KNOWLEDGE BASE

Errors "Sign In failed" and "HTTP 400" Using Kerberos Authentication


Published: 19 Nov 2014
Last Modified Date: 05 Apr 2018

Issue

When you try to sign in to Tableau Server that is configured for Kerberos authentication, the following error might occur:
"Tableau Server could not authenticate you automatically. Sign in using your Tableau Server credentials."

The following error might also occur in a network trace or browser console:
Bad Request (HTTP 400)

Your browser sent a request that this server could not understand.
Size of a request header field exceeds server limit.

Authorization

Environment

  • Tableau Server
  • Kerberos authentication

Resolution

Perform the following steps on the Primary: (Note, the value may need to be increased more if the 400 response persists)

  1. Open a command prompt as an administrator and navigate to the Tableau Server bin folder, for example:
    cd c:\Program Files\Tableau\Tableau Server\<version>\bin
  2. Run the following commands:
    • tabadmin set gateway.http.request_size_limit 32768
    • tabadmin set tomcat.http.maxrequestsize 32768
    • tabadmin config
  3. Restart Tableau Server for the changes to take effect:
    • tabadmin restart

Cause

The Authorization field that contains the Kerberos ticket is making the HTTP header larger than the default maximum size for the Apache gateway and Tomcat application server. This usually occurs when a user belongs to a large number of Active Directory groups.

Additional Information

Additonally, you will notice that the access logs will show two GET requests for kerberosLogin with a 400 response. For example: 
<ip address> - - <date and time> 443 "GET /vizportal/api/web/v1/auth/kerberosLogin HTTP/1.1" "-" 401 65 "-" 1007 Wqqa6rgY0XDbiw70Ie0HzQAAAyQ
<ip address> - - 2<date and time> 443 "GET /vizportal/api/web/v1/auth/kerberosLogin HTTP/1.1" "-" 400 278 "-" 0 - 

However, the logs should show:
<ip address> - - <date and time> 443 "GET /vizportal/api/web/v1/auth/kerberosLogin HTTP/1.1" "-" 401 65 "-" 1007 Wqqa6rgY0XDbiw70Ie0HzQAAAyQ
<ip address> - kerb-admin@KERB.DEV.TSI.LAN <date and time> 80 "GET /vizportal/api/web/v1/auth/kerberosLogin HTTP/1.1" "-" 200 531 "-" 106985 Va5YZAoglhsAACYE0t8AAAJU
Did this article resolve the issue?