
Hi,

 

I'm using the following scenario:

 

  • Domain DOMAIN1.CORP (FOREST 1)
    Active Directory/DNS
    Windows Server 2008 R2
    IP: 192.168.0.1

  • Domain DOMAIN2.SSC (FOREST 2)
    Active Directory/DNS
    Windows Server 2003 R2
    IP: 10.0.0.1

  • Tableau Server (BI software) - Joined to DOMAIN2.SSC
    Windows Server 2012
    IP: 10.0.0.2

Functional level of the forests and domains: 2003

 

The software is configured to use AD authentication using DOMAIN2.SSC.

We need to allow that server to add some users from the DOMAIN1.CORP domain.

 

I configured the trust relationship following the guide on their website (http://kb.tableausoftware.com/articles/knowledgebase/active-directory-domains).

The problem is, the people at DOMAIN1.CORP are complaining about the security of using the two-way trust.

 

So I was trying to change the authentication mode to "selective".

The problem is:

When I configure the "outgoing trust" as "selective authentication", the software stops gathering information from DOMAIN1.CORP.

I went to DOMAIN2.SSC, opened the AD Users and Computers snap-in, went to the Computers OU, and set the "Allow to be authenticated" permission on the computer account for the DOMAIN1.CORP user that I want to add to the software.

Nothing changes.

 

Forest2 is the trusting domain, Forest1 is the trusted domain.

For logon purposes it's working. The user only logs on when I set the "Allowed to authenticate" on the server.

But for the Tableau software, it isn't working.

 

Is there an error log on Tableau Server where I can see what is failing?
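
An added example, not part of the original post: one way to confirm which principals actually hold the "Allowed to Authenticate" right on a computer object after setting it in the snap-in. The distinguished name is a hypothetical placeholder, and the script assumes it is run on a DOMAIN2.SSC-joined machine with PowerShell 3 or later by an account that can read the object's security descriptor; it uses plain LDAP through System.DirectoryServices, so it does not need the Active Directory PowerShell module.

```powershell
# Added example: list who holds "Allowed to Authenticate" on a computer object.
$ComputerDn = 'CN=TABLEAU01,CN=Computers,DC=domain2,DC=ssc'   # hypothetical DN

# rightsGuid of the Allowed-To-Authenticate control access right
$AllowedToAuthenticate = [guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'
$ExtendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Get-AllowedToAuthenticateAce {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)

    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DistinguishedName")
    # Request SIDs so ACEs for principals from the other forest are listed
    # even when their names cannot be resolved across the trust.
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        # Keep only ACEs that carry the extended-right bit (GenericAll includes it)
        if (([int]$rule.ActiveDirectoryRights -band $ExtendedRight) -eq 0) { continue }
        # An empty ObjectType means "all extended rights", which covers this one too
        if ($rule.ObjectType -ne $AllowedToAuthenticate -and
            $rule.ObjectType -ne [guid]::Empty) { continue }

        $sid = $rule.IdentityReference
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '(unresolved)' }

        [pscustomobject]@{
            Principal = $name
            Sid       = $sid.Value
            Type      = $rule.AccessControlType      # Allow or Deny
            Scope     = if ($rule.ObjectType -eq [guid]::Empty) { 'All extended rights' }
                        else { 'Allowed to Authenticate' }
            Inherited = $rule.IsInherited
        }
    }
}

Get-AllowedToAuthenticateAce -DistinguishedName $ComputerDn |
    Sort-Object Type, Principal |
    Format-Table -AutoSize
```

A Deny row for the same principal, or a missing Allow row for the DOMAIN1.CORP user, means the permission set in the snap-in is not in effect on that object.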

2 answers
  1. Aug 24, 2014, 7:35 PM

    Vandrey -

     

    I'm not a support person myself, but I'm pretty sure that Tableau Server simply doesn't support what you're trying to do (using selective authentication). I took a quick look at some old support cases and see other folks asking the same question and getting that answer. You may want to open a support case to confirm that this is still the way things work, however.

     

    Sorry.

     

    I believe that Apache does the work of negotiating "who the AD user is" via NTLM using the mod_auth_sspi module, so if I'd have to guess, you'll find errors in the apache logs: Tableau\Tableau Server\data\tabsvc\logs\httpd

     

    Unfortunately, if I'm correct and we don't support this behavior to begin with, the logs become pretty much irrelevant...
