Not applicable

Ticket API authentication getting 403 Forbidden

Hi,

We're trying to authenticate users through the ticket API and we're getting a 403 Forbidden error. I'm really not sure where exactly the issue might be, whether it's caused by Qlik not finding the user or something else.

Where can I find more information on how to fix this issue?

Here's the POST we're sending (redacted the private information).

POST https://***:4243/qps/tst/ticket?Xrfkey=0123456789abcdef

HEADERS:
X-Qlik-Xrfkey: 0123456789abcdef
Content-Type: application/json

BODY:
{
  "UserDirectory": "MyDirectory",
  "UserId": "myUser",
  "CertificateLocation": 2,
  "CertificateName": "***",
  "TargetId": "6ee5fc59-8a92-481a-8108-0a4748a281a8",
  "Attributes": []
}

Here's the response we're getting.

The remote server returned an error: (403) Forbidden.

1 Solution

Accepted Solutions
Not applicable
Author

OK, so I figured out what was going on after 2 days of research. I'll give here how I managed to figure out the issue and fix it.

So, first thing: the error was returned by the call to the HttpWebRequest's GetRequestStream() method. It was therefore not really linked to an issue with Qlik but to an ASP.net issue.

I've activated the logging for System.Net by adding this configuration to the web.config of my web app.

<system.diagnostics>
  <trace autoflush="true" />
  <sources>
    <source name="System.Net">
      <listeners>
        <add name="System.Net" />
      </listeners>
    </source>
    <source name="System.Net.Sockets">
      <listeners>
        <add name="System.Net" />
      </listeners>
    </source>
    <source name="System.Net.Cache">
      <listeners>
        <add name="System.Net" />
      </listeners>
    </source>
  </sources>
  <sharedListeners>
    <add name="System.Net" type="System.Diagnostics.TextWriterTraceListener" initializeData="System.Net.trace.log" />
  </sharedListeners>
  <switches>
    <add name="System.Net" value="Verbose" />
    <add name="System.Net.Sockets" value="Verbose" />
    <add name="System.Net.Cache" value="Verbose" />
  </switches>
</system.diagnostics>

This allowed me to get the real underlying issue, which was: AcquireCredentialsHandle() failed with error 0X8009030D

After a little bit of Googling, I figured out that the issue was that the application pool in which my web app was running didn't have access to the private key of the QlikClient certificate. This is quite easy to fix.

First, you need to get to the certificate store:

  • Open the certificates MMC.
    • Open MMC
    • Click File –> Add/Remove Snap-in…
    • Choose Certificates and click Add
    • Select Computer Account and click Finish

Then, right-click the QlikClient certificate in the certificate store and choose "All tasks -> Manage private keys".

You should have a "Windows" permission showing; you need to add the user that is running your application pool. So if your application pool is called "TestAppPool", you should add the user "IIS AppPool\TestAppPool". You can give this user only "Read" permissions and it should work.
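A scripted equivalent of the MMC steps in the accepted solution, as an added example that is not part of the original post. It assumes an elevated PowerShell session on the web server, that the certificate is in the `Cert:\LocalMachine\My` store with "QlikClient" in its subject, and that the private key is a software-stored RSA key; the app pool name is the thread's "TestAppPool".

```powershell
# Added example (not from the original post). Store path and subject match are assumptions.
param(
    [string]$SubjectMatch = 'QlikClient',
    [string]$AppPoolName  = 'TestAppPool',
    [string]$StorePath    = 'Cert:\LocalMachine\My'
)

# Locate exactly one matching certificate so the ACL is never changed on the wrong key.
$certs = @(Get-ChildItem -Path $StorePath | Where-Object { $_.Subject -like "*$SubjectMatch*" })
if ($certs.Count -ne 1) {
    throw "Expected one certificate matching '$SubjectMatch' in $StorePath, found $($certs.Count)."
}
$cert = $certs[0]

# A certificate imported without its private key cannot authenticate the client at all.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key in this store."
}

# Resolve the name of the key file that backs the certificate (CNG or legacy CSP).
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $rsa) { throw 'The certificate does not carry an RSA private key.' }
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName
} else {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}

# Machine keys live in one of these two folders depending on the provider.
$keyFile = @(
    "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\$keyName",
    "$env:ProgramData\Microsoft\Crypto\Keys\$keyName"
) | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $keyFile) { throw "Key file '$keyName' not found under ProgramData\Microsoft\Crypto." }

# Grant the app pool identity Read only, as in the accepted solution.
$identity = "IIS AppPool\$AppPoolName"
$acl  = Get-Acl -LiteralPath $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $keyFile -AclObject $acl

# Print the resulting entry so the change can be verified.
(Get-Acl -LiteralPath $keyFile).Access |
    Where-Object { $_.IdentityReference -like "*$AppPoolName" } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType
```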


4 Replies
Alexander_Thor
Employee

CertificateLocation and CertificateName in the body are not needed.

Are you signing your request with the exported certificates from Qlik Sense?

The 403 indicates that your request is not allowed, the user does not have to exist in Sense. Since you sign the request with the export certificates from Qlik Sense we will trust you and create whatever user you send in.

Not applicable
Author

Hi Alexander,

Thanks for your help. I indeed was confused by what certificate to use to create the connection. I managed to go past the first error, but now get another error:

The request was aborted: Could not create SSL/TLS secure channel.

It's probably still linked to that certificate issue. Here's what I did to create and configure the certificate:

  1. I went to the QMC and in the certificate tab
  2. Clicked on the "Add machine name" and added the IP Address of my "client" server (should it be the public or private IP? Is it important? Should I put something else? Both machines are not on the same network / domain)
  3. Added a certificate password, did not include the secret key and exported it to the Windows format
  4. Clicked on export certificates
  5. Took the root and client certificates from the Qlik folder and copied them to my "client" server
  6. Installed both the root and client certificates on the server's "local machine" certificate directory

I'm then using this open source project GitHub - braathen/qlik-auth-net: ASP.NET module for simplifying custom authentication with Qlik Sens... to test. It seems to correctly sign the request using the client certificate, so I'm not really sure why I get the error message.

Could it be a configuration issue on Qlik's side?

Thanks

Not applicable
Author

Sorry, I didn't answer you directly. Could you check my other message in the thread?
