Configuration Changes for Active Directory Identity Store (LDAP Microsoft Update)
Published: 18 Feb 2020
Last Modified Date: 10 Mar 2020
IssueIn March 2020, Microsoft is slated to release a security update for Active Directory domain controllers that will enforce LDAP channel binding and LDAP request signing.
If your deployment of Tableau Server uses Active Directory as the identity store, then configuration changes may be necessary for your identity store connectivity. See 2020 LDAP channel binding and LDAP signing requirement for Windows for more information.
EnvironmentAll versions of Tableau Server on Windows or Linux
ResolutionWhen running Tableau Server on either Windows or Linux using an Active Directory identity store, please review and implement the following recommendations:
If utilizing LDAP with Simple Bind authentication:
Then update to LDAPS. LDAPS is the default configuration for Tableau Server when hosted on Windows.
If utilizing LDAP or LDAPS with GSSAPI authentication:
Tableau Server when hosted on Linux cannot support LdapEnforceChannelBinding=2.
- If utilizing LDAP, then update to LDAPS.
- In the domain controller registry, set LdapEnforceChannelBinding=1
- Please note that setting the domain controller registry to LdapEnforceChannelBinding=0 is not recommended.
CauseThis behavior is related to the March 2020 Microsoft security update.