The keytab file is an encrypted, local, on-disk copy of the host's key. The keytab file, like the stash file (Create the Database), is a potential point of entry for a break-in, and if compromised, would allow unrestricted access to its host. The keytab file should be readable only by root, and should exist only on the machine's local disk.
Kerberos authentication relies on credentials that are stored in specially formatted files called keytab files. You may need to generate keytab files for your Tableau Server deployment. This topic describes the keytab files that Tableau Server uses to access various services in a typical organization. You may need to generate keytabs for Tableau Server to integrate into the following services:
If your organization includes IT professionals who handle identity, authentication, and/or security, then you should work with them to create a plan for generating appropriate keytabs for your Tableau Server deployment.
User authentication (SSO) in Windows Active Directory
If you will be using Active Directory as the identity store for Tableau Server, and you want users to authenticate with Kerberos SSO, then you will need to generate a keytab file for Tableau Server.
Follow these recommendations (for Windows and Linux versions of Tableau Server):
Batch file: Set SPN and create keytab in Active Directory
You can use a batch file to set the service principal names (SPN) and create a keytab file. These operations are a part of the process to enable Kerberos SSO for Tableau Server (on Windows or Linux) running in Active Directory.
In previous versions of Tableau Server (before 2018.2), the configuration script was generated from the Tableau Server Configuration utility.
To generate a configuration script, copy and paste the following batch file contents into a text file. The batch file creates service principal names (SPN) for Tableau Server and will create a keytab file for the user you specify in the file.
Follow the directions in the file contents. After you have finished customizing the file, save it as a .bat file.
This file must be run in an Active Directory domain by a Domain admin, who will be prompted for the service account password of the account you specify in the file.
The batch file uses the Windows set, setspn, and ktpass commands.
Note: The batch file below is self-documented. However, if you do not have experience with Kerberos and generating keytab files, we recommend that you read the Microsoft blog post, All you need to know about Keytab files, before proceeding. Environmental details in your organization may require additional configuration of the ktpass command. For example, you must determine what to set for the /crypto parameter. We recommend specifying a single /crypto value that is required by your KDC. See the Microsoft article, ktpass, for the full list of supported values for the /crypto parameter.
SPN and keytab batch file contents
Operating system
If your organization uses Kerberos for authentication, then the computer where Tableau Server is running must be authenticated with the Kerberos realm in which it's running.
If you are running Tableau Server on Windows, and the computer is joined to the Active Directory, then you do not need to manage or generate a keytab file for the operating system.
If you are running Tableau Server on Linux in a Kerberos realm (MIT KDC or Active Directory), then you will need to generate a keytab file specifically for the computer operating system. The keytab you create for the computer should be specifically for OS authentication. Do not use the same keytab file for OS authentication that you will be using for the other services described later in this topic.
Directory service
If your organization uses a directory service, such as LDAP or Active Directory, to manage user identity, then Tableau Server requires read-only access to the directory.
Alternatively, you can configure Tableau Server to manage all accounts by installing with a local identity store. In this case, you do not need a keytab.
The following table summarizes keytab requirements:
If you need to manually generate a keytab for this scenario, then you will use it for GSSAPI bind to the directory. Follow these recommendations:
As part of your disaster recovery plan, we recommend keeping a backup of the keytab and conf files in a safe location off of the Tableau Server. The keytab and conf files that you add to Tableau Server will be stored and distributed to other nodes by the Client File Service. However, the files are not stored in a recoverable format. See Tableau Server Client File Service.
Datasource delegation
You can also use Kerberos delegation to access data sources in an Active Directory. In this scenario, users can be authenticated to Tableau Server with any supported authentication mechanism (SAML, local authentication, Kerberos, etc.), but can access data sources that are enabled for Kerberos.
Follow these recommendations:
For more information, see the following configuration topics:
Background
As well as storing user accounts and their passwords, the Kerberos servers (KDCs) store accounts and keys (similar to passwords) for systems. Those accounts and keys are used as part of the authentication process to verify which user is connecting to a network service. These accounts are generally called service principals.
Every network service to which a user may authenticate needs to have a service principal with a corresponding key. The network service has to have a copy of that key on the system so that it can verify a user's identity. That key is stored in a specially formatted file called a keytab. One keytab file can store multiple keys, either multiple keys for the same service principal or even keys for several different service principals. On a UNIX system, you can view the contents of a keytab with the klist -k command.
Applications that need to authenticate to network services on an automated basis also need to have service principals and keys in a keytab. For example, any process that writes into a protected directory in AFS needs to have a service principal that it can use to authenticate to AFS.
Due to how Kerberos works, a network service needs to have a separate key for every type of encryption that it supports. We currently support 256-bit AES encryption (the strongest and most modern, but not universally supported yet), triple-DES, and (for legacy compatibility, which will be phased out) DES. Most service principals will therefore have three keys, one for each type of encryption. Kerberos automatically selects the strongest key supported by both the client and server, so normally you don't have to worry about this implementation detail.
To recap, a service principal is an account, an identity, stored in Kerberos for a particular application. That service principal has one or more keys, similar to passwords. Those keys are stored on the server on which the service runs in a file called a keytab, which you can view with the klist -k command.
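To make the keytab layout described above concrete, here is an added example, not from the MIT, Tableau or Stanford documentation quoted on this page, that parses an MIT-format keytab the way klist -k reads it (principal, kvno and enctype per entry) and flags single-DES keys that should have been retired; the sample keytab bytes, the host/web01.example.com principal and the EXAMPLE.COM realm are all constructed placeholders.

```python
import struct
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
WEAK_ENCTYPES = {1, 3}  # single DES (legacy, being phased out); numbers per RFC 3961/3962
def _cstr(buf, pos):  # counted octet string: big-endian uint16 length, then bytes
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Parse an MIT keytab (format version 0x0502) into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0: pos -= size; continue  # negative size marks a deleted (free) slot
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _cstr(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _cstr(data, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        (enctype,) = struct.unpack_from(">H", data, pos + 9)
        key, pos = _cstr(data, pos + 11)
        vno = vno8
        if end - pos >= 4:  # optional 32-bit kvno; a nonzero value overrides vno8
            vno = struct.unpack_from(">I", data, pos)[0] or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": vno,
                        "enctype": ENCTYPES.get(enctype, str(enctype)),
                        "weak": enctype in WEAK_ENCTYPES, "keylen": len(key)})
    return entries
def weak_principals(entries):  # what an auditor of a keytab should flag
    return ["%s (%s)" % (e["principal"], e["enctype"]) for e in entries if e["weak"]]

def build_entry(principal, kvno, enctype, key):  # used only to construct sample input
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # KRB5_NT_PRINCIPAL, timestamp 0, vno8
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body
# Constructed sample: one host principal holding an AES-256 key and a leftover DES key.
SAMPLE_KEYTAB = (b"\x05\x02" + build_entry("host/web01.example.com@EXAMPLE.COM", 3, 18, b"\x11" * 32)
                 + build_entry("host/web01.example.com@EXAMPLE.COM", 3, 3, b"\x22" * 8))
```

Run against a real file with open(path, "rb").read(); entries whose enctype is unknown or weak are the ones to chase before a KDC stops issuing DES session keys.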
Types of service principals
There are two basic types of service principals in use at Stanford. The first set are called the 'host-based' service principals, meaning that they're tied to a network service running on a particular host. Principals of this type will always have a name like:
where type specifies the type of service and system is the system on which that service is running. The most commonly used service types are:
To allow remote login to a system using Kerberos authentication, that system must have a host/* service principal. That principal is also used to verify local logins (to the console, for example) if it exists. The keytab for that service principal must be installed locally in the path expected by the login servers (usually /etc/krb5.keytab).
To use WebAuth, the web server must have a webauth/* service principal and its keytab must be installed in the location set in the WebAuth configuration.
Host-based principals should not be shared and should not be reused. Each host providing a service should have a separate host-based principal for that service, and if that host is replaced by another with a new name, a new host-based principal should be obtained. Specifically, even if a set of web servers are part of a pool that uses WebAuth to serve one site, each server should have a separate host-based WebAuth principal and not share the same one. The principal name is independent of the URL of the web site being served and should match the system's primary name in NetDB.
Other supported but less-often-used services are:
In order to use Kerberos authentication with the corresponding network service, you must have the appropriate service principal and install the keytab in a location used by that network service.
The second type of service principal is a principal used by an application to authenticate to other network services. The most common network services to which automated processes want to authenticate are the campus LDAP directory service and the campus-wide AFS file system, but some applications may need access to other services as well. These types of service principals are associated with an application rather than a particular system and would move to a different system if that application were moved. At Stanford, these principals are named:
where application is some concise but meaningful designator for the application that will use this service principal.
Creating service principals
Stanford uses a system called the wallet for managing nearly all service principals and setting permissions on those principals so that campus system administrators can download and install keytabs for the appropriate service principals. For information about that process, see Downloading Keytabs with the Wallet.