User Management in Active Directory Deployments

This topic describes important technical details that you should be familiar with if you use Active Directory to authenticate users for Tableau Server.

Note: This topic assumes that you are familiar with Active Directory user management and basic Active Directory schema and domain concepts.

Active Directory user authentication and Tableau Server

Tableau Server stores all user names in the Tableau Server identity store, which is managed by the repository. If Tableau Server is configured to use Active Directory for authentication, you must first import user identities from Active Directory into the identity store. When users sign in to Tableau Server, their credentials are passed to Active Directory, which is responsible for authenticating the user; Tableau Server does not perform this authentication. (By default, NTLM is used for authentication, but you can enable Kerberos or SAML for single sign-on; in all of these cases, authentication is still left to Active Directory.) The Tableau user names stored in the identity store are what rights and permissions for Tableau Server are associated with. Therefore, after authentication succeeds, Tableau Server manages user access (authorization) to Tableau resources.

Active Directory user name attributes and Tableau Server

Active Directory uniquely identifies user objects using several attributes. (For details, see User Naming Attributes on the MSDN website.) Tableau Server relies on two Active Directory user naming attributes:

  • sAMAccountName. This attribute specifies the logon name that was originally designed for use with older versions of Windows. In many organizations, this name is combined with the NetBIOS domain name for authentication, using a format like example\jsmith, where example is the NetBIOS name and jsmith is the sAMAccountName value. Because of the original Windows design, the sAMAccountName value cannot be longer than 20 characters.

    In the Windows Active Directory Users and Computers administrative console, this value is in the field labeled User logon name (pre-Windows 2000) on the Account tab of the user object.

  • userPrincipalName (UPN). This attribute specifies a user name in the format jsmith@example.com, where jsmith is the UPN prefix and @example.com is the UPN suffix.

    In the Windows Active Directory Users and Computers administrative console, the UPN is a concatenation of two fields on the Account tab of the user object: the User logon name field, and the domain drop-down list next to it.

Adding users from Active Directory

You can add users individually from Active Directory, either by entering their names in the server's user management pages or by creating a CSV file and importing it. You can also add Active Directory users by importing an Active Directory group, which adds all of the group's users. The result can differ depending on which approach you use.

Adding users individually

In most cases, Tableau Server uses the sAMAccountName value for the user name. When you import users individually from Active Directory (either by typing their names or by using a CSV file), Tableau queries Active Directory with the user name that you provide. If a match is found, that name is imported into Tableau Server and becomes the name the user enters in order to sign in to Tableau Server.

The user name that Tableau Server imports into the identity store is the sAMAccountName value unless one of the following is true:

  • The user name that you specify is longer than 20 characters.

  • The user name that you specify contains an @ character.

If the user name you enter meets either of these conditions, Tableau imports the UPN prefix of the userPrincipalName attribute, and that prefix becomes the user's Tableau logon user name. The UPN prefix is not necessarily the same value as the sAMAccountName, so a user imported this way signs in with a name that can differ from the one a group import of the same user would create.

If user names were inadvertently imported using UPN names, you can delete the accounts in Tableau Server and then reimport those accounts using the sAMAccountName value for the user name, as shown in User logon name (pre-Windows 2000) in the Windows Active Directory Users and Computers administrative console.
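The following is an added example and not Tableau's own code: it models the import rule described above (sAMAccountName unless the typed name is longer than 20 characters or contains @, in which case the UPN prefix is used) and pre-checks an import list, warning where the name Tableau would store is not the sAMAccountName. The directory is constructed sample data, and the way the lookup matches a typed name (on sAMAccountName, full UPN, or UPN prefix) is an assumption made here, since the page does not specify how Tableau's query matches.

```python
# Added example, not Tableau's code: model the rule for which Active Directory
# attribute becomes the Tableau Server user name, and pre-check an import list.
# DIRECTORY is constructed sample data; how Tableau's AD query matches the typed
# name is an assumption here (sAMAccountName, full UPN, or UPN prefix).
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AdUser:
    sam_account_name: str      # User logon name (pre-Windows 2000), at most 20 characters
    user_principal_name: str   # e.g. jsmith@example.com

    @property
    def upn_prefix(self) -> str:
        return self.user_principal_name.split("@", 1)[0]


# Constructed sample directory. The second and third users have a UPN prefix that
# differs from their sAMAccountName, which is where the import rule matters.
DIRECTORY = [
    AdUser("jsmith", "jsmith@example.com"),
    AdUser("mgarcia", "maria.garcia@example.com"),
    AdUser("avanderbergh", "alexander.vanderbergh@example.com"),
]


def find_ad_user(entered: str, directory=DIRECTORY) -> Optional[AdUser]:
    """Constructed lookup: case-insensitive match on sAMAccountName, UPN, or UPN prefix."""
    key = entered.lower()
    for user in directory:
        if key in (user.sam_account_name.lower(),
                   user.user_principal_name.lower(),
                   user.upn_prefix.lower()):
            return user
    return None


def imported_user_name(entered: str, ad_user: AdUser) -> str:
    """Name Tableau Server stores for an individually imported user.

    Documented rule: the sAMAccountName value, unless the name you typed is
    longer than 20 characters or contains '@'; then the UPN prefix is imported.
    """
    if len(entered) > 20 or "@" in entered:
        return ad_user.upn_prefix
    return ad_user.sam_account_name


def precheck_import(entries, directory=DIRECTORY):
    """Return (entered, name_that_will_be_imported, warning_or_None) per entry.

    A warning means the imported name is not the sAMAccountName, so the user
    would sign in with a different name than a later group import would create.
    """
    report = []
    for entered in entries:
        user = find_ad_user(entered, directory)
        if user is None:
            report.append((entered, None, "no matching user in Active Directory"))
            continue
        name = imported_user_name(entered, user)
        warning = None
        if name != user.sam_account_name:
            warning = (f"imports UPN prefix '{name}' instead of sAMAccountName "
                       f"'{user.sam_account_name}'")
        report.append((entered, name, warning))
    return report


if __name__ == "__main__":
    for row in precheck_import(["jsmith", "jsmith@example.com",
                                "maria.garcia@example.com",
                                "alexander.vanderbergh", "nobody"]):
        print(row)
```

Run the pre-check over the CSV you intend to import before importing it; any row with a warning is a candidate for the delete-and-reimport procedure described above, using the User logon name (pre-Windows 2000) value instead.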

Adding user groups

If you import an Active Directory user group, Tableau imports all users in the group using the sAMAccountName value.

Sync behavior when removing users from Active Directory

Users are not automatically removed from Tableau Server by an Active Directory sync operation. Users who are disabled, deleted, or removed from groups in Active Directory remain on Tableau Server so that you can audit and reassign the user's content before removing the account completely.

However, Tableau Server treats user objects differently depending on how the status of the user object changed in Active Directory. There are two scenarios: the user was deleted or disabled in Active Directory, or the user was removed from a synchronized group in Active Directory.

When you delete or disable a user in Active Directory and then synchronize that user's group on Tableau Server, the following occurs:

  • The user is removed from the Tableau Server group you synchronized.
  • The user's role is set to "unlicensed."
  • The user will still belong to the All Users group.
  • The user is unable to sign in to Tableau Server.

When you remove a user from a group in Active Directory and then synchronize that group on Tableau Server, the following occurs:

  • The user is removed from the Tableau Server group you synchronized.
  • The user's role is retained; it is not set to "unlicensed."
  • The user will still belong to the All Users group.
  • The user can still access Tableau Server, with access to everything that the All Users group is granted permission to use.

In both cases, to remove a user from Tableau Server completely, a server administrator must delete the user from the Server Users page in Tableau Server.
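The following is an added example and not Tableau's own code: it simulates the two sync outcomes listed above for one synchronized group and then reports what a sync can never do for you, namely the unlicensed accounts that still exist and the users who were removed from the group in Active Directory but keep their site role and All Users access. The Tableau and Active Directory states are constructed sample data, and the role given to newly added group members ("Viewer") is an assumption made here.

```python
# Added example, not Tableau's code: simulate the documented sync behaviour for one
# group and list what a server administrator must still clean up by hand. The Tableau
# and AD states are constructed sample data; DEFAULT_ROLE is an assumption.
from dataclasses import dataclass, field

UNLICENSED = "Unlicensed"
DEFAULT_ROLE = "Viewer"   # assumption: role given to members the sync adds


@dataclass
class TableauUser:
    name: str                                  # sAMAccountName, as group import stores it
    site_role: str
    groups: set = field(default_factory=set)   # synchronized groups; All Users is implicit


@dataclass
class AdState:
    """Constructed AD snapshot: name -> True/False (enabled/disabled); missing = deleted."""
    users: dict
    groups: dict                               # group name -> set of member names


def sync_group(tableau: dict, ad: AdState, group: str) -> list:
    """Apply the documented behaviour for one group sync; return a change log."""
    log = []
    members = ad.groups.get(group, set())
    for user in tableau.values():
        if group not in user.groups:
            continue
        enabled = ad.users.get(user.name)          # None when deleted in AD
        if user.name in members and enabled:
            continue                               # still an active member: no change
        user.groups.discard(group)
        if not enabled:
            # Deleted or disabled in AD: removed from the group and unlicensed,
            # but the account itself is retained.
            user.site_role = UNLICENSED
            log.append((user.name, "removed from group; site role set to Unlicensed"))
        else:
            # Only removed from the AD group: the site role is kept, and the user
            # still gets everything All Users is granted.
            log.append((user.name, f"removed from group; role {user.site_role} retained"))
    for name in sorted(members - set(tableau)):
        if ad.users.get(name):
            tableau[name] = TableauUser(name, DEFAULT_ROLE, {group})
            log.append((name, f"added from group with role {DEFAULT_ROLE}"))
    return log


def accounts_needing_review(tableau: dict) -> dict:
    """Accounts a sync never removes: unlicensed leftovers, and licensed users
    that are no longer in any synchronized group but keep their role."""
    return {
        "delete_manually": sorted(u.name for u in tableau.values()
                                  if u.site_role == UNLICENSED),
        "licensed_but_in_no_group": sorted(u.name for u in tableau.values()
                                           if u.site_role != UNLICENSED and not u.groups),
    }


def run_demo():
    # Constructed state: four Explorers imported from the Finance group. Since then
    # mgarcia was disabled, tchen deleted, rpatel removed from the group, and lwong
    # added to the group in AD.
    tableau = {n: TableauUser(n, "Explorer", {"Finance"})
               for n in ("jsmith", "mgarcia", "tchen", "rpatel")}
    ad = AdState(users={"jsmith": True, "mgarcia": False, "rpatel": True, "lwong": True},
                 groups={"Finance": {"jsmith", "lwong"}})
    log = sync_group(tableau, ad, "Finance")
    return tableau, log, accounts_needing_review(tableau)


if __name__ == "__main__":
    _, log, review = run_demo()
    for entry in log:
        print(entry)
    print(review)
```

The "licensed_but_in_no_group" list is the one to watch: those users still authenticate against Active Directory and still hold a licensed role, so anything granted to All Users remains reachable to them until an administrator deletes the account from the Server Users page.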

Domain nicknames

In Tableau Server, the domain nickname is equivalent to the Windows NetBIOS domain name. In a Windows Active Directory forest, the NetBIOS name of a domain is not derived from its fully qualified domain name (FQDN); it can be an arbitrary value. The NetBIOS name is used as the domain identifier when a user logs in to Active Directory.

For example, the FQDN west.na.corp.lan might be configured with a NetBIOS name (nickname) of SEATTLE. The user jsmith in that domain could log on to Windows using either of the following user names:

  • west.na.corp.lan\jsmith
  • SEATTLE\jsmith

If you want your users to sign in to Tableau Server with a NetBIOS name instead of the FQDN, you need to verify that the nickname value is set for each domain where users log in. See editdomain for information on how to view and set the nickname value for each domain.

Support for multiple domains

You can add users from a domain that's different from the domain of the Tableau Server computer in these cases:

  • Two-way trust has been established between the server’s domain and the users’ domain.

  • The server's domain trusts the users’ domain (one-way trust). See Domain Trust Requirements.

The first time you add a user from the non-server domain, use the fully-qualified domain name with the user name. Any additional users you add from that domain can be added using the domain’s nickname, provided the nickname matches the NetBIOS name.

Duplicate display names

If user display names are not unique across multiple domains, managing users with the same display name in Tableau can be confusing, because Tableau Server displays the same name for two different users. For example, consider an organization with two domains, example.lan and example2.lan. If a user John Smith exists in both domains, you cannot tell from the display name which of the two accounts you are adding to a group or granting permissions to. In this scenario, consider updating the display name in Active Directory for one of the users to differentiate the accounts.

Sign in to Tableau Server with NetBIOS name

Users can sign in to Tableau Server using the domain nickname (NetBIOS name), for example, SEATTLE\jsmith.

Tableau Server cannot query Active Directory for the NetBIOS name of a given FQDN. As a result, Tableau sets the nickname of a given FQDN to the first label of the FQDN. For example, given the FQDN west.na.corp.lan, Tableau sets the nickname to west.

Therefore, you might need to update the domain nickname on Tableau Server before users can sign in using the nickname. If you do not update the nickname, users have to sign in using the fully qualified domain name. For more information, see Users From New Domain Unable to Log In and Do Not Appear in User List in the Tableau Knowledge Base.
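The following is an added example and not Tableau's own code: it models how a domain qualifier typed at sign-in is matched against the nicknames Tableau Server knows, and shows the failure described above, where the derived nickname west does not match the real NetBIOS name SEATTLE until the nickname is updated. The domain table, the set_nickname() stand-in for editdomain, and the treatment of a bare user name as belonging to the server's own domain are constructed for this example.

```python
# Added example, not Tableau's code: a model of domain-qualifier resolution at
# sign-in, showing why the nickname Tableau derives from an FQDN can block
# NetBIOS-style sign-in. DomainTable and set_nickname() are constructed stand-ins.
from typing import Optional


def default_nickname(fqdn: str) -> str:
    """The fallback described above: the first label of the FQDN."""
    return fqdn.split(".", 1)[0]


class DomainTable:
    """Constructed stand-in for the domains Tableau Server has recorded."""

    def __init__(self, nicknames: dict):
        # nicknames: FQDN -> nickname, or None to use the derived default
        self._nick = {fqdn.lower(): (nick or default_nickname(fqdn)).lower()
                      for fqdn, nick in nicknames.items()}

    def set_nickname(self, fqdn: str, nickname: str) -> None:
        """Stand-in for updating the nickname with editdomain."""
        self._nick[fqdn.lower()] = nickname.lower()

    def resolve(self, qualifier: str) -> Optional[str]:
        """Map a typed domain qualifier (FQDN or nickname) to an FQDN, or None."""
        q = qualifier.lower()
        if q in self._nick:
            return q
        for fqdn, nick in self._nick.items():
            if nick == q:
                return fqdn
        return None


def resolve_sign_in(typed: str, domains: DomainTable, server_fqdn: str):
    """Split 'DOMAIN\\user' (NetBIOS or FQDN form) and resolve the domain.

    Assumption: a bare user name belongs to the server's own domain. Returns
    (fqdn, user) on success or (None, user) when the qualifier is unknown.
    """
    if "\\" in typed:
        qualifier, user = typed.split("\\", 1)
        return domains.resolve(qualifier), user
    return server_fqdn.lower(), typed


def demo():
    # Constructed scenario from the text: west.na.corp.lan has NetBIOS name SEATTLE,
    # but Tableau Server derived the nickname "west" when it first saw the domain.
    domains = DomainTable({"corp.lan": None, "west.na.corp.lan": None})
    before = resolve_sign_in("SEATTLE\\jsmith", domains, "corp.lan")          # fails
    fqdn_form = resolve_sign_in("west.na.corp.lan\\jsmith", domains, "corp.lan")
    domains.set_nickname("west.na.corp.lan", "SEATTLE")                         # editdomain
    after = resolve_sign_in("SEATTLE\\jsmith", domains, "corp.lan")           # succeeds
    return before, fqdn_form, after


if __name__ == "__main__":
    for label, result in zip(("before", "fqdn form", "after"), demo()):
        print(label, result)
```

Until the nickname is corrected, only the FQDN form resolves; a sign-in with SEATTLE\jsmith has no domain to match against and is rejected before Active Directory is ever consulted.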