Some customers want to be absolutely certain who is accessing their content by enforcing Two Factor Authentication (2FA), requiring users to log in using multiple mechanisms in sequence, for example a username, a password and a dynamically generated authentication token (e.g. Google Authenticator or RSA SecurID).
Some customers are content with integrating their multiple applications with the same user repository, so that users present the same credentials to all their secured applications.
Many customers want to simplify the User Experience by performing authentication without any User Interaction. The applications seem to "know" who the user is. This document describes how to leverage Kerberos to perform Windows Integrated Authentication into Qlik Sense from Windows and Mobile browsers.
| Term | Definition |
|---|---|
| AD | Active Directory. This Microsoft product is widely used by Enterprises and delivers many services such as LDAP, KDC and Domain Controller. Users and Computers are registered in Active Directory, and many customers want to leverage this single repository of identities for authentication (who are you) and authorization (what are you permitted to do) within their corporate applications. |
| LDAP | Lightweight Directory Access Protocol, operating on 389/tcp; the SSL version, LDAPS, operates on 636/tcp. Provides a way to validate credentials and look up user properties such as displayName, emailAddress and group membership. Qlik will typically be configured to interact with Active Directory's LDAP interface from the User Directory Connector (UDC) component. |
| FQDN | Fully Qualified Domain Name. If your machine is called "myserver" then its FQDN might be "myserver.example.com". |
| KDC | Kerberos Distribution Center, accessed using 88/tcp. This is the component that issues tokens to the client for access to various services that require authentication. A Kerberos Realm serves a similar function to a Windows Domain but looks more like an uppercase Email Address. |
| UPN | A Kerberos User Principal Name. If your Active Directory domain identity is EXAMPLE\someone then your corresponding UPN is probably someone@EXAMPLE.COM. |
| SPN | Each service that you may authenticate to using Kerberos requires a Service Principal Name associated with it. This is formed from a Service Identifier that is usually uppercase, the fully qualified address of that service and any non-default ports, and optionally the Kerberos Realm, e.g. |
| TGT | A Kerberos Ticket Granting Ticket is the token of identity that is established in your Kerberos Ticket Cache after successful authentication. This represents your identity and is used when requesting a Service Ticket for any Kerberos-enabled service that you access. |
How it works
When you've logged into your Domain-member laptop, a token of your identity is retained within Windows which local applications can use to determine who you are. Qlik Sense is accessed using a browser, and the Qlik Sense Hub does not know who you are unless you (explicitly) or your browser (implicitly) tells Qlik Sense who you are.
While logging into Windows, your credentials are validated against the Active Directory, and a Kerberos Ticket Granting Ticket (TGT) is delivered into the Kerberos Ticket Cache on your machine. That TGT will remain valid for approximately 8 hours and may be renewed automatically if you have a long day. You could also manually establish a TGT using the KINIT.exe command-line tool, which will validate the supplied username and password against the Active Directory (using the ldap/389 or ldaps/636 protocols) before delivering your TGT (kdc/88).
When your Kerberos-enabled browser attempts to connect to a website that expects Kerberos authentication (signalled by an HTTP 401 response), the browser uses the Kerberos APIs and your TGT to ask the Kerberos Distribution Center (KDC) for a Service Ticket for that website. The Service Ticket contains your encrypted identity and is stored in your Kerberos Ticket Cache. The browser delivers it to the website in response to the authentication challenge, and the website decrypts the Service Ticket to determine who you are. You're logged in!
Enabling Kerberos authentication into Qlik Sense requires that Kerberos Service Principal Names have been created which associate the Qlik authentication URL with the domain service account that the Qlik Sense Proxy (QPS) service runs as. If you access Qlik Sense at https://sense.example.com and your QPS runs as EXAMPLE\qlik then you need to create these SPNs:
Create Service Principal Names
SETSPN.exe -U -S HTTP/sense.example.com EXAMPLE\qlik
SETSPN.exe -U -S HTTP/sense.example.com:4244 EXAMPLE\qlik
SETSPN.exe -U -S HTTP/sense.example.com:4248 EXAMPLE\qlik
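The following Python is an added example, not code from the article or from Qlik. It derives SPNs from service URLs using the rules in the glossary (uppercase service class, lowercase FQDN, only non-default ports, optional @REALM), reproduces the three SPNs the article registers for sense.example.com, and checks a constructed SPN registry for the duplicate-SPN condition that `SETSPN.exe -S` refuses to create. Assumptions: browsers request the `HTTP/` service class for both http and https URLs (the reason the SPNs above are `HTTP/...` although the site is served over https), and the roles of ports 4244 and 4248 are taken from the article without further interpretation.

```python
"""Derive Qlik Sense Proxy SPNs from URLs and check a registry for duplicates."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
QLIK_SENSE_EXTRA_PORTS = (4244, 4248)  # the additional proxy ports the article registers


def spn_for_url(url, realm=None):
    """SPN for an HTTP(S) service URL: uppercase service class, lowercase FQDN,
    a :port suffix only when the port is non-default, optional @REALM."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no host")
    spn = "HTTP/" + parts.hostname.lower()  # browsers ask for HTTP/ even for https sites
    if parts.port is not None and parts.port != DEFAULT_PORTS[parts.scheme]:
        spn += f":{parts.port}"
    if realm:
        spn += "@" + realm.upper()
    return spn


def qlik_sense_spns(base_url, realm=None):
    """The SPN set the article registers: the site URL plus the same host on
    the extra proxy ports."""
    parts = urlsplit(base_url)
    spns = [spn_for_url(base_url, realm)]
    for port in QLIK_SENSE_EXTRA_PORTS:
        spns.append(spn_for_url(f"{parts.scheme}://{parts.hostname}:{port}/", realm))
    return spns


def find_duplicate_spns(registry):
    """registry maps account -> list of SPNs registered on it. Returns
    {spn (lowercased): [accounts]} for every SPN claimed by more than one
    account. A duplicate SPN breaks Kerberos for that service because the KDC
    cannot tell which account's key should encrypt the service ticket; this is
    what SETSPN.exe -S guards against (and SETSPN.exe -X reports)."""
    owners = {}
    for account, spns in registry.items():
        for spn in spns:
            owners.setdefault(spn.lower(), set()).add(account)
    return {spn: sorted(accounts) for spn, accounts in owners.items() if len(accounts) > 1}


def setspn_commands(account, spns):
    """Render the SETSPN.exe commands for a user account, in the article's form."""
    return [f"SETSPN.exe -U -S {spn} {account}" for spn in spns]


# Constructed sample registry: the web server's computer account was also given
# the HTTP SPN by mistake, so the service account and the computer collide.
SAMPLE_REGISTRY = {
    "EXAMPLE\\qlik": ["HTTP/sense.example.com", "HTTP/sense.example.com:4244"],
    "EXAMPLE\\SENSE01$": ["HOST/sense01.example.com", "HTTP/sense.example.com"],
}

if __name__ == "__main__":
    for cmd in setspn_commands("EXAMPLE\\qlik", qlik_sense_spns("https://sense.example.com")):
        print(cmd)
    print("duplicates:", find_duplicate_spns(SAMPLE_REGISTRY))
```

Run `find_duplicate_spns` over an export of the SPNs in the domain before registering new ones; if the HTTP SPN is found on a second account, `SETSPN.exe -S` will refuse the registration, and a pre-existing collision will show up as intermittent or total Kerberos failures for the site.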
The table below lists the HTTP User-Agent for several browsers on Windows, iOS and Android. Kerberos (or NTLM) Single Sign-On will only be attempted if the User-Agent that the browser presents (invisible to the user) contains the string shown in the Windows authentication pattern property of the Virtual Proxy.
| Browser/Platform | HTTP User Agent |
|---|---|
| Chrome/Windows | Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36 |
| Firefox/Windows | Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0 |
| IE11/Windows | Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko |
| Safari/iOS | Mozilla/5.0 (iPad; CPU OS_11_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 |
| Chrome/iOS | Mozilla/5.0 (iPad; CPU OS_11_3 like Mac OS X) AppleWebKit/604.1.34 (KHTML, like Gecko) CriOS/65.0.3325.152 Mobile/15E5216a Safari/604.1 |
| BlackBerry Access/iOS | Mozilla/5.0 (iPad; CPU OS_11_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E5216a Safari/605.1.15 GoodAccess/22.214.171.1240 |
| Qlik Sense Mobile/iOS | Mozilla/5.0 (iPad; CPU OS 11_3 like Mac OS X) AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C114 |
| Chrome/Android | Mozilla/5.0 (Linux; Android 8.0.0; SM-G950F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.109 Mobile Safari/537.36 |
| BlackBerry Access/Android | Mozilla/5.0 (Linux; Android 8.0.0; SM-G950F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3025.4 Mobile Safari/537.36 GoodAccess/126.96.36.1990 |
The default value, Windows, matches only a subset of the browsers that may access Qlik Sense, so many would not achieve Kerberos Single Sign-On even though they are capable of it. Qlik suggests changing this to Mozilla, but also recommends first creating an additional Virtual Proxy that accepts Forms authentication (Windows authentication pattern = Forms) as an alternate/fallback way to reach the Qlik Management Console.
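To see the effect of the pattern on the table above, here is an added Python example (not part of the article, not Qlik code) that applies the substring rule the article describes to a constructed copy of the User-Agent table and reports which browsers would be offered Windows authentication and which would fall through to the Forms fallback. It assumes the proxy's match is a plain case-sensitive substring test, which the article implies but does not state.

```python
"""Which browsers get Kerberos/NTLM SSO for a given 'Windows authentication pattern'?"""

# Constructed copy of the article's User-Agent table, keyed by browser/platform.
USER_AGENTS = {
    "Chrome/Windows": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36",
    "Firefox/Windows": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0",
    "IE11/Windows": "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
    "Safari/iOS": "Mozilla/5.0 (iPad; CPU OS_11_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1",
    "Chrome/iOS": "Mozilla/5.0 (iPad; CPU OS_11_3 like Mac OS X) AppleWebKit/604.1.34 (KHTML, like Gecko) CriOS/65.0.3325.152 Mobile/15E5216a Safari/604.1",
    "BlackBerry Access/iOS": "Mozilla/5.0 (iPad; CPU OS_11_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E5216a Safari/605.1.15 GoodAccess/22.214.171.1240",
    "Qlik Sense Mobile/iOS": "Mozilla/5.0 (iPad; CPU OS 11_3 like Mac OS X) AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C114",
    "Chrome/Android": "Mozilla/5.0 (Linux; Android 8.0.0; SM-G950F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.109 Mobile Safari/537.36",
    "BlackBerry Access/Android": "Mozilla/5.0 (Linux; Android 8.0.0; SM-G950F Build/R16NW) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3025.4 Mobile Safari/537.36 GoodAccess/126.96.36.1990",
}


def sso_attempted(user_agent, pattern):
    """True when the Virtual Proxy would attempt Windows (Kerberos/NTLM)
    authentication with this browser: the pattern must appear verbatim in
    the User-Agent header (case-sensitive substring match, an assumption)."""
    return pattern in user_agent


def coverage(pattern, agents=USER_AGENTS):
    """Split the table into browsers that get SSO and browsers that do not
    (the latter need the Forms fallback Virtual Proxy)."""
    matched = [name for name, ua in agents.items() if sso_attempted(ua, pattern)]
    unmatched = [name for name in agents if name not in matched]
    return matched, unmatched


def best_pattern(candidates, agents=USER_AGENTS):
    """Pick the candidate pattern that covers the most browsers (first wins ties)."""
    return max(candidates, key=lambda p: len(coverage(p, agents)[0]))


if __name__ == "__main__":
    for pattern in ("Windows", "Mozilla"):
        matched, unmatched = coverage(pattern)
        print(f"pattern {pattern!r}: SSO for {len(matched)} browsers, "
              f"fallback for {len(unmatched)}: {unmatched}")
    print("best of Windows/Mozilla:", best_pattern(["Windows", "Mozilla"]))
```

With the default pattern only the three Windows browsers are offered SSO; with Mozilla every row matches, which is why the article pairs that change with a Forms Virtual Proxy so that a browser without a usable TGT still has a way in.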
Here, rather than modifying the Default Virtual Proxy, we've created a Virtual Proxy specifically for testing this integration:
Then enable Kerberos authentication in the properties of the Proxy.
It may come as a surprise, but even though your iPad is not a member of your Windows Domain, it can be configured to perform Kerberos authentication. You will periodically be asked to enter your Domain password to re-establish a TGT, but a list of apps can be configured to use that TGT to request a Service Ticket for a collection of URLs and perform Kerberos authentication into those sites without any further user interaction.
Inspect the kerberos.mobileconfig XML file below. It can be delivered to an iOS device as an email attachment and, when opened, configures the device to enable Kerberos authentication from specific applications to specific websites. The example below is configured to support Safari, Chrome and, experimentally, a few other applications.
When you open this as an attachment in the iOS Mail client, you’re prompted to install it, and eventually asked for your Principal Name. Enter only your Domain UserID. This is combined with the Realm to form the identity that will be used for all subsequent Kerberos interactions, and corresponds with the userPrincipalName in Active Directory. If you want to view or delete this profile from iOS, you’ll find it at the bottom of the General section of the Settings application.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key> <array>
    <dict>
      <key>PayloadType</key> <string>com.apple.sso</string>
      <key>PayloadVersion</key> <integer>1</integer>
      <key>PayloadIdentifier</key> <string>com.example.sso.test.kerberos</string> <!-- Change This -->
      <key>PayloadUUID</key> <string>d86b6548-5300-460e-89e1-31e19034982d</string> <!-- Change This -->
      <key>PayloadDisplayName</key> <string>SSO profile for yourCompany</string> <!-- Change This -->
      <key>PayloadDescription</key> <string>Configures Kerberos Single Sign On</string>
      <key>Name</key> <string>Kerberos Config</string>
      <key>Kerberos</key> <dict>
        <key>Realm</key> <string>EXAMPLE.COM</string> <!-- Change This -->
        <key>URLPrefixMatches</key> <!-- Change This: one entry per Kerberos-enabled site; the original list is not preserved on this page -->
        <array>
          <string>https://sense.example.com/</string> <!-- placeholder -->
        </array>
        <key>AppIdentifierMatches</key> <!-- Apps allowed to use the Kerberos identity -->
        <array>
          <string>com.apple.mobilesafari</string> <!-- Safari -->
          <string>com.google.chrome.ios</string> <!-- Chrome -->
          <string>com.opera.OperaMini</string> <!-- Opera Mini -->
          <string>com.dolphin.browser.iphone</string> <!-- Dolphin -->
          <string>com.initlabs.webview</string> <!-- WebView -->
          <string>com.microsoft.msedge</string> <!-- Microsoft Edge Browser -->
          <string>com.airwatch.secure.browser</string> <!-- VMware Browser -->
          <string>com.mobileiron.securebrowser</string> <!-- MobileIron web@work -->
          <string>com.good.gdgma</string> <!-- BlackBerry Access -->
          <string>com.qlikview.QlikView</string> <!-- QlikView Mobile -->
          <string>com.qlikview.gd.qlikview</string> <!-- QlikView for Good -->
          <string>com.qlik.qliksense.mobile</string> <!-- Qlik Sense Mobile -->
        </array>
      </dict>
    </dict>
  </array>
  <key>PayloadDescription</key> <string>Sets up Safari and other Apps to use Kerberos SSO for certain URLs</string>
  <key>PayloadIdentifier</key> <string>com.example.ssoconfig</string> <!-- Change This -->
  <key>PayloadOrganization</key> <string>yourCompany</string> <!-- Change This -->
  <key>PayloadUUID</key> <string>30EA9E5A-E570-462F-8027-75D1BC136ADA</string> <!-- Change This -->
  <key>PayloadType</key> <string>Configuration</string>
  <key>PayloadVersion</key> <integer>1</integer>
</dict>
</plist>
```
Customers who choose to follow this approach should modify the Kerberos Realm, update the list of Kerberos-enabled URLs, and should really update several of the Payload properties and UUIDs. This approach and guidance is supported by Apple, not Qlik!
- Configuration Profile Reference
- Sam’s Tech Notes (guidance to creating “Kerberos.mobileconfig”)
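Before a profile like the one above is mailed out, it is worth linting it for the things the paragraph above says must be changed. The following Python is an added example (not from the article, not Apple's or Qlik's code): it parses a .mobileconfig with the standard `plistlib` module, flags template values, duplicate or malformed UUIDs and a non-uppercase or template Realm, and applies two least-privilege checks based on Apple's Configuration Profile Reference, which documents that a missing `URLPrefixMatches` makes the account eligible for every http/https URL and a missing `AppIdentifierMatches` lets every app use it. The sample profiles are constructed inline; the "corrected" one uses invented names under the reserved `.test` domain.

```python
"""Lint a Kerberos SSO .mobileconfig before distribution."""
import plistlib
import uuid

PLACEHOLDERS = ("example", "yourcompany")  # strings left over from the template


def _has_placeholder(value):
    return any(marker in str(value).lower() for marker in PLACEHOLDERS)


def check_profile(data):
    """Parse the plist bytes and return a list of findings (empty = passed)."""
    profile = plistlib.loads(data)
    findings = []
    payloads = profile.get("PayloadContent", [])
    # The profile and every payload need a unique, well-formed UUID.
    uuids = [profile.get("PayloadUUID")] + [p.get("PayloadUUID") for p in payloads]
    for u in uuids:
        try:
            uuid.UUID(str(u))
        except ValueError:
            findings.append(f"PayloadUUID {u!r} is not a valid UUID")
    if len(set(uuids)) != len(uuids):
        findings.append("PayloadUUID values are not unique")
    # Identifiers and organisation copied from the template must be replaced.
    for holder in [profile] + payloads:
        for key in ("PayloadIdentifier", "PayloadOrganization"):
            if key in holder and _has_placeholder(holder[key]):
                findings.append(f"{key} still holds a template value: {holder[key]!r}")
    sso = [p for p in payloads if p.get("PayloadType") == "com.apple.sso"]
    if not sso:
        findings.append("no com.apple.sso payload: the profile configures no Kerberos SSO")
    for p in sso:
        krb = p.get("Kerberos", {})
        realm = krb.get("Realm", "")
        if not realm or _has_placeholder(realm):
            findings.append(f"Kerberos Realm is missing or still a template value: {realm!r}")
        elif realm != realm.upper():
            findings.append(f"Kerberos Realm {realm!r} should be uppercase")
        # Per Apple's reference a missing URL list means every http/https site
        # and a missing app list means every app: too broad for a ticket that
        # carries the user's identity, so both are reported.
        urls = krb.get("URLPrefixMatches") or []
        if not urls:
            findings.append("URLPrefixMatches missing: the identity would be offered to every site")
        for url in urls:
            if not url.startswith("https://"):
                findings.append(f"URL prefix {url!r} is not https")
        if not krb.get("AppIdentifierMatches"):
            findings.append("AppIdentifierMatches missing: any app could use the Kerberos identity")
    return findings


def build_profile(realm, urls, apps, identifier, organization, uuids):
    """Assemble a profile shaped like the article's kerberos.mobileconfig."""
    sso = {
        "PayloadType": "com.apple.sso", "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".kerberos", "PayloadUUID": uuids[1],
        "PayloadDisplayName": "SSO profile for " + organization,
        "Name": "Kerberos Config",
        "Kerberos": {"Realm": realm, "URLPrefixMatches": urls, "AppIdentifierMatches": apps},
    }
    top = {
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": identifier, "PayloadOrganization": organization,
        "PayloadUUID": uuids[0], "PayloadContent": [sso],
    }
    return plistlib.dumps(top)


# Constructed samples: the template with its placeholders left in (and a reused
# UUID and a cleartext URL), and a corrected copy with invented .test names.
TEMPLATE = build_profile("EXAMPLE.COM", ["http://sense.example.com/"], [],
                         "com.example.ssoconfig", "yourCompany",
                         ["30EA9E5A-E570-462F-8027-75D1BC136ADA"] * 2)
CORRECTED = build_profile("CORP.ACME.TEST", ["https://sense.corp.acme.test/"],
                          ["com.apple.mobilesafari", "com.qlik.qliksense.mobile"],
                          "test.acme.corp.sso", "Acme",
                          [str(uuid.uuid4()), str(uuid.uuid4())])

if __name__ == "__main__":
    for name, data in (("template", TEMPLATE), ("corrected", CORRECTED)):
        print(name, check_profile(data) or "OK")
```

Point `check_profile` at the bytes of a real file (`open(path, "rb").read()`) to lint a profile exported from an EMM suite; the same parse also catches a file that is not a valid plist at all, since `plistlib.loads` raises on it.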
Kerberos Constrained Delegation
The approach described above applies only to iOS devices, requires the user to occasionally re-enter their password (to refresh the TGT), requires traffic (88/tcp) between the mobile device and the Kerberos Distribution Center, and manages the Kerberos Ticket Cache on the device itself.
An alternative is available which enables more device types, does not require the user to enter any credentials, eliminates client traffic to the KDC, and manages the Kerberos Ticket Cache on a "man in the middle". This is called Kerberos Constrained Delegation and is available with many VPN products.
An SSL Client Certificate would be deployed to the mobile device using an Enterprise Mobility Management tool and used for Device Authentication from the VPN Client to the VPN Gateway. The VPN Gateway can determine the User's Identity from the SSL Client Certificate, and (with elevated rights in Active Directory) request Kerberos Service Tickets on the user's behalf. The Kerberos Ticket Cache is managed on/near the VPN Gateway server.
The VPN Gateway is probably running on a Linux host without a Domain relationship with the Active Directory. It will operate using a Kerberos KeyTab that represents an identity in the Active Directory, and THAT identity must be granted Constrained Delegation Rights (permission) to request Service Tickets for specific destinations (Service Principal Names) on behalf of the end users.
The Qlik requirements for this approach remain the same as above. The integration is performed within the EMM-managed VPN/Connectivity product, and customers are advised to seek guidance from their EMM vendor.
- BlackBerry Dynamics
- VMware Workspace ONE (AirWatch)
- Azure AD Application Proxy
A WebClip is the mobile equivalent of placing a shortcut on your Windows Desktop.
In combination with Kerberos Single Sign-On it's a very appealing way for online users to navigate directly to a Qlik Sense Dashboard without any further user interaction.
A WebClip is normally created using the EMM Suite, contains a URL, an Icon, and optional properties such as whether the user can delete it themselves, and if the URL should be opened in FullScreen/Kiosk mode.
This is further described at Configure a shortcut to a specific Dashboard