Peter_Cammaert
Partner - Champion III

Is Section Access ignoring the domain part of NTNAME?

I am having this weird situation where QlikView Server is granting access to a user that resides in a different domain than the one specified by the NTNAME field.

Imagine a user in the original domain ABC has an NTNAME value in Section Access of ABC\BOB. That user has been moved to a new domain XYZ weeks ago, and since then is unable to log into the old domain in Windows. So everywhere in QlikView (CAL assignment, distributions etc.) this user is now known as XYZ\BOB. Printing =OSUser() in a text box on a sheet confirms his AD identity.

Unfortunately, NTNAME still specifies ABC\BOB which would in my opinion deny access to this document to user BOB. Not so... The user XYZ\BOB with NTNAME value ABC\BOB is still granted access to the document.

Is Section Access ignoring the domain part when comparing NTNAME values to the logon ID as returned by the OS?

Note that Section Access is working (user XYZ\PHIL cannot get in: Access Denied) and NTNAME has an exact copy in a field in Section Application field for inspection. This field is also reduced to ABC\BOB by Data Reduction.

Peter

7 Replies
marcus_sommer

Hi Peter,

That sounds very strange and I could only think of silly questions like: Is strict exclusion enabled? Is Session recovery enabled? Would clearing the browser cache be helpful?

Which releases of QV and which client/browser are used?

- Marcus

Peter_Cammaert
Partner - Champion III
Author

Hi Marcus, thanks for replying.

As to your questions (they're far from silly, on the contrary):

  • Yes, strict exclusion has been enabled. This is shown by the NTNAME field copy getting reduced to the ID of the current user. Only with the wrong domain.
  • Yes, Session recovery is enabled. However, if that would circumvent security, then we're in deep s**** trouble.
  • No, that doesn't help anything. Unfortunately, whatever external fixes we apply, the documents keep showing conflicting OSUser/NTNAME values.

We're using 11.20SR12 with the AJAX client in a variety of browsers (mainly IE and Chrome)

Peter

Colin-Albert

I suppose the question is whether the user is being authenticated against their NTNAME or SID?

If the authentication is by the user's SID, then changing the user's domain does not change the SID, so authentication is still valid - this would explain why other users in the new domain do not access QlikView.

There is a post from a few years ago asking the question but with no response.

Qlikview use AD Group Name or SID ?

marcus_sommer

Purely logically, it doesn't make sense for Section Access to ignore the domain, especially because with NTDOMAINSID and NTSID there exist further methods to restrict access. Therefore it could be a bug in this release or since release x.

Another thought is that the problem is caused by the way Qlik handled and transferred the information from the OS which performed the authentication. In short, I think it's not so much a problem of authorization as of authentication.

- Marcus

Peter_Cammaert
Partner - Champion III
Author

True Colin, and I can only find vague references in very old Qlik training material to what looks like a real string compare, not an SID translation. I guess they're not using the SID technique as the two domains are still active and all users reside in both domains. Makes it even more scary.

Peter

Colin-Albert

Hi Peter,

Are you able to extend the logic of the Section Access table to use the NTDOMAINSID to set the access permissions to the data?

NTDOMAINSID is available as a field in the Section Access table, but there is no function in QV to show the current user's SID. It looks like you will have to investigate with a tool like PSGetSID or PowerShell.

marcus_sommer

From the Introduction_to_Section_Access:

The NTDOMAINSID can be derived from the script, “Edit”->”Insert Domain SID”

The NTSID can be generated via free 3’rd party applications such as “Getsid.exe”.

- Marcus
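
The SID check suggested in the replies above can be done with PowerShell alone. The following is an added example, not part of any post in this thread and not Qlik's own code: it resolves both account names to their user and domain SIDs and compares them. `ABC\BOB` and `XYZ\BOB` are the names used in the thread, and `Resolve-AccountSid` is a hypothetical helper name.

```powershell
# Added example: resolve DOMAIN\user names to SIDs and compare them.
# Run on a machine that can reach both domains.
function Resolve-AccountSid {
    param([Parameter(Mandatory)][string]$Account)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    try {
        $nt  = New-Object System.Security.Principal.NTAccount($Account)
        $sid = $nt.Translate($sidType)
        [pscustomobject]@{
            Account   = $Account
            UserSid   = $sid.Value
            # Domain part of the SID; empty for SIDs that are not domain accounts
            DomainSid = $sid.AccountDomainSid.Value
            Resolved  = $true
            Error     = $null
        }
    }
    catch {
        # Name could not be mapped (account removed, domain unreachable, typo)
        [pscustomobject]@{
            Account   = $Account
            UserSid   = $null
            DomainSid = $null
            Resolved  = $false
            Error     = $_.Exception.Message
        }
    }
}

# Names taken from the thread; replace with the real accounts.
$old = Resolve-AccountSid 'ABC\BOB'
$new = Resolve-AccountSid 'XYZ\BOB'

$old, $new | Format-List Account, UserSid, DomainSid, Resolved, Error

$bothResolved = $old.Resolved -and $new.Resolved
"Same user SID   : {0}" -f ($bothResolved -and ($old.UserSid -eq $new.UserSid))
"Same domain SID : {0}" -f ($bothResolved -and ($old.DomainSid -eq $new.DomainSid))

# Identity of the session running this script, for comparison with =OSUser()
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"Current session : {0} -> {1}" -f $me.Name, $me.User.Value
```

The output shows whether the two names map to one SID or to two, and `DomainSid` is the part to compare against the value that "Insert Domain SID" places in the script.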