Tableau Server on Linux Identity Store Config for Sub-Domains

Published: 07 Mar 2018
Last Modified Date: 12 Mar 2018


Identity Store Authentication set up using GSSAPI with Kerberos: The initial binding of the config file worked, and users that were in the parent domain (listed in "domains" on the config) were able to be imported into Tableau Server, owever, when users from a child-domain were added, the following error occurred:
 "Identity Store Configuration Error: Invalid credentials."



  • Tableau Server 10.5
  • Linux


Follow these steps:
  1. Use the below command to see which users can be found, and which ones cannot:    

    tsm user-identity-store verify-user-mappings -v <user name>

  2. Use tcpdump command in a separate window to monitor traffic and notice the parent and child domains accepting connections.
  3. Open the krb5.conf file specified in the Identity Store settings and add the sub domains to the "realms" and "domain_realms" section of the file.
  4. Verify user-mappings again for a member of a subdomain to test that you get a successful message afterwards.
  5. Log in to Tableau Server GUI.
  6. You should now be able to add users from all of the subdomains as well as new users. All users should be able to log on without incident.


Sub-domains weren't accessible until specifically added in the krb5.conf file.

Additional Information

When setting up the Identity Store config with GSSAPI and Kerberos, users from the parent domain can be found by using the
"tsm user-identity-store verify-user-mappings -v <user name>" command, but any users from a child-domain gets the following error:

"Identity Store Configuration Error: Invalid credentials".
Did this article resolve the issue?