Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
  • briannigl

Tableau Server in a Parent-Child Domain Environment

If you've adopted Tableau Server on an enterprise scale prior to release 2020.2, you've run into an issue with support of Active Directory user and group objects that are contained in child domains. Tableau Server has had support for only one domain. If your users and groups were spread across the parent and child domains, you've had to implement workarounds - breaking company standards for where those user and group objects are located.


Prior to our first experience in helping a client evaluate and select Tableau Server, we were warned that Tableau Server was not quite an enterprise-ready product. Many of those rumors were based on a series of issues from Tableau's past, including poor server performance and stability issues; several individuals with past experience warned that Tableau Server could be a departmental solution at best. Thanks to enough fact-checking, most of those concerns had been addressed prior to Tableau Server release 2019.4. We were cautiously optimistic that Tableau Server could be adopted for more than a departmental solution. We knew during the selection process that we were in need of a workaround as our client's 3,000+ users were contained in Active Directory groups spread across 4 different child domains. We had no choice but to begin filing for exceptions and requesting AD groups in the parent domain where user objects were stored.


With Tableau Server release 2020.2, it is now possible to support parent and child domains. However, that effort requires access and permissions to run the Table Services Manager (TSM) command. This is less than ideal as it requires admin access to the server or servers running Tableau Server, something that many individuals with a Tableau Server Site Admin role lack.


If you need to support AD users and groups in child domains, you must whitelist those domains. The TSM configuration set option is labelled "wgserver.domain.whitelist". An example of the syntax follows:


tsm configuration set -k wgserver.domain.whitelist -v child1.parent.net,child2.parent.net,child3.parent.net


The list of child domains is unique to your environment. You will need to replace "child1.parent.net" with your first child domain name and continue replacing as needed. Expand or reduce this list to meet your organization's needs.


In order for those changes to take effect, you must restart Tableau Server and its associated services. To do this, one options is to run the "apply pending changes" command via TSM;:


tsm pending-changes apply


Alternatively, return to the admin portal and restart the Server via the drop-down options listed under "Tableau Server is Running" in the upper-right portion of the page.





For those organizations with multi-domain configurations that are still running on a release prior to Tableau Server 2020.2, we recommend you begin planning your upgrade. This feature set alone will help you align with company standards and eliminate workarounds.


If this is your first foray into Tableau, it is not unusual to find a command line-only fix to a problem. We'd love to see Tableau move this configuration setting to the User Identity & Access tab within the Admin Portal's Configuration Settings.


To encourage Tableau to implement an Admin UI fix, we recommend you vote for this feature in the Tableau User Community forum.


Convergency LLC is an IT consulting and advisory firm that specializes in cloud architecture, cloud migration, cloud audit and security risk management services.