Browser Support for Kerberos SSO to Tableau Server (kerberos, sso, authentication)

To use browser-based Kerberos Single Sign-on (SSO), the following must be true:
  • Kerberos must be enabled on Tableau Server
  • The user must have permission to access Tableau Server (they can log in using a user name and password)
  • The user must be authenticated to Active Directory (AD) through Kerberos on the client computer (they have a Kerberos Ticket Granting Ticket (TGT) - this is a normal part of authenticating with Kerberos)
Note: If Kerberos SSO fails you can still sign in to Tableau Server with your user name and password.

Client computers (non-mobile)

The following combinations of operating system and Tableau Desktop or browser support Kerberos authentication to Tableau Server without special configuration unless otherwise noted:
  • Windows
    • Tableau Desktop 8.3
    • Internet Explorer - supported, see Note 1
    • Chrome - supported, see Note 1
    • Firefox - requires configuration, see Note 2
    • Safari - not supported
  • Mac OS X
    • Tableau Desktop 8.3
    • Safari - supported
    • Chrome - see Note 3
    • Firefox - see Note 2
    • Internet Explorer - not supported

Client computers (mobile)

The following combinations of operating system and Tableau App or browser support Kerberos authentication to Tableau Server:
  • Mac iOS
    • Tableau App 8.3 - see Note 4
    • Safari - see Note 4
    • Chrome - not supported
  • Android - see Note 5
    • Tableau App 8.3
    • Android Browser
    • Chrome

Additional Information for Internet Explorer and Google Chrome on Windows

Kerberos SSO is supported on both Internet Explorer and Google Chrome but requires configuration in Windows Internet Options:
  1. In Windows Control Panel, click Internet Options.
  2. Click the Advanced tab and scroll down to the Security section.
  3. Select Enable Integrated Windows Authentication.
  4. Click Apply.

The Tableau Server URL must be in the Local internet zone. In many cases Internet Explorer's automatic detection of intranet zones will take care of this If it does not you need to manually add the URL to the Local intranet zone:
  1. In the Internet Options dialog box, click the Security tab.
  2. Click Sites
  3. In the Local intranet dialog box, click Advanced.
  4. Enter the Tableau Server name (URL) in the Add the website to the zone box and click Add
  5. Click OK.

Additional Information for Firefox on Windows and Mac OS X

Kerberos SSO is supported in Firefox on both Windows and Mac, but requires the following configuration:
  1. In Firefox, enter about:config in the address bar and press Enter.
  2. Click I'll be careful, I promise when warned about changing advanced settings.
  3. Enter negotiate in the Search box.
  4. Double-click network.negotiate-auth.trusted-urls and enter the Tableau Server's fully qualified domain name (FQDN) or domain. For example, tableau.mydomain.com or mydomain.com.
  5. Double-click network.negotiate-auth.allow-non-fqdn to change this to true.
The Tableau Server URL must be in the Local internet zone. In many cases Internet Explorer's automatic detection of intranet zones will take care of this If it does not you need to manually add the URL to the Local intranet zone:

Additional Information Chrome on Mac OS X

According to Chrome documentation, Kerberos SSO should be possible on a Mac when you launch Chrome from a terminal window with the following command (where "tableauserver.domain.com" is the URL for Tableau Server in your environment):
  • open -a "Google Chrome.app" --args --auth-server-whitelist="tableauserver.domain.com"
but due to inconsistent results when testing with Chrome,Tableau recommends using Safari or Firefox if you want Kerberos SSO on a Mac. See the Integrated Authentication section of the HTTP authentication page on The Chromium Projects for more information on using Chrome with Kerberos on a Mac.
Note: Chrome on Mac OS X continues to be supported with Tableau Server, but users will be prompted to log in with their user name and password (single sign-on will not work).

Additional Information for Mobile Safari and Tableau App 8.3 on Mac iOS

Kerberos SSO is supported if iOS is configured for Kerberos. The iOS device must have a Kerberos authenticationconfiguration profile installed. This is usually done by an enterprise IT group. Tableau Support cannot assist with configuring iOS devices for Kerberos.

Additional Information for Android

Kerberos SSO is not supported on the Android operating system because there is no platform-level support for Kerberos. You can still use your Android device and the Tableau App 8.3 or a browser to connect to and log in to Tableau Server.