KNOWLEDGE BASE

Configuration Changes for Active Directory Identity Store (LDAP Microsoft Update)


Published: 18 Feb 2020
Last Modified Date: 10 Mar 2020

Issue

In March 2020, Microsoft is slated to release a security update for Active Directory domain controllers that will enforce LDAP channel binding and LDAP request signing.

If your deployment of Tableau Server uses Active Directory as the identity store, then configuration changes may be necessary for your identity store connectivity. See 2020 LDAP channel binding and LDAP signing requirement for Windows for more information.

Environment

All versions of Tableau Server on Windows or Linux

Resolution

When running Tableau Server on either Windows or Linux using an Active Directory identity store, please review and implement the following recommendations:  

If utilizing LDAP with Simple Bind authentication:

Then update to LDAPS. LDAPS is the default configuration for Tableau Server when hosted on Windows.
 

If utilizing LDAP or LDAPS with GSSAPI authentication:

  1. If utilizing LDAP, then update to LDAPS.
  2. In the domain controller registry, set LdapEnforceChannelBinding=1
    • Please note that setting the domain controller registry to LdapEnforceChannelBinding=0 is not recommended.
Tableau Server when hosted on Linux cannot support LdapEnforceChannelBinding=2.

Cause

This behavior is related to the March 2020 Microsoft security update.
Did this article resolve the issue?