Unable to Generate Kerberos Script Configuration for Tableau Server


Published: 13 Jun 2017
Last Modified Date: 13 Jun 2017

Issue

When Tableau Server is configured for Kerberos, and the Kerberos configuration script is generated incorrectly, the following error might occur on the login page:
Tableau Server could not authenticate you automatically.
Sign in using your Tableau Server credentials.

Users might not be signed in automatically, and the following errors might appear in the httpd error.log:
gss_acquire_cred() failed: Unspecified GSS failure.  Minor code may provide more information (, No key table entry found matching HTTP/servername.domain.com@) referer: http://<tableau server url>/
gss_accept_sec_context() failed: Unspecified GSS failure. Minor code may provide more information (, Wrong principal in request), referer: http://<tableau server url>/

Environment

Tableau Server

Resolution

Option 1

If you work in an enterprise environment where the RC4 cipher has been disabled, adding "/crypto All" or "/crypto <encryption to use>" to the ktpass command will resolve this issue. For more information on the /crypto flag, see Ktpass in Microsoft TechNet.

Option 2

  1. If the URL used to access Tableau Server is a DNS Alias, the ktpass command must use the DNS A record instead.
  2. If the Tableau Server machine has multiple DNS A records, the generated keytab must contain entries for both DNS A records, added using the /in and /out options of ktpass. For more information on the /in and /out flags, see Ktpass in Microsoft TechNet.

Option 3

Add the Tableau Server URL to the Intranet Zone in Internet Options to make sure a Kerberos ticket is passed to Tableau Server. For more information, see Browser Support for Kerberos SSO.

Cause

This behavior may be caused by one of the following reasons: 
  • An encryption type other than RC4-HMAC has been specified for the keytab encryption when running ktpass.
  • The SPN of the Kerberos ticket does not match what is in the keytab.
  • No Kerberos ticket is sent to Tableau Server.
  • The keytab has been created using the wrong password.
  • The Tableau Server URL is not trusted to be provided with a Kerberos ticket.
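
The two error.log messages quoted under Issue can be checked against the principals in the keytab to narrow down which of these causes applies. The following is an added example, not part of the original article or of Tableau's tooling: the function names, the sample log lines, the host names and the keytab principal are constructed assumptions, and the hint strings point back to the causes listed above.

```python
import re
from collections import Counter

# The two httpd error.log messages quoted in this article.
NO_KEY = re.compile(r"gss_acquire_cred\(\) failed:.*"
                    r"No key table entry found matching (?P<spn>[^\s)]+)")
WRONG_PRINCIPAL = re.compile(r"gss_accept_sec_context\(\) failed:.*"
                             r"Wrong principal in request")

LISTED = "in keytab: check encryption type (/crypto) and password"
MISSING = "not in keytab: DNS alias or additional A record?"

def name_of(principal):
    """'HTTP/host@REALM' -> 'HTTP/host'. The realm is ignored because
    the log line quoted in the article shows it empty."""
    return principal.split("@", 1)[0]

def triage(log_lines, keytab_principals):
    """Count both failures and compare each requested SPN with the keytab."""
    requested, wrong_principal = Counter(), 0
    for line in log_lines:
        match = NO_KEY.search(line)
        if match:
            requested[match.group("spn")] += 1
        elif WRONG_PRINCIPAL.search(line):
            wrong_principal += 1
    keytab_names = {name_of(p) for p in keytab_principals}
    findings = [(spn, hits, LISTED if name_of(spn) in keytab_names else MISSING)
                for spn, hits in sorted(requested.items())]
    return {"findings": findings, "wrong_principal": wrong_principal}

# Constructed sample input (not taken from a real server).
PREFIX = ("[error] gss_acquire_cred() failed: Unspecified GSS failure.  Minor "
          "code may provide more information (, No key table entry found matching ")
SAMPLE_LOG = [
    PREFIX + "HTTP/reports.example.com@) referer: http://reports.example.com/",
    PREFIX + "HTTP/reports.example.com@) referer: http://reports.example.com/",
    PREFIX + "HTTP/tabsrv01.example.com@) referer: http://tabsrv01.example.com/",
    "[error] gss_accept_sec_context() failed: Unspecified GSS failure. Minor code "
    "may provide more information (, Wrong principal in request), referer: http://x/",
    "[notice] caught SIGTERM, shutting down",
]
SAMPLE_KEYTAB = ["HTTP/tabsrv01.example.com@EXAMPLE.COM"]

if __name__ == "__main__":
    report = triage(SAMPLE_LOG, SAMPLE_KEYTAB)
    for spn, hits, hint in report["findings"]:
        print(f"{hits:3d}  {spn}  {hint}")
    print("Wrong principal in request:", report["wrong_principal"])
```
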

Additional Information

  • Ensure the Domain Name System (DNS) is able to resolve the FQDN (fully qualified domain name) and IP of the Tableau Server machine (forward and reverse nslookup).
  • Ensure the password used for creating the keytab file is the password for the Tableau Server Run As User account.
  • In the Ktpass command, the password cannot be passed using the * option. For more information on the /pass flags, see Ktpass in Microsoft Technet.
  • The Tableau Server Run As User account cannot contain spaces.
  • To troubleshoot the issue, Tableau Server must not be running HTTPS; Wireshark can then be used to capture traffic between the client and the domain controller and between Tableau Server and the client.