Errors "Sign in Failed" or "Tableau Server could not authenticate you automatically." When Authenticating to Tableau Server via Kerberos

Option 1

Verify that your web browser is configured for Kerberos SSO. For more information, see Browser Support for Kerberos SSO.

Option 2

Depending on your environment security requirements, specific encryption may be required. To include all encryption possible, add the parameter /crypto All to ktpass command in the script generated by Tableau Server. See details of the KTPASS command in this article: Ktpass on Microsoft Technet.

Option 3

Depending on your environment requirements, it may be required to create a keytab for multiple SPNs by replacing the ktpass command in the script generated by Tableau Server by the following:

Once done, provide to Tableau Server the file generated kerberos2SPN.keytab.

For more information, see details of the KTPASS command in Ktpass on Microsoft Technet.

Option 4

If the AD password for the Run As Service account contains special characters that are not escaped, the keytab file will be generated with a wrong password and Kerberos SSO may fail.
Make sure to do the following: 

1. Instead of using a batch file, run ktpass command directly in an elevated command prompt.
2. Rather than !adpass! enter the password without quotes.
3. If the password contains <, then add ^ in front of it which functions as an escape character. For example, if the password is P@ss!w0rD#<43er enter:

   ktpass /princ HTTP/!--FQDN--!@!--Kerberos_Realm--! /pass P@ss!w0rD#^<43er /ptype KRB5_NT_PRINCIPAL /crypto DES-CBC-CRC /out keytabs\kerberos.keytab

Option 5

When Tableau Server is configured with multiple networks cards, network traffic may not be routed through the desired network interface card causing a mismatch. 

To address this problem, you can disable the second NIC, or use the following procedure to assign metrics to each NIC on the computer.

Note: Updating DNS or using local routing in the etc\hosts file to refer to the preferred IP address will not resolve this issue.

Assign metrics for each network interface

A metric is a way to indicate the “cost” of using a network interface. The higher the metric, the more expensive it is to use. By default in Windows, Automatic Metric is enabled, but you can manually assign metrics to each network interface to indicate which network interface is preferred. The lower a metric value the more preferred the interface is.

To manually configure metrics for a network interface:

1. In Control Panel, click Network and Internet.

2. Click Network and Sharing Center.

3. Click Change adapter settings.

4. Right-click on a network interface and click Properties.

5. Select Internet Protocol Version 4(TCP/IPv4) and click Properties.

6. On the General tab, click Advanced.

7. On the IP Settings tab, clear Automatic metric and enter the metric that you want in the Interface metric box.

   The metric indicates the cost of using the interface, so give your preferred interface a lower value than the other interface(s) on the computer.

Repeat the process for any other interfaces, giving them metrics based on their preference. The interface that Tableau Server uses should be the preferred interface and have the lowest value metric. For example, give the preferred network interface a metric of 5 and the secondary interface a value of 10.​

Disclaimer: Although we make every effort to ensure links to external websites are accurate, up to date, and relevant, Tableau cannot take responsibility for the accuracy or freshness of pages maintained by external providers. Contact the external site for answers to questions regarding its content.​

For more information about Windows and using the metric feature for IP routes, see the following Microsoft documentation:

• https://technet.microsoft.com/en-us/library/cc771274.aspx