Skip to main content
Announcements
Have questions about Qlik Connect? Join us live on April 10th, at 11 AM ET: SIGN UP NOW
cancel
Showing results for 
Search instead for 
Did you mean: 
andy
Partner - Creator III
Partner - Creator III

Users with a WebTicket are asked for credentials but are let in if cancelled

Hi folks,

I'm into integrating Qlikview with an Linux-based Java webportal.

Running QV 11 SR2 with QVWS.

On server system-security tab in QMC:

     Anonymous users prohibited

     DMS authorization selected

On QVWS authentication-tab

     Always

     Ntlm

     Default login page

I have some Named CALs and some Session Cals as well as some Usage Cals.

Users log in to the portal and the MySQL-DB associated with the portal holds two tables, one for entities and one for groups as stated in the help of 'Configurable ODBC'  DSC

Not very documented is that the two tables/ views shall look like

entityid     name     descr     email

1               Gunnar     Gunnar     Gunnar@company1.com

2               user2     user1     user2@company1.com

3               group1   group1    

4               user3     user1     user3@company1.com

groupid     memberid

3                  1

3                  2

3                  4

Anyway that stuff seems to work since I'm able to distribute documets to the users in that table.

Then the Java-code on the Linux-machine asks for a WebTicket from the QV-server.

http://QvServer/QVAJAXZfc/GetWebTicket.aspx?cmd=<Global method='GetWebTicket'><UserId>TWT_test\Gunnar</UserId></Global>

The QVS then asks for the credentials of a user on the QV-windows server that is member of the Qlikview Administrators group.

That users credentials are passed in from the Java-code with the use of cURL

The response is a ticket:

<Global>

<_retval_>331+WjqpV2WLGgn1etnoLYLRQ4FvsqsAl7em8Muh</_retval_>

</Global>

That ticket is used in a URL to let the user in.

In my case I perform the above links in Chrome signing in with my standard user when asked so being a member of the "Qlikview Adminsitrators" group.

Then to avoid the browser sending my standard credentials behind the scene when using the link below I test this by using an incognito window in Chrome:

I can point the user with the WebTicket to the AccessPoint

http://QVServer/QVAJAXZfc/Authenticate.aspx?type=html&webticket=331+WjqpV2WLGgn1etnoLYLRQ4FvsqsAl7em8Muh&try=http://QVServer/qlikview/&back=http://www.yahoo.com

The user can see the QV-documents he is allowed to see on the server and in the upper right corner I can see "Welcome Gunnar"

BUT BUT BUT when he select a document a LOGIN-prompt is fired.

Now comes the funny thing. If I cancel the LOGIN-prompt the document will show up!

The LOGIN-prompt is also there if I point the URL directly to a document:

http://QVServer/QVAJAXZfc/Authenticate.aspx?type=html&webticket=331+WjqpV2WLGgn1etnoLYLRQ4FvsqsAl7em8Muh&try=http://QVServer/QVAJAXZfc/opendoc.htm?document=Development/QVSystemMonitor_v4.qvw&host=QVS@softhouse7&back=http://www.google.com

Any hints on what to do to get rid of the annoying useless LOGIN-prompt?

/Andy

17 Replies
Not applicable

Hi,

try to set the Login Addess in QVWS to "Alternate login page" and "Allow anonymous" in QVS, Regards.

Corrado

Not applicable

I have the same issue on my v11 sr2 machine:

I can see here with a few suggestions:

1. change to NTLM (it works!!)

2. upgrade from SR1 to SR2 (but we already in sr2)

3. QVWS to "Alternate login page" and "Allow anonymous" (Not work)

Although NTLM's method is work, we are not going to use any windows authentication. We even removed the AD directory service info. Don't know why NTLM still work.

Would somebody have another methods other than NTLM or somebody can let me know what NTLM authentication is doing?

Thanks

agigliotti
Partner - Champion
Partner - Champion

Hello,

I'm using version 11.20.11705.0 and I faced some problems using DSC Configurable ODBC for MS SQL database.

Can you tell me as you set the below parameters in "DSP Settings" window ?

- Entity name

- Data Source Name

- Conn db name

- Database backend

- Override connection string

beacuse I'm not sure about their meaning.

Many Thanks

Regards

andy
Partner - Creator III
Partner - Creator III
Author

Cache expiry in minutes

*

Conn db name

*

Data source name

*

Directory label

*

Entity name

*

Entity table db name

*

Groups table db name

*

Override connection string

*

Service timeout in seconds

*

Then in the DB-schema called twt (Conn db name above) there exists two views like this:

Directory label is just any nice name you like

qv_entity

----------------

id

entity_name

descr

email

For example

id          entity_name          descr          email

21          good-customer

22          bad-customer

10242          user36

10243          user37

101000          user8

   

qv_groups

-----------

id

memberid

groupid

for example

id          memberid          groupid

242          10242                    21

243          10243                    21

1000          101000                    22

user36 and user37 are then connected to the group good-customer and user8 to bad-customer

brgds

Andy

agigliotti
Partner - Champion
Partner - Champion

Hello Andy,

Thanks for your replay.

What does "Data source name" means ?

Actually I'm using "SQL Server" as driver name to connect to MS SQL database server while the system data source name is "XXX".

Many Thanks.

Regards

andy
Partner - Creator III
Partner - Creator III
Author

Hi,

That is the driver you are using.

To see some examples go to

http://www.connectionstrings.com/

Select your DB and if you scroll down you find examples with a 'Driver=' parameter.

You will find your actual string by going to Administrative Tools->Data Sources (ODBC) click on ADD and you have a list of your installed DB-drivers.

/Andy

agigliotti
Partner - Champion
Partner - Champion

Hi Andy,

So if I well understood it's not needed to create a new system data source name and therefore specify it in the DSP Settings !?

Is this right ?

Thanks and a have a nice day

Andrea

andy
Partner - Creator III
Partner - Creator III
Author

Hi,

I don't understand what you mean but there is no need to create any data source under Administrative Tools.

Actually what you are doing is that you are building a connection string by filling in the different boxes.

Under the hood I think the fields are just concatenated with some prefixes like Driver= to build up a connectionstring.

If you don't want to use the boxes you can define your own complete connection string in the 'Override connection string' field.

/Andy