Kerberos on Write-Back Server

Summary

Kerberos authentication is optional: follow this guide only if you have enabled the Kerberos option in the Write-Back Manager configuration.

If Kerberos is already in use (for example with Tableau Server), the technical user for Write-Back can be the same one Tableau Server uses. In that case you can skip these steps and carry on with the configuration in Manager. Have the following at hand:

  • The user account the SPN (service principal name) is registered to
  • The keytab for that user (Kerberos)

How to Prepare for Kerberos Configuration


An Active Directory domain must already be set up before you start.


  1. Set up a technical user for the extension to enable Kerberos authentication (reference here, C.2):
    1. Create a new user.
    2. Configure the user with the following information (example: root domain name → mycompany.com, NetBIOS name → mycompany):
      1. First Name: tableauextension (the names here are only examples)
      2. sAMAccountName: tableauextension
      3. Set a password.
      4. On the right, under Password Options, choose "Other password options" and then "Password never expires".
    3. Open a terminal on the domain controller and register an SPN (Service Principal Name) for the user. The format is: setspn -S [principal] [sAMAccountName]. The -S switch first checks that no other account in the forest already holds the SPN (setspn -A adds it without that check; a duplicate SPN makes the KDC issue tickets for the wrong account and authentication fails).

      setspn -S HTTP/tableauextension.mycompany.com tableauextension

      The SPN is made of the service class HTTP and the host name tableauextension.mycompany.com of the server where the Tomcat servlet container runs. The host part must be the DNS name clients use to reach the extension, because the browser requests a ticket for exactly that name. The SPN is tied to the Tomcat domain user, and that user's keytab is then used as the service credential.

    4. Create a keytab for the user and copy it to a location the Write-Back machine can read. Use the following command:

      1. /mapuser is the Active Directory user created in step 2.
      2. /princ is the SPN you registered in step 3, followed by @REALM with the realm in UPPERCASE.
      3. /pass is the password of the AD user; /pass * prompts for it interactively instead of leaving it in the shell history.
      ktpass /out C:\extension.keytab /princ HTTP/tableauextension.mycompany.com@MYCOMPANY.COM /mapuser tableauextension@MYCOMPANY.COM /pass * /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT

      Two side effects to be aware of: ktpass sets the account password to the value you enter (the output reports "Password successfully set!") and increments the key version number, so any keytab created earlier for this account stops working; and /mapuser rewrites the account's userPrincipalName to the /princ value. The keytab contains the account's long-term key and is equivalent to its password: restrict its file permissions to the account that runs Tomcat and never paste its contents into tickets or chat. /crypto RC4-HMAC-NT is what this page uses; AES256-SHA1 is the stronger choice when the account has "This account supports Kerberos AES 256 bit encryption" enabled and the JDK supports AES-256 (JDK 8u161 and later do by default).
  2. Make sure a Java JDK is installed and, to ease the process, add its bin directory to the PATH environment variable; the kinit and klist used below are the JDK's, not the Windows ones.

    Kerberos notes

    The expected output of setspn:

    C:\Users\mycompany> setspn -S HTTP/tableauextension.mycompany.com tableauextension
    Checking domain DC=mycompany,DC=com

    Registering ServicePrincipalNames for CN=tableauextension.mycompany.com,CN=Users,DC=mycompany,DC=com
            HTTP/tableauextension.mycompany.com


    The expected output of ktpass:

    C:\Users\mycompany> ktpass /out C:\extension.keytab /princ HTTP/tableauextension.mycompany.com@MYCOMPANY.COM /mapuser tableauextension@MYCOMPANY.COM /pass * /ptype KRB5_NT_PRINCIPAL /crypto RC4-HMAC-NT
    Targeting domain controller: kerberos-server.mycompany.com
    Successfully mapped HTTP/tableauextension.mycompany.com to tableauextension.
    Type the password for HTTP/tableauextension.mycompany.com:
    Type the password again to confirm:
    Password successfully set!
    Key created.
    Output keytab to C:\extension.keytab:
    Keytab version: 0x502
    keysize 80 HTTP/tableauextension.mycompany.com@MYCOMPANY.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x17 (RC4-HMAC) keylength 16 (0xf73dfeb2619a8bd9ec299ee67dc2402f)


    The expected output of the JDK kinit, once the setup is complete (the realm is appended from the default realm, and "New ticket is stored in cache file" confirms the keytab and SPN are accepted by the KDC):

    C:\> kinit -k -t .\extension.keytab HTTP/tableauextension.mycompany.com
    New ticket is stored in cache file C:\Users\mycompany\krb5cc_mycompany
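    As an added example (it is not Write-Back's own code or tooling), the procedure above as one PowerShell script run in an elevated session on a domain controller with the RSAT ActiveDirectory module. It assumes the names used on this page (domain mycompany.com, NetBIOS name MYCOMPANY, account tableauextension, host tableauextension.mycompany.com, keytab C:\extension.keytab). It differs from the page in two places, both deliberate: it refuses to continue if the SPN is already registered to another account, and it creates an AES-only account and exports an AES256-SHA1 keytab instead of RC4-HMAC-NT, which requires a JDK with AES-256 support (8u161 or later).

```powershell
# Added example, not part of the Write-Back project. Assumed: domain mycompany.com,
# NetBIOS MYCOMPANY, account tableauextension, host tableauextension.mycompany.com.
#Requires -Modules ActiveDirectory
$ErrorActionPreference = 'Stop'

$Realm   = 'MYCOMPANY.COM'                        # realm is always UPPERCASE
$NetBios = 'MYCOMPANY'
$Account = 'tableauextension'
$Spn     = 'HTTP/tableauextension.mycompany.com'  # service class / FQDN Tomcat answers on
$Keytab  = 'C:\extension.keytab'

# 1. A duplicate SPN makes the KDC issue tickets encrypted with another account's
#    key, so check the forest before touching anything.
$query = & setspn -Q $Spn
if ($query -match 'Existing SPN found') {
    throw "SPN $Spn is already registered:`n$($query -join "`n")"
}

# 2. Technical user: password never expires, AES keys only (no RC4/DES).
$Password = Read-Host -AsSecureString "Password for $Account"
New-ADUser -Name $Account -SamAccountName $Account `
    -UserPrincipalName "$Account@$($Realm.ToLower())" `
    -AccountPassword $Password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -KerberosEncryptionType AES256

# 3. Register the SPN; -S re-checks for duplicates before adding.
& setspn -S $Spn $Account
if ($LASTEXITCODE -ne 0) { throw "setspn failed with exit code $LASTEXITCODE" }

# 4. Export the keytab. ktpass /pass * prompts, then RESETS the account password and
#    bumps the kvno, so this must be the last password change for the account.
#    AES256-SHA1 here instead of the page's RC4-HMAC-NT; the account is AES-only.
$Principal = "$Spn@$Realm"
& ktpass /out $Keytab /princ $Principal /mapuser "$Account@$Realm" /pass * `
    /ptype KRB5_NT_PRINCIPAL /crypto AES256-SHA1
if ($LASTEXITCODE -ne 0) { throw "ktpass failed with exit code $LASTEXITCODE" }

# 5. The keytab IS the account's long-term key: drop inherited ACEs and leave read
#    access only to the account that will run Tomcat, plus local administrators.
& icacls $Keytab /inheritance:r /grant:r "$NetBios\${Account}:(R)" 'BUILTIN\Administrators:(F)'
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# 6. Show what the directory now holds: SPN list, enctype flags, password policy.
& setspn -L $Account
Get-ADUser $Account -Properties ServicePrincipalNames, KerberosEncryptionType, PasswordNeverExpires, UserPrincipalName |
    Select-Object SamAccountName, UserPrincipalName, ServicePrincipalNames, KerberosEncryptionType, PasswordNeverExpires
```

    After step 6 the account's UserPrincipalName will read HTTP/tableauextension.mycompany.com@MYCOMPANY.COM, which is ktpass rewriting it through /mapuser; that is expected and is what the JDK kinit on this page then authenticates as.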


Using Kerberos when Write-Back is not installed on the Active Directory machine


If Write-Back runs on a different machine from the domain controller and Kerberos works without further changes, nothing in this section is needed. Use it only when Kerberos fails because Write-Back is installed on a machine other than the one hosting Active Directory; in that case one additional piece of configuration is required.


For Write-Back to pick up the Kerberos realm configuration, a krb5 configuration file must exist on the Write-Back machine. The content of the file is the same on Linux and Windows; only the file name and location differ.


The content of the file looks like the following (the values are only for demonstration; the realm name must always be in UPPERCASE, while the DNS domain names under [domain_realm] are lowercase). kdc is a domain controller; in Active Directory the domain name itself resolves to the domain controllers, so mycompany.com works, as does a specific DC's FQDN. admin_server is usually the same host as the kdc.


[libdefaults]
default_realm = MYCOMPANY.COM

[realms]
MYCOMPANY.COM = {
   kdc = mycompany.com
   admin_server = mycompany.com
}

[domain_realm]
mycompany.com = MYCOMPANY.COM
.mycompany.com = MYCOMPANY.COM
Windows

Filename: krb5.ini

Location: C:\Windows\krb5.ini

Linux

Filename: krb5.conf

Location: /etc/krb5.conf

These are the locations the JVM searches by default. If that path is not writable, or several JVMs on the host need different realms, the file can instead be passed to the Tomcat JVM with -Djava.security.krb5.conf=<path>, which takes precedence over the default locations.
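As an added example (not part of Write-Back), a PowerShell script that writes the krb5.ini described above on a Windows Write-Back host and then proves it works with the JDK kinit and the keytab from the first section. Instead of hard-coding the KDC it looks up the _kerberos._tcp.<domain> SRV records that Active Directory publishes in DNS, so the generated file lists every domain controller. Assumed: domain mycompany.com, keytab C:\extension.keytab, JAVA_HOME pointing at the JDK that Tomcat uses; the function names are this example's own.

```powershell
# Added example, not part of the Write-Back project. Assumed: domain mycompany.com,
# keytab C:\extension.keytab, JAVA_HOME set to the JDK Tomcat runs on.
$ErrorActionPreference = 'Stop'

function New-Krb5Config {
    param(
        [Parameter(Mandatory)][string]$Domain,            # DNS domain, e.g. mycompany.com
        [string]$Path = "$env:WINDIR\krb5.ini",           # /etc/krb5.conf on Linux
        [switch]$AesOnly                                   # only when the keytab is AES, not RC4
    )
    $realm  = $Domain.ToUpperInvariant()                   # realm names are case sensitive
    $domain = $Domain.ToLowerInvariant()

    # AD registers every KDC as a _kerberos._tcp.<domain> SRV record; lowest priority first.
    $kdcs = Resolve-DnsName -Name "_kerberos._tcp.$domain" -Type SRV |
        Where-Object { $_.Type -eq 'SRV' } |
        Sort-Object Priority |
        ForEach-Object { $_.NameTarget.TrimEnd('.') }
    if (-not $kdcs) { throw "no _kerberos._tcp.$domain SRV record; is this host's DNS pointed at AD?" }

    $kdcLines = ($kdcs | ForEach-Object { "    kdc = $_" }) -join "`n"
    # Java honours permitted_enctypes; an RC4 keytab (as created on this page) would stop
    # working with an AES-only list, hence the opt-in switch.
    $enctypes = if ($AesOnly) { "    permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96" } else { "" }

    $content = @"
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = true
$enctypes

[realms]
$realm = {
$kdcLines
    admin_server = $($kdcs[0])
}

[domain_realm]
$domain = $realm
.$domain = $realm
"@
    Set-Content -Path $Path -Value $content -Encoding ASCII
    return $Path
}

function Test-Krb5Config {
    param(
        [Parameter(Mandatory)][string]$Keytab,
        [Parameter(Mandatory)][string]$Principal     # e.g. HTTP/host.mycompany.com@MYCOMPANY.COM
    )
    # Call the JDK kinit by full path: Windows has no kinit of its own, but a klist.exe
    # that shadows the JDK one, and the JDK tools are what Tomcat's JVM behaves like.
    $kinit = Join-Path $env:JAVA_HOME 'bin\kinit.exe'
    if (-not (Test-Path $kinit)) { throw "JDK kinit not found at $kinit; set JAVA_HOME" }

    $out = & $kinit -k -t $Keytab $Principal 2>&1
    $ok  = ($LASTEXITCODE -eq 0) -and [bool]($out -match 'New ticket is stored in cache file')
    [pscustomobject]@{ Principal = $Principal; Success = $ok; Output = ($out -join ' ') }
}

# Usage on the Write-Back host:
$cfg = New-Krb5Config -Domain 'mycompany.com'
Get-Content $cfg
Test-Krb5Config -Keytab 'C:\extension.keytab' -Principal 'HTTP/tableauextension.mycompany.com@MYCOMPANY.COM'
```

A Success of $false with "Clock skew too great" in Output means the host's clock is more than five minutes off the domain controller's; with "Client not found in Kerberos database" the /princ in the keytab and the SPN in the directory disagree, usually a realm in the wrong case or a missing @REALM suffix.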