<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: AD user accounts not displaying in Qlik Data Catalyst Security module in Catalog and Lineage</title>
    <link>https://community.qlik.com/t5/Catalog-and-Lineage/AD-user-accounts-not-displaying-in-Qlik-Data-Catalyst-Security/m-p/1647047#M139</link>
    <description>&lt;P&gt;&lt;FONT color="#0000FF"&gt;My entire Authentication section is commented out with the exception of one line.&amp;nbsp; Excerpt below:&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT color="#808080"&gt;&amp;nbsp; &amp;nbsp; # Kerberos realm / Active Directory domain name. This is appended to the username entered into&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT color="#808080"&gt;&amp;nbsp; &amp;nbsp; # the login page. For legacy reasons, it is the same name as the Java system property above.&lt;/FONT&gt;&lt;BR /&gt;&lt;STRONG&gt;&amp;nbsp; &amp;nbsp; java.security.krb5.realm=TOYSTORY.REALM&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT color="#808080"&gt;&amp;nbsp; &amp;nbsp; # See the following for more information:&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT color="#808080"&gt;&amp;nbsp; &amp;nbsp; # &lt;A href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html" target="_blank" rel="noopener"&gt;https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html&lt;/A&gt;&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT color="#808080"&gt;&amp;nbsp; &amp;nbsp; # Regular exp&lt;/FONT&gt;&lt;/P&gt;</description>
    <pubDate>Thu, 14 Nov 2019 19:08:05 GMT</pubDate>
    <dc:creator>steffan_holmquist</dc:creator>
    <dc:date>2019-11-14T19:08:05Z</dc:date>
    <item>
      <title>AD user accounts not displaying in Qlik Data Catalyst Security module</title>
      <link>https://community.qlik.com/t5/Catalog-and-Lineage/AD-user-accounts-not-displaying-in-Qlik-Data-Catalyst-Security/m-p/1646554#M131</link>
      <description>&lt;P&gt;From the Security module &amp;gt;&amp;gt; Manager Users screen, I do not see any of the AD users listed - only the users that I created locally before my AD integration.&amp;nbsp;&lt;EM&gt;&lt;FONT color="#0000FF"&gt;(screen shots attached)&lt;/FONT&gt;&lt;/EM&gt;&lt;/P&gt;&lt;P&gt;I have successfully linked Active Directory; test connection was successful.&lt;/P&gt;&lt;P&gt;Synchronization was successful &lt;EM&gt;&lt;FONT color="#0000FF"&gt;(screen shots attached)&lt;/FONT&gt;&lt;/EM&gt;&lt;/P&gt;&lt;P&gt;An AD user can successfully log into Data Catalyst.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 07 Dec 2021 22:35:04 GMT</pubDate>
      <guid>https://community.qlik.com/t5/Catalog-and-Lineage/AD-user-accounts-not-displaying-in-Qlik-Data-Catalyst-Security/m-p/1646554#M131</guid>
      <dc:creator>steffan_holmquist</dc:creator>
      <dc:date>2021-12-07T22:35:04Z</dc:date>
    </item>
    <item>
      <title>Re: AD user accounts not displaying in Qlik Data Catalyst Security module</title>
      <link>https://community.qlik.com/t5/Catalog-and-Lineage/AD-user-accounts-not-displaying-in-Qlik-Data-Catalyst-Security/m-p/1646653#M136</link>
      <description>&lt;P&gt;Hi Steffan,&lt;/P&gt;&lt;P&gt;In my case the AD configuration is OK, I can synchronize too, I can see the users in the security module, but &lt;STRONG&gt;the users are not able to connect to QDC using their AD account&lt;/STRONG&gt;...&lt;/P&gt;&lt;P&gt;I have the following error in the logs:&lt;/P&gt;&lt;P&gt;&lt;EM&gt;Kerberos authentication for user 'datacatalyst@xxxxxxx.local' failed: Generic error (description in e-text) (60) - Unable to locate KDC for realm xxxxxxxx.LOCAL [KerberosAuthenticationProvider[http-bio-8080-exec-312]]&lt;/EM&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;I don't really understand why...&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Can you please tell me what documentation you've followed to set up Active Directory?&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Hopefully we will get it fixed for both of us if we share our configs.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Can you please tell me what you have in the "Authentication" section of the core_env.properties file?&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;I have the following:&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;##################################
### Authentication             ###
##################################

# Authentication modes (case-insensitive): PODIUM, KERBEROS, SAML.
# This is for authenticating access to the Podium server (UI or API). Default: PODIUM
authentication.mode=PODIUM

# Valid values are: ORACLE or IBM. If using ORACLE and Kerberos authentication,
# java.security.krb5.realm and java.security.krb5.kdc must be specified. Default: ORACLE
#jdk.version.spec=ORACLE

# If the Podium server is Kerberized, it will have a configuration file like /etc/krb5.conf, which
# contains the necessary realm-to-KDC mappings. If the server is not Kerberized, then the realm
# and KDC are set by using both of the following Java system properties, passed to Tomcat at
# startup (e.g., in setenv.sh):
#   -Djava.security.krb5.realm=YOUR_REALM.COM
#   -Djava.security.krb5.kdc=your.kdc.com

# Kerberos realm / Active Directory domain name. This is appended to the username entered into
# the login page. For legacy reasons, it is the same name as the Java system property above.
#java.security.krb5.realm=TOYSTORY.REALM

# See the following for more information:
#   https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html

# Regular expression, used in both KERBEROS and SAML authentication, to enable cross realm
# authentication. If the login name matches this pattern, it will be left unmodified. If it does
# not match this pattern, the realm / domain name above will be used. Change "ANOTHER_REALM" in the
# example to the alternative realm name. This property assumes that it is the same user logging
# into both realms. For example, users jsmith@company.com and jsmith@company.overseas.com both
# represent the same user, and this company has been setup with multiple pseudo-
# independent realms/domains.
# Also, Hadoop impersonation does not accept fully qualified actor names of the format
# jsmith@company.com. Instead, it only accepts the simple user name jsmith. The regular expression
# below is also used to extract the actor name jsmith (first matcher group) from the fully
# qualified user name. Therefore, if using fully qualified user names to log into Podium,
# uncomment this property or else impersonation will fail.
#another.realm.username.pattern=^([A-Za-z0-9]+)([._-]([0-9A-Za-z_-]+))*@([A-Za-z0-9]+)([.]([0-9A-Za-z]+))*([.]([A-Za-z0-9]+){2,4})$

# Enable detailed Kerberos logging. Keeping this property set to false is recommended, because
# detailed Kerberos logging can write the user password to the log. Default: false.
#debug=false

# The SAML metadata provider can be an HTTP provider or an XML file in the classpath
# (e.g., /metadata/okta.xml)
#saml.metadata.provider=https://dev-519244.oktapreview.com/app/exk7y30wlbho83ej70h7/sso/saml/metadata
#saml.entity.id=entity.sid.ad.podiumdata.net
#saml.entity.baseurl=
#saml.logout.url=
#saml.keystore.path=/saml/samlKeystore.jks&lt;/LI-CODE&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Do you also have something about Kerberos in the logs when a user tries to connect ?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Thanks&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Best regards,&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Thiebaud&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 13 Nov 2019 19:18:08 GMT</pubDate>
      <guid>https://community.qlik.com/t5/Catalog-and-Lineage/AD-user-accounts-not-displaying-in-Qlik-Data-Catalyst-Security/m-p/1646653#M136</guid>
      <dc:creator>ThiebaudS</dc:creator>
      <dc:date>2019-11-13T19:18:08Z</dc:date>
    </item>
    <item>
      <title>Re: AD user accounts not displaying in Qlik Data Catalyst Security module</title>
      <link>https://community.qlik.com/t5/Catalog-and-Lineage/AD-user-accounts-not-displaying-in-Qlik-Data-Catalyst-Security/m-p/1646994#M137</link>
      <description>&lt;P&gt;AD user accounts display when your role is SuperUser.&lt;/P&gt;&lt;P&gt;Only one account is assigned the role of SuperUser - the default Podium account that is present upon installation.&lt;/P&gt;</description>
      <pubDate>Thu, 14 Nov 2019 19:09:44 GMT</pubDate>
      <guid>https://community.qlik.com/t5/Catalog-and-Lineage/AD-user-accounts-not-displaying-in-Qlik-Data-Catalyst-Security/m-p/1646994#M137</guid>
      <dc:creator>steffan_holmquist</dc:creator>
      <dc:date>2019-11-14T19:09:44Z</dc:date>
    </item>
    <item>
      <title>Re: AD user accounts not displaying in Qlik Data Catalyst Security module</title>
      <link>https://community.qlik.com/t5/Catalog-and-Lineage/AD-user-accounts-not-displaying-in-Qlik-Data-Catalyst-Security/m-p/1647047#M139</link>
      <description>&lt;P&gt;&lt;FONT color="#0000FF"&gt;My entire Authentication section is commented out with the exception of one line.&amp;nbsp; Excerpt below:&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT color="#808080"&gt;&amp;nbsp; &amp;nbsp; # Kerberos realm / Active Directory domain name. This is appended to the username entered into&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT color="#808080"&gt;&amp;nbsp; &amp;nbsp; # the login page. For legacy reasons, it is the same name as the Java system property above.&lt;/FONT&gt;&lt;BR /&gt;&lt;STRONG&gt;&amp;nbsp; &amp;nbsp; java.security.krb5.realm=TOYSTORY.REALM&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT color="#808080"&gt;&amp;nbsp; &amp;nbsp; # See the following for more information:&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT color="#808080"&gt;&amp;nbsp; &amp;nbsp; # &lt;A href="https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html" target="_blank" rel="noopener"&gt;https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html&lt;/A&gt;&lt;/FONT&gt;&lt;/P&gt;&lt;P&gt;&lt;FONT color="#808080"&gt;&amp;nbsp; &amp;nbsp; # Regular exp&lt;/FONT&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 14 Nov 2019 19:08:05 GMT</pubDate>
      <guid>https://community.qlik.com/t5/Catalog-and-Lineage/AD-user-accounts-not-displaying-in-Qlik-Data-Catalyst-Security/m-p/1647047#M139</guid>
      <dc:creator>steffan_holmquist</dc:creator>
      <dc:date>2019-11-14T19:08:05Z</dc:date>
    </item>
    <item>
      <title>Re: AD user accounts not displaying in Qlik Data Catalyst Security module</title>
      <link>https://community.qlik.com/t5/Catalog-and-Lineage/AD-user-accounts-not-displaying-in-Qlik-Data-Catalyst-Security/m-p/1775321#M549</link>
      <description>&lt;P&gt;&lt;SPAN&gt;Hi Steffan,&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Please show me the output of the following "cat" command:&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;(root) cat /etc/krb5.conf&lt;BR /&gt;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;Thank you.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Marco&lt;/P&gt;</description>
      <pubDate>Mon, 18 Jan 2021 15:26:36 GMT</pubDate>
      <guid>https://community.qlik.com/t5/Catalog-and-Lineage/AD-user-accounts-not-displaying-in-Qlik-Data-Catalyst-Security/m-p/1775321#M549</guid>
      <dc:creator>makunii</dc:creator>
      <dc:date>2021-01-18T15:26:36Z</dc:date>
    </item>
  </channel>
</rss>

