Skip to main content
Announcements
Have questions about Qlik Connect? Join us live on April 10th, at 11 AM ET: SIGN UP NOW
cancel
Showing results for 
Search instead for 
Did you mean: 
millnet-maho
Partner - Contributor III
Partner - Contributor III

qvs://... could not be opened by IE plugin; "Session stop reason: can't secure" with header authentication

QVS 11.20R5 and matching IE plugin; IIS 7.0; IE 11.

Opening a document with the IE plugin from QV AccessPoint yields (after a while) the generic "qvp://full.domain.name/document.qvw?iis_authenticate=ABCDABCD...&tunneler=https://full.domain.name/Scripts/QVStunnel.dll?host=hostname could not be opened" kind of error message.

The plugin leaves a hint in the IIS log in the form of the query string "host=hostname+Unable+to+receive+length+from+localhost:4774+(0!=4)+{0}" and the QVS event log says "Ticket created: Ticket (ABCDABCD...)" (matching the iis_athenticate parameter) followed by "Session stop reason: can't secure".

What's special about this setup is that we're using "header" as authentication type with a custom header name; there's no user directory available (we're using federated authentication with Shibboleth and ADFS). Authorization is set to DMS. I tested adding a custom directory, containing my username, to no avail.

Port 4747 is not open and we'd rather keep it that way; /Scripts/QVStunnel.dll?test tells me that the tunnel dll is functional. AjaxZfc works.

Is there any technical documentation available as to how this iis_authenticate token works and what "cant't secure" might mean? I'm assuming that the token identifies and authenticates the user and that no further authentication takes place. Right? Could the problem be TLS related?

Bonus question: I thought the point of "Always tunnel" was to tell AccessPoint to tell the plugin not to try port 4747, but it does anyway. What is the point then?

4 Replies
Not applicable

Hi everyone.

Today, i pass the same problem.

So, i can resolved desable the security in the internet option, the Internet and Local Intranet.

Is my tip.

Hugs.

Bill_Britt
Former Employee
Former Employee

Hi,

If you are going to block port 4747, it has to tunnel. I would use the attached document to make sure you have correctly setup tunneling.

Bill

Bill - Principal Technical Support Engineer at Qlik
To help users find verified answers, please don't forget to use the "Accept as Solution" button on any posts that helped you resolve your problem or question.
Not applicable

Hi Bill,

no problem with port 4747. This case is only one user, using IE 11. In other computer using IE10, the same user don´t have problem with qvw.

So, i disable the security the IE and problem is solved.

You understand?

Hugs.

Anonymous
Not applicable

Hi Paulo,

What is the exact steps you did in Security setting in IE browser,

actually my problem is same you resolved all the other user can access dashboard but one

particular user is having this IIS authenticate /tunnel  problem.

Can you please let me know exact steps to disable security in browser of IE 11

Thanks

Anant