Tableau Server Kerberos SSO setup

I have recently had to setup SSO with Kerberos on Tableau Server 9.0 and discovered that there is one step that is missing from otherwise fairly straight forward process.

I discovered it when I got following error after completing the setup outlined in administrator guide

After doing a fiddler trace I have found that when Kerberos ticket is being passed to Tableau server I am getting HTTP 400 (BAD REQUEST) error.  What this means in our case is that HTTP header is getting cut off by the web server because its size exceeds what it can accept. This is fairly common scenario with Kerberos because the ticket is fairly lengthy.

After digging through online help I have found no mention of increasing MAX HTTP HEADER size anywhere and none of the SSO setup guides mentioned anything about it.

So I ended up pinging Tableau folks and explaining the issue to them. It turned out that it is exactly what I suspected – bad request due to HTTP request getting cut off and they have provided following TABADMIN commands that you should run at any point during Kerberos SSO setup:

open command line and navigate to %your server install location%\9.0\bin\

tabadmin set gateway.http.request_size_limit 32768

tabadmin set tomcat.http.maxrequestsize 32768

 

However, I would recommend setting the value to 65536 to be on a safe side. So:

tabadmin set gateway.http.request_size_limit 65536

tabadmin set tomcat.http.maxrequestsize 65536

 

Don’t forget to run tabadmin restart command after you run these for the changes to take effect.

 

Good luck!