Page tree

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


  1. Setup a technical user for the extension to enable Kerberos authentication; (reference here, C.2)
    1. Create a New user like in step 2
    2. Configure a user with the following information (Example: root domain name → : NetBIOS → mycompany)
      1. First Name: tableauextension (These names are just as an example)
      2. sAMAccountName: tableauextension
      3. Setup a password
      4. On the right in Password Options choose: other password options and then password never expires.
    3. Head to the terminal to set this user as an SPN (Service Principal Name): (Format is: setspn -A [principal] [sAMAccountName])

      Code Block
      setspn -A HTTP/ tableauextension

      Service Principal Name(SPN) needs to be setup with HTTP and a server name where tomcat servlet container is run. This is used with tomcat domain user and its keytab is then used as a service credential.

    4. Create a keytab for the user, make sure you then copy it to a place where you have access to. Use the following command:

      1. In /mapuser you should specify the Active Directory user.
      2. In /princ you should write the SPN you chose in c.
      3. Int /pass is the password defined in the AD for the user.

      Code Block
      ktpass /out C:\extension.keytab /princ HTTP/ /mapuser tableauextension@MYCOMPANY.COM /pass * /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
  2. Make sure to have java jdk installed, and to ease the process have it added to environment variables.

    titleKerberos notes

    The expected output of setspn:

    Code Block
    C:\Users\mycompany> setspn -A HTTP/ tableauextension
    Checking domain DC=mycompany,DC=com
    Registering ServicePrincipalNames for,CN=Users,DC=mycompany,DC=com

    The expected output of ktpass:

    Code Block
    C:\Users\mycompany> ktpass /out C:\extension.keytab /princ HTTP/ /mapuser tableauextension@MYCOMPANY.COM /pass * /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
    Targeting domain controller:
    Successfully mapped HTTP/ to tableauextension.
    Type the password for HTTP/
    Type the password again to confirm:
    Password successfully set!
    Key created.
    Output keytab to C:\extension.keytab:
    Keytab version: 0x502
    keysize 80 HTTP/ ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x17 (RC4-HMAC) keyleng
    th 16 (0xf73dfeb2619a8bd9ec299ee67dc2402f)

    The expected output of kinit, after the setup, is complete:

    Code Block
    C:\> kinit -k -t .\extension.keytab HTTP/
    New ticket is stored in cache file C:\Users\mycompany\krb5cc_mycompany