The accepted way to store a hashed password in Kerberos is to use a keytab file. The file can be created using a number of utilities: on a Windows machine, you can use ktpass.exe; on Ubuntu Linux, you can use ktutil. Before I demonstrate how to create the keytab, a word about encryption. The create-keytab script, when executed, asks a number of questions to guide the creation of the keytab. At the end, the keytab is validated to ensure it was created successfully. There are a number of features, but of note is the ability to create a keytab against an existing service account and reset the password to something secret. Now that we have the magic krb5.keytab.proxy keyfile, upload it via Webadmin at the bottom of this tab: Web Security - HTTP/s - Advanced. Now log in with the testuser on the 'client' Mac via Open Directory and go to. If you want to associate a file with a new program (e.g. My-file.KEYTAB), you have two ways to do it. The first and easiest is to right-click the selected KEYTAB file, select 'Choose default program' from the drop-down menu, then click 'Browse' and find the desired program.
Kerberos authentication relies on credentials that are stored in specially formatted files called keytab files. You may need to generate keytab files for your Tableau Server deployment. This topic describes the keytab files that Tableau Server uses to access various services in a typical organization. You may need to generate keytabs for Tableau Server to integrate into the following services:
- User authentication (SSO) in Windows Active Directory
- Datasource delegation
- Operating system
- Directory service
If your organization includes IT professionals who handle identity, authentication, and/or security, then you should work with them to create a plan for generating appropriate keytabs for your Tableau Server deployment.
User authentication (SSO) in Windows Active Directory
If you will be using Active Directory as the identity store for Tableau Server, and you want users to authenticate with Kerberos SSO, then you will need to generate a keytab file for Tableau Server.
Tableau is running on... | Need to manually generate a keytab? |
---|---|
Windows in Active Directory domain | Yes |
Linux in Active Directory domain | Yes |
Windows or Linux in non-Active Directory environment | Kerberos SSO is not a supported scenario. |
Follow these recommendations (for Windows and Linux versions of Tableau Server):
- Create a service account in your directory for Tableau Server.
- Create a keytab specifically for the Tableau Server service account. Do not reuse the keytab file that the computer account/OS uses to authenticate. You may use the same keytab for Kerberos SSO as you use for the directory authentication in the scenario above.
- You must create service principal names (SPN) in Active Directory for the Tableau Server service.
- Use the batch file in the next section to create the SPNs and the keytab file.
- After you have created the SPNs, upload the keytab file as described in Configure Kerberos.
Batch file: Set SPN and create keytab in Active Directory
You can use a batch file to set the service principal names (SPN) and create a keytab file. These operations are a part of the process to enable Kerberos SSO for Tableau Server (on Windows or Linux) running in Active Directory.
In previous versions of Tableau Server (before 2018.2), the configuration script was generated from the Tableau Server Configuration utility.
To generate a configuration script, copy and paste the following batch file contents into a text file. The batch file creates service principal names (SPN) for Tableau Server and will create a keytab file for the user you specify in the file.
Follow the directions in the file contents. After you have finished customizing the file, save it as a .bat file.
This file must be run in an Active Directory domain by a Domain admin, who will be prompted for the service account password of the account you specify in the file.
The batch file uses the Windows set, setspn, and ktpass commands.
Note: The batch file below is self-documented. However, if you do not have experience with Kerberos and generating keytab files, we recommend that you read the Microsoft blog post, All you need to know about Keytab files, before proceeding. Environmental details in your organization may require additional configuration of the ktpass command. For example, you must determine what to set for the /crypto parameter. We recommend specifying a single /crypto value that is required by your KDC. See the Microsoft article, ktpass, for the full list of supported values for the /crypto parameter.
SPN and keytab batch file contents
Operating system
If your organization uses Kerberos for authentication, then the computer where Tableau Server is running must be authenticated with the Kerberos realm in which it's running.
Tableau is running on... | Need to manually generate a keytab? |
---|---|
Windows in Active Directory domain | No |
Linux in Active Directory domain | Yes |
Windows or Linux in non-Active Directory environment | Yes |
If you are running Tableau Server on Windows, and the computer is joined to the Active Directory, then you do not need to manage or generate a keytab file for the operating system.
If you are running Tableau Server on Linux in a Kerberos realm (MIT KDC or Active Directory), then you will need to generate a keytab file specifically for the computer operating system. The keytab you create for the computer should be specifically for OS authentication. Do not use the same keytab file for OS authentication that you will be using for the other services described later in this topic.
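The recommendations above (a single /crypto value, and a service-account keytab kept separate from the one the computer account uses) can be checked on a generated file. The following Python code is an added example, not part of Tableau's documentation or tooling: it reads the version 0x0502 keytab layout, lists each principal, kvno and enctype without keeping key bytes, and flags deviations. The `host/` and trailing-`$` test for computer-account principals, the EXAMPLE.COM names and the zero-key sample are assumptions.

```python
import struct

WEAK = {1: "des-cbc-crc", 3: "des-cbc-md5", 23: "rc4-hmac"}  # deprecated enctypes (IANA numbers)

def parse_keytab(data):
    """Return (principal, kvno, enctype) per entry; key bytes are never kept."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size > 0:                       # a negative size marks a deleted slot
            (ncomp,) = struct.unpack_from(">H", data, pos)
            names, p = [], pos + 2         # realm first, then the name components
            for _ in range(ncomp + 1):
                (n,) = struct.unpack_from(">H", data, p)
                names.append(data[p + 2:p + 2 + n].decode())
                p += 2 + n
            _ntype, _ts, kvno, etype, klen = struct.unpack_from(">IIBHH", data, p)
            p += 13 + klen                 # skip the header fields and the key
            if pos + size - p >= 4:        # optional 32-bit kvno, used if nonzero
                kvno = struct.unpack_from(">I", data, p)[0] or kvno
            entries.append(("/".join(names[1:]) + "@" + names[0], kvno, etype))
        pos += abs(size)
    return entries

def audit(entries):
    """Checks from the page's guidance; the host/ and NAME$ test is an assumed heuristic."""
    findings = []
    if len({etype for _, _, etype in entries}) > 1:
        findings.append("more than one enctype present")
    for princ, _, etype in entries:
        if etype in WEAK:
            findings.append(f"deprecated enctype {WEAK[etype]}: {princ}")
        if princ.lower().startswith("host/") or princ.split("@")[0].endswith("$"):
            findings.append(f"computer-account principal: {princ}")
    return findings

def sample_entry(realm, parts, kvno, etype):
    """Constructed entry with an all-zero 16-byte key (not a real secret)."""
    names = b"".join(struct.pack(">H", len(t)) + t.encode() for t in [realm, *parts])
    key = struct.pack(">IIBHH", 1, 0, kvno, etype, 16) + bytes(16)
    body = struct.pack(">H", len(parts)) + names + key
    return struct.pack(">i", len(body)) + body

# Constructed sample: one service entry plus a host entry that should be flagged.
SAMPLE = (b"\x05\x02" + sample_entry("EXAMPLE.COM", ["HTTP", "bi.example.com"], 3, 18)
          + sample_entry("EXAMPLE.COM", ["host", "bi.example.com"], 2, 23))
```

To check a real file, pass its bytes to `parse_keytab` and the result to `audit`; an empty list means none of the three conditions was found.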
Directory service
If your organization uses a directory service, such as LDAP or Active Directory, to manage user identity, then Tableau Server requires read-only access to the directory.
Alternatively, you can configure Tableau Server to manage all accounts by installing with a local identity store. In this case, you do not need a keytab.
The following table summarizes keytab requirements:
Tableau is running on... | Directory service | Need to manually generate a keytab? |
---|---|---|
Windows in AD domain | Active Directory | No |
Windows | LDAP (GSSAPI bind) | Yes |
Linux | Active Directory or LDAP (GSSAPI bind) | Yes |
Windows or Linux | Active Directory or LDAP (Simple bind) | No |
Windows or Linux | Local identity store | No keytab required. |
If you need to manually generate a keytab for this scenario, then you will use it for GSSAPI bind to the directory. Follow these recommendations:
- Create a service account in your directory for Tableau Server.
- Create a keytab specifically for the Tableau Server service account. Do not reuse the keytab file that the computer account/OS uses to authenticate.
- Upload the keytab file as part of the JSON configuration of the Tableau Server identity store. See identityStore Entity.
As part of your disaster recovery plan, we recommend keeping a backup of the keytab and conf files in a safe location off of the Tableau Server. The keytab and conf files that you add to Tableau Server will be stored and distributed to other nodes by the Client File Service. However, the files are not stored in a recoverable format. See Tableau Server Client File Service.
Datasource delegation
You can also use Kerberos delegation to access data sources in an Active Directory. In this scenario, users can be authenticated to Tableau Server with any supported authentication mechanism (SAML, local authentication, Kerberos, etc.), but can access data sources that are enabled by Kerberos.
Tableau is running on... | Need to manually generate a keytab? |
---|---|
Windows in Active Directory domain | Yes |
Linux in Active Directory domain | Yes |
Windows or Linux in non-Active Directory environment | Not a supported scenario. |
Follow these recommendations:
- The keytab file that you use for Kerberos delegation can be the same keytab that you use for Kerberos user authentication (SSO).
- The keytab must be mapped to the service principal for Kerberos delegation in Active Directory.
- You may use the same keytab for multiple data sources.
For more information, see the following configuration topics:
- Tableau Server on Linux: Enable Kerberos Delegation
- Tableau Server on Windows: Enabling Kerberos Delegation