.34.56.789/&:tabs=no&:toolbar=no&:loadOrderID=0 HTTP/1.1" "1.23.45.678" 321 - "-" 31200 UctMZgq1CGoAABrYHjwAAAAM
123.45.67.891 - - 2016-08-09 15:52:56.578 Pacific Daylight Time 80 "GET /trusted/4wphmumvWTkVw5Rl1UrSqxqv/views/viewname/dashboard name?:embed=y&:host_url=http://12.34.56.789/&:tabs=no&:toolbar=no&:loadOrderID=0 HTTP/1.1" "123.45.67.123" 432 1234 "-" 0 UctMmQq1CGoAABrYHkEAAAB0
123.45.678.91 - - 2016-08-09 15:52:58.213 Pacific Daylight Time 80 "GET /trusted/bTf1vpt-xdncVZw4B5nmi1Np/views/viewname/dashboardname?:embed=y&:host_url=http://12.34.56.789/&:tabs=no&:toolbar=no&:loadOrderID=0 HTTP/1.1" "123.45.67.123" 432 1234 "-" 15600 UctMxwq1CGoAABrYHkIAAAB0
To resolve this issue, use the following steps.
Note: Making the following changes will cause Tableau Server to reject GETs coming from unintended clients, such as proxies and other security scanners, so that only the specified client browser can redeem the ticket.
- Enable client IP security to make sure the specified browser has a chance to redeem the trusted ticket before the proxy redeems the ticket. For more information, see the Optional: Configure Client IP Matching topic in the Tableau Server Administrator Guide.
- Ensure that the IP address of the client browser is included in the original POST request to Tableau Server. For more information about POST requests, see the Get a Ticket from Tableau Server section of the Product Help guide.
Option 3: No Duplicate Calls for Ticket and URL is Truncated:
If the embedded view is being initialized incorrectly, the URL will not pass through the GET call. After the trusted ticket, there should be a URL that includes the view name, but it is missing from the log entry below:
123.45.678.91- - 2016-08-09 15:52:58.213 Pacific Daylight Time 443 "GET /trusted/w5DCZZDNtI8K42kzg7OyAM3p/ HTTP/1.1" "-" 403 1774 "-" 15649 V6pCqgoIAEQAADoYq48AAAIy
To resolve this issue, verify that the URL used to embed the view does not include the # sign. See Display the View with the Ticket for more information. A browser does not send the part of a URL that follows the # sign to the server, so the full URL never reaches Tableau Server, which causes an error redeeming the ticket.
- Incorrectly constructed Trusted Ticket URL: http://myserver/trusted/<ticket>/#/views/<workbook>/<view>
- Correctly constructed Trusted Ticket URL: http://myserver/trusted/<ticket>/t/<site>/views/<workbook>/<view>
- Correctly constructed Trusted Ticket URL: http://myserver/trusted/<ticket>/views/<workbook>/<view>
Note: if Tableau Server is running multiple sites and the view is on a site other than the Default site, you need to add t/<site_name> to the path. See What is a site? for more information.
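
The log checks described in Options 1 to 3 can be run in one pass over the HTTPD logs. The following Python script is an added example, not part of Tableau's documentation: it reads lines in the layout of the excerpts above and reports tickets requested more than once, requests with nothing after the ticket, and redemptions of -1. The sample lines are constructed, and the script assumes that a failed ticket appears literally as /trusted/-1 in the request path.

```python
import re
from collections import defaultdict

# Layout follows the httpd log excerpts on this page: client address,
# "- -", timestamp, port, quoted request, quoted address, status, ...
LINE_RE = re.compile(
    r'^(?P<src>\S+?)\s*- - .*?"GET /trusted/(?P<ticket>[^/\s"]+)'
    r'(?P<rest>[^"]*?) HTTP/[\d.]+" "[^"]*" (?P<status>\d{3}) '
)

def triage(log_text):
    """Sort trusted-ticket redemption requests into the three cases above."""
    seen = defaultdict(list)  # ticket -> [(source address, status)]
    report = {"bad_ticket": [], "duplicate": {}, "truncated": []}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a /trusted/ redemption request
        ticket, src = m["ticket"], m["src"]
        if ticket == "-1":
            # Option 1: ticket creation failed and "-1" was redeemed
            # (assumption: it appears literally in the request path)
            report["bad_ticket"].append(src)
            continue
        seen[ticket].append((src, m["status"]))
        if m["rest"].strip("/") == "":
            # Option 3: nothing after the ticket, e.g. the view path sat behind '#'
            report["truncated"].append(ticket)
    for ticket, hits in seen.items():
        if len(hits) > 1:
            # Option 2: only one request per ticket is expected; a second
            # one points to a proxy or scanner requesting the same URL
            report["duplicate"][ticket] = hits
    return report

# Constructed sample lines (addresses, tickets and request ids are made up).
SAMPLE_LOG = '''\
10.0.0.77 - - 2016-08-09 15:52:54.348 Pacific Daylight Time 80 "GET /trusted/AAAAbbbbCCCCddddEEEE1111/views/wb/dash?:embed=y HTTP/1.1" "10.0.0.77" 200 - "-" 31200 req0001
10.0.0.9 - - 2016-08-09 15:52:56.578 Pacific Daylight Time 80 "GET /trusted/MMMMnnnnOOOOppppQQQQ2222/views/wb/dash?:embed=y HTTP/1.1" "10.0.0.9" 200 1234 "-" 0 req0002
10.0.0.5 - - 2016-08-09 15:52:58.213 Pacific Daylight Time 80 "GET /trusted/AAAAbbbbCCCCddddEEEE1111/views/wb/dash?:embed=y HTTP/1.1" "10.0.0.5" 403 1234 "-" 15600 req0003
10.0.0.5- - 2016-08-09 15:53:01.000 Pacific Daylight Time 443 "GET /trusted/GGGGhhhhIIIIjjjjKKKK3333/ HTTP/1.1" "-" 403 1774 "-" 15649 req0004
10.0.0.6 - - 2016-08-09 15:53:05.000 Pacific Daylight Time 80 "GET /trusted/-1/views/wb/dash HTTP/1.1" "10.0.0.6" 403 1774 "-" 100 req0005
'''

if __name__ == "__main__":
    for case, found in triage(SAMPLE_LOG).items():
        print(case, found)
```

For each duplicated ticket the report lists every source address that requested it, which identifies the proxy whose GETs client IP matching should cause Tableau Server to reject.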