...

  1. Set up a technical user for the extension to enable Kerberos authentication (reference here, C.2):
    1. Create a new user as in step 2.
    2. Configure the user with the following information (example: root domain name → mycompany.com, NetBIOS → mycompany):
      1. First Name: tableauextension (these names are just an example)
      2. sAMAccountName: tableauextension
      3. Set up a password.
      4. On the right, in Password Options, choose "other password options" and then "password never expires".
    3. Head to the terminal to register a Service Principal Name (SPN) for this user. The format is: setspn -A [principal] [sAMAccountName]

      setspn -A HTTP/tableauextension.mycompany.com tableauextension

      The Service Principal Name (SPN) needs to be set up with HTTP and the server name tableauextension.mycompany.com, where the Tomcat servlet container runs. It is used with the Tomcat domain user, and its keytab is then used as a service credential.

    4. Create a keytab for the user, and make sure you then copy it to a place you have access to. Use the following command:

      1. In /mapuser, specify the Active Directory user.
      2. In /princ, write the SPN you chose in c.
      3. In /pass, give the password defined in AD for the user.

      ktpass /out C:\extension.keytab /princ HTTP/tableauextension.mycompany.com@MYCOMPANY.COM /mapuser tableauextension@MYCOMPANY.COM /pass * /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
  2. Make sure the Java JDK is installed and, to ease the process, added to your environment variables.

    Kerberos notes

    The expected output of setspn:

    C:\Users\mycompany> setspn -A HTTP/tableauextension.mycompany.com tableauextension
    Checking domain DC=mycompany,DC=com
    
    Registering ServicePrincipalNames for CN=tableauextension.mycompany.com,CN=Users,DC=mycompany,DC=com
            HTTP/tableauextension.mycompany.com
    

    The expected output of ktpass:

    C:\Users\mycompany> ktpass /out C:\extension.keytab /princ HTTP/tableauextension.mycompany.com@MYCOMPANY.COM /mapuser tableauextension@MYCOMPANY.COM /pass * /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
    Targeting domain controller: kerberos-server.mycompany.com
    Successfully mapped HTTP/tableauextension.mycompany.com to tableauextension.
    Type the password for HTTP/tableauextension.mycompany.com:
    Type the password again to confirm:
    Password successfully set!
    Key created.
    Output keytab to C:\extension.keytab:
    Keytab version: 0x502
    keysize 80 HTTP/tableauextension.mycompany.com@MYCOMPANY.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x17 (RC4-HMAC) keylength 16 (0xf73dfeb2619a8bd9ec299ee67dc2402f)

    The expected output of kinit, after the setup is complete:

    C:\> kinit -k -t .\extension.keytab HTTP/tableauextension.mycompany.com
    New ticket is stored in cache file C:\Users\mycompany\krb5cc_mycompany

...