Curator 101: Troubleshooting Trusted Ticket Authentication

Matthew Orr
Curator Engineer
November 19, 2021


IYKYK. Curator + Tableau + Trusted Tickets unlocks some powerful features. If you don’t know what Trusted Ticket Authentication is, it’s telling your Tableau Server that you trust Curator to authenticate users on its behalf. Tableau Server knows to trust Curator because you tell it which server Curator will be making requests from. This is usually a straightforward process, but there are a few gotchas depending on how you’ve configured Tableau Server, Curator or your network.

The gist of all of the issues you’ll run into with Trusted Ticket failures is that Tableau Server saw Curator’s request for a Trusted Ticket come from a different IP than the one you told Tableau it would be coming from. Unfortunately, there’s not a lot Curator can help with if this happens. The bulk of the work will be on your Tableau Server administrators or network administrators to figure out and fix. I won’t say that you need to butter them up at this point, but it probably wouldn’t hurt.

Setting up Curator as a Trusted Host

To set up Trusted Ticket Authentication to begin with, you need to tell Tableau Server which IPs or hostnames Curator will be making requests from. This is what Tableau calls a trusted host. Curator goes the extra mile by listing the IPs and hostnames it is aware of under Backend > Settings > Tableau > Tableau Server Settings > Connectivity tab > REST Connection section (be sure to toggle on the Use Trusted Ticket Authentication setting):

Depending on your network topology, these IPs and hostnames may or may not be accurate for what Tableau Server will see by the time the request reaches it. Things like proxies, reverse proxies, load balancers, firewalls, NAT, etc. can affect it.

Once you have the valid IP(s) and/or hostname(s) for Curator, you’ll configure Tableau by using the Tableau Services Manager (TSM). Modern versions of Tableau Server include a web interface for adding IPs and hostnames as trusted hosts under Configuration > User Identity & Access > Trusted Authentication. Here’s Tableau’s documentation on setting up trusted hosts:

https://help.tableau.com/current/server/en-us/trusted_auth_trustIP.htm

Once Tableau Server has been configured, Curator once again goes another mile (It’s up to two now. Let’s hope it remembered to wear a step tracker.) by providing a handy utility to test the configuration. Click on the Check Trusted Tickets button to verify Trusted Ticket Authentication works. If you’re longing for some positive feedback, feel free to just stop by every few days to hear the “Great job” part. Curator won’t mind patting you on the back as often as you feel you need it:

Important Security Note

As the name implies, there is an element of trust taking place. One thing that can violate that trust is inadvertently setting a reverse proxy or load balancer as a trusted host. It’s very likely that more traffic than just Curator comes through that reverse proxy or load balancer. If you whitelist it as a trusted host, then Tableau will be trusting requests that come from other sources through that reverse proxy or load balancer. Worst-case scenario is that all internet traffic routes through that reverse proxy or load balancer, and now any devious person in the world can request a trusted ticket to authenticate as any user.

What to Do If It Doesn’t Work

You followed the instructions, but it still isn’t working. No, Curator isn’t just holding a grudge because…well, you know what you did. There’s likely something in the configuration that needs to be tweaked. Since the only thing that can really go wrong with Tableau’s Trusted Ticket Authentication is that Curator’s request for Trusted Tickets looks like it’s coming from somewhere other than Curator, the most common causes are:

  • A network appliance sitting between Curator and Tableau Server may be messing with the request.
  • Curator has been set up in a High Availability (HA) configuration where requests may be coming from several nodes with their own IPs or hostnames.

Look at Tableau Server Logs

To see why Tableau Server has rudely denied a Trusted Ticket request, you can view Tableau’s vizql logs as long as the Trusted Ticket log level is set to debug. The vizql logs can be found at ProgramData/Tableau/TableauServer/data/tabsvc/logs/vizqlserver/vizql-*.log.

To change the log level, run these commands:

tsm configuration set -k vizqlserver.trustedticket.log_level -v debug

tsm pending-changes apply

Here’s Tableau’s documentation on troubleshooting issues by viewing the logs: https://help.tableau.com/current/server/en-us/trusted_auth_trouble.htm.

Trusting Gateways

If there is a network appliance, like a reverse proxy or load balancer, sitting between Curator and Tableau Server that may be messing with the requests, that appliance may need to be configured as a trusted gateway. For security reasons, it’s extremely important not to confuse trusted gateways with trusted hosts. A trusted gateway entry tells Tableau Server that the request may route through the specified gateways, even though the request still originated from Curator’s trusted host entry.

To set up a network appliance as a trusted gateway, use the following TSM commands:

tsm configuration set -k gateway.trusted -v "<proxy IP address or hostname>"

tsm pending-changes apply

Here’s Tableau’s documentation for setting up trusted gateways: https://help.tableau.com/current/server/en-us/proxy.htm#Configur.

Passing Through Headers

When using reverse proxies or load balancers, not only should they be configured as trusted gateways, but the reverse proxy or load balancer should also be configured to pass through certain headers – most notably the REMOTE_ADDR and X-FORWARDED-FOR headers. This allows Tableau Server to see that the Trusted Ticket request originated from Curator.

See Tableau’s documentation on which headers need to be passed through your reverse proxy or load balancer: https://help.tableau.com/current/server/en-us/proxy.htm#reverse-proxy-and-user-authentication.
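To make the difference between a trusted host and a trusted gateway concrete, here is an added example (not Curator or Tableau code) that compares a proxy listed as a trusted host with a proxy listed as a trusted gateway that passes through X-FORWARDED-FOR. The attribution logic is a simplified model and an assumption, not Tableau Server's implementation, and all addresses are constructed.

```python
import ipaddress

# Constructed addresses for illustration only.
CURATOR = "10.0.1.20"    # Curator node
PROXY = "10.0.0.5"       # reverse proxy / load balancer shared with other traffic
OTHER = "203.0.113.50"   # any non-Curator client that reaches the proxy

def effective_client(peer, xff, trusted_gateways):
    """Return the address a request is attributed to, or None if unparseable.

    Simplified model (an assumption, not Tableau Server's code): build the hop
    chain from X-Forwarded-For plus the direct TCP peer, then walk it from the
    server side outward, skipping hops listed as trusted gateways.
    """
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    try:
        chain = [ipaddress.ip_address(h) for h in hops + [peer]]
        gateways = {ipaddress.ip_address(g) for g in trusted_gateways}
    except ValueError:
        return None                  # malformed address: attribute to nobody
    for addr in reversed(chain):
        if addr not in gateways:
            return str(addr)         # first hop that is not a known gateway
    return str(chain[0])             # header stripped: only gateways visible

def ticket_allowed(peer, xff, trusted_hosts, trusted_gateways=()):
    """True if the attributed client is one of the configured trusted hosts."""
    client = effective_client(peer, xff, trusted_gateways)
    return client is not None and client in set(trusted_hosts)

def compare_configs():
    """Run the same requests against the risky and the intended configuration."""
    requests = {
        "curator via proxy": (PROXY, CURATOR),
        "other client via proxy": (PROXY, OTHER),
        "curator, header stripped": (PROXY, None),
    }
    risky = {"trusted_hosts": [PROXY]}   # proxy mistakenly listed as trusted host
    intended = {"trusted_hosts": [CURATOR], "trusted_gateways": [PROXY]}
    return {
        name: (ticket_allowed(peer, xff, **risky),
               ticket_allowed(peer, xff, **intended))
        for name, (peer, xff) in requests.items()
    }

if __name__ == "__main__":
    for name, (risky, intended) in compare_configs().items():
        print(f"{name:26} proxy-as-host={risky!s:5} gateway+host={intended}")
```

With the proxy as a trusted host, every row is allowed, including the non-Curator client. With the proxy as a trusted gateway, only Curator is allowed, and the stripped-header row shows the denial you get when the header is not passed through.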

Multiple Curator Nodes

If you receive occasional trusted ticket authentication errors and your Curator portal is configured to use multiple nodes as an HA setup with a load balancer, it’s likely that only a subset of Curator’s nodes were configured as trusted hosts. To work consistently, each of those nodes will need to be configured as a trusted host within Tableau Server. Again, the load balancer or another network appliance may be tweaking the requests from each node, so you may need to do some investigation to determine what the IP address or hostname looks like by the time it reaches your Tableau Server.

Alternate Tableau Server URL

In some cases, Curator and Tableau Server may sit behind a reverse proxy where the URL users use to load dashboards in their browsers is different than the URL Curator uses to communicate with Tableau Server. For instance, users get to dashboards by going to https://tableau.yourcompany.com whereas Curator uses an internal IP address to reach Tableau Server.

If this is the case, then you will need to configure the Tableau Server URL as the URL Curator will use, and then set the Alternate Tableau Server URL to be what the browser needs to use. These settings can be found at Backend > Settings > Tableau > Tableau Server Settings > Connectivity tab. The Tableau Server URL setting is under the Primary Tableau Connection section, and the Alternate Tableau Server URL is under the Advanced section.

If the wall of text is confusing, here’s a diagram to help make it clearer: