Solved: Problem with header authentication, AD groups and ... - Qlik Community

Anonymous · ‎2012-03-30

Hello everyone,

I am trying to setup a Qlikview 10 server with:

HTTP header authentication (in conjunction with a SSO system)
Active Directory integration for group resolution (with Directory Service Connector)
Section Access to restrict application usage to specific groups

My problem is that it does not work. As a user U, member of group G, I can open a Qlikview application if user U is listed in Section Access but i cannot open the same Qlikview application if the group G is listed in Section Access instead.

As the SSO system returns user names with no domain, we have configured the Qlikview Web Server to use header authentication with the AD domain as a prefix : "DOMAIN\". With this configuration, on the top right corner of the Accesspoint I can see a fully qualified user name : DOMAIN\USER instead of only USER.

In the Directory Service Connector logs we can also see that group resolution is working for the user DOMAIN\USER. And as a result, the list of applications shown in the Accesspoint is correct.

But when I try to open my application, Qlikview asks me for a USERID and PASSWORD...

Do you see an explanation for this to happen?

Best regards,

Damien

Anonymous · ‎2012-04-03

Hi Matt and many thanks for your answer.

I managed to make it work by changing the prefix as you suggested but I did not use "CUSTOM\"...

I simply changed "my_domain_name\" to "MY_DOMAIN_NAME\" and everything works like a charm now

Bye!

View solution in original post

Anonymous · ‎2012-04-02

Any help ? Suggestion ?

Bill_Britt · ‎2012-04-02

Asking for USERID and PASSWORD is section access. To pass your ID you need to configure your section access correctly.

Bill - Principal Technical Support Engineer at Qlik
To help users find verified answers, please don't forget to use the "Accept as Solution" button on any posts that helped you resolve your problem or question.

Anonymous · ‎2012-04-03

Hi Bill and thank you for answering.

Actually, my section access seems to be correctly configured but I use NTNAME instead of USERID and PASSWORD.

I use 2 QVW files for testing. One with Section Access like this:

LOAD * INLINE [
     ACCESS, NTNAME
     USER, my_domain\MY_USER_NAME
];

And a second one with Section Access like this:

LOAD * INLINE [
     ACCESS, NTNAME
     USER, MY_DOMAIN\MY_GROUP_NAME
];

These two files open nicely on local client (standard NT authentication) but only the first one opens when accessed through the server (with header authentication).

Damien

Report Inappropriate Content · ‎2012-04-03

Hi Damien

I think the problem migh be that you can't use your domain as a prefix to the username when using header authentication as QlikView will try validate the user against the AD which it can't because its simply receiving a username not pass through authentication. Try prefix the username with "CUSTOM\" instead which QlikView considers to be its own custom directory service.

Matt

Anonymous · ‎2012-04-03

Hi Matt and many thanks for your answer.

I managed to make it work by changing the prefix as you suggested but I did not use "CUSTOM\"...

I simply changed "my_domain_name\" to "MY_DOMAIN_NAME\" and everything works like a charm now

Bye!

Report Inappropriate Content · ‎2012-04-03

Ah yes, QV is a little funny about having domains, etc in uppercase. Glad it's working now!

Matt

Problem with header authentication, AD groups and section access