Not applicable

How to disable automatically adding users when trying to logon

We run a Qlik Sense server (v2.1.1) on a machine in our domain, and on a machine in a workgroup connected to the internet.

I've configured the authentications of these machines to the 'Windows authentication pattern': form (instead of the default Windows).

The problem is, whenever anybody tries to log on to the HUB, even when the user does not exist, the typed-in user is added to the users in Qlik Sense. Because one of the servers is available to the internet, we really want to disable this feature. If the user is not allowed, I do not want that user in Qlik Sense as a user...

How to disable this automatic adding of users?

11 Replies
lhr
Employee

hello,

do you mean that the users get added even if the authentication fails (i.e., login credentials are not valid)?

cheers,

lars

Gysbert_Wassenaar

The user will be added, but it will not have any access just because he/she contacted the hub. Qlik Sense does not add any authorization. You have to assign authorizations to users in the QMC. Qlik Sense also does not authenticate a user. So if that user does not exist in your authentication system (for example Active Directory) or presents incorrect credentials then the user will not get access. Only when your authentication system successfully authenticates the user and you've provided authorizations for that user can that user access anything.


talk is cheap, supply exceeds demand
Not applicable
Author

Yes, whatever you type into the logon page.

For example: try to log on with username 'bazinga\sheldon' with password 'knock3x'

This will result in an extra user in Qlik Sense with User directory 'Bazinga' and userid 'sheldon'.

Even if there is no user directory with that name, and no existing user.

The problem is, if you make a mistake in your domain name and/or user name, there will be a new user.

Not applicable
Author

I know you're right, but as I stated in the reply above, one little mistake when trying to log on as a valid user will result in a user (indeed with no rights) in the system.

Our Qlik Sense server is connected to the internet, thus, everyone who wants to bully our company will try to spam us with wrong user names and passwords so our Qlik Sense server will be containing thousands of users....

Gysbert_Wassenaar

And they will all be stored in a database where you won't have any bother from them. It's very unlikely you'll ever notice a performance degradation from that. But if you're worried about a denial of service attack then you should use an authenticating proxy in front of your Qlik Sense server. Random users overloading your Qlik Sense Proxy with connections is a bigger problem than the amount of usernames stored in the Repository.


talk is cheap, supply exceeds demand
lhr
Employee

hello,

to answer your question -- there is no way to disable adding users. but that being said, they should not be added if the authentication fails. I will investigate further.

thanks!

lhr
Employee

hello,

we tried qlik sense 2.1.1 with forms authentication but could not see the user that failed authentication in the QMC. is there any more information you could provide?

thanks!

Gysbert_Wassenaar

Hi Lars,

This effect is mentioned in the Administer and Maintain Qlik Sense training manual:

4.1.1 Users and licenses

Before anyone can use Qlik Sense, they must be added to the system and licensed. There are two ways that users are added to Qlik Sense Enterprise.

  • Local Security Layer—Any user already in the operating system’s security layer (Local User Directory or Active Directory, for example) who tries to connect to Qlik Sense is added to the user directory. Those users are not granted access to any resources until they are licensed, but they appear in the user directory.
  • Directory Sync—After a User Directory Connector (UDC) is configured, users from that directory can be added or synchronized into Qlik Sense. Those users are not granted access to any resources until they are licensed, but they appear in the user directory.

The first method for adding users into Qlik Sense Enterprise is to have a user attempt to log in using the usual login credentials. By doing so, they are not granted access to Qlik Sense (because they do not yet have a license), but they are recorded in the user list.

The training actually makes use of this feature to add the first user to the training environment.

Note, if I'm not allowed to quote from the training manual please remove this post.


talk is cheap, supply exceeds demand
lhr
Employee

hello Gysbert,

the problem that Dennis is seeing is that users are added to qlik sense even if they fail to authenticate. what the training manual says is that authenticated users are added, even though they are not authorized to access the system.

cheers,

lars