4 Replies Latest reply: Oct 14, 2016 2:17 AM by anant dubey RSS

    qvs://... could not be opened by IE plugin; "Session stop reason: can't secure" with header authentication

    Magnus Holmgren

      QVS 11.20R5 and matching IE plugin; IIS 7.0; IE 11.


      Opening a document with the IE plugin from QV AccessPoint yields (after a while) the generic "qvp://full.domain.name/document.qvw?iis_authenticate=ABCDABCD...&tunneler=https://full.domain.name/Scripts/QVStunnel.dll?host=hostname could not be opened" kind of error message.


      The plugin leaves a hint in the IIS log in the form of the query string "host=hostname+Unable+to+receive+length+from+localhost:4774+(0!=4)+{0}" and the QVS event log says "Ticket created: Ticket (ABCDABCD...)" (matching the iis_athenticate parameter) followed by "Session stop reason: can't secure".


      What's special about this setup is that we're using "header" as authentication type with a custom header name; there's no user directory available (we're using federated authentication with Shibboleth and ADFS). Authorization is set to DMS. I tested adding a custom directory, containing my username, to no avail.


      Port 4747 is not open and we'd rather keep it that way; /Scripts/QVStunnel.dll?test tells me that the tunnel dll is functional. AjaxZfc works.


      Is there any technical documentation available as to how this iis_authenticate token works and what "cant't secure" might mean? I'm assuming that the token identifies and authenticates the user and that no further authentication takes place. Right? Could the problem be TLS related?


      Bonus question: I thought the point of "Always tunnel" was to tell AccessPoint to tell the plugin not to try port 4747, but it does anyway. What is the point then?