Embedded Views Passing Through Guest Instead of AD Username
Published: 04 Jun 2015 Last Modified Date: 11 Aug 2020
Issue
Embedded views are not passing the user name through to Tableau Server. The views are showing the user as Guest. If testing with the same user clicking the link directly (remove url parameter embed=y), the correct username is displayed using Active Directory, with "Enable automatic logon" checked.
The above applies to shared links because 'embed=y' is part of the link, by default.
Environment
Tableau Server
Active Directory
Resolution
The behavior is expected behavior with Tableau Server. To force AD authentication you will need to make sure the guest user permissions are to deny viewing, which forces the fallback to the authentication system. This is recommended permissions setting on all project sites where you need to force active directory logons to deny viewing for guest users. In this way newly published workbooks inherit the guest deny access.
Cause
The guest feature was designed this way to facilitate the business case of wanting to share a view on a public website where users do not need to be authenticated or on a private website or page where authentication is handled by the site itself.
Additional Information
When using javascript or an iframe with url parameter embed=y to embed views, all authentication is bypassed and the requester is sent to the view as a guest if guest access is enabled. If the browser has a valid non-expired login cookie from previously authenticated session to the same server, the browser will include the cookie into the request for the web page, prompting Tableau Server to provide the authenticated view.