Kerberos support using QlikView Webserver

Sonja_Bauernfeind — Wed, 28 Aug 2024 11:40:09 GMT

Authentication between web clients and QlikView Webserver will by default be performed using NTLM.

To allow Kerberos authentication between clients and the web server, the authentication scheme for QlikView Webserver must be changed. In addition, required Service Principal Names (SPNs) must be registered on the service account running QlikView Webserver.

Kerberos is not supported for the QlikView Management Console

Environment

QlikView

Resolution

Changing authentication scheme for QlikView Webserver

Locate the file config.xml in %ProgramData%\QlikTech\WebServer
Open config.xml for edit
Locate the HttpAuthentication section for the file Authenticate.aspx in config.xml

Change the scheme from "NTLM" to "Negotiate"

Before:

<HttpAuthentication url="/QvAJAXZfc/Authenticate.aspx" scheme="NTLM" />

After:

<HttpAuthentication url="/QvAJAXZfc/Authenticate.aspx" scheme="Negotiate" />

Save the config.xml file

Register Service Principal Names on service account running QlikView Webserver

The following will require appropriate permissions in Active Directory to add Service Principal Names on the account running QlikView Webserver.

A Service Principal Name may be registered using the following command:

setspn -A http/HOST serviceaccount

Where:

HOST is the name of the server hosting the QlikView Webserver
serviceaccount is the account running the QlikView Webserver

Note: If running Windows Server 2008, Windows Server 2008 R2 or Windows Server 2012 it is recommended to instead use the following syntax:

setspn -U -S http/HOST serviceaccount

For more information see: http://technet.microsoft.com/en-us/library/cc731241.aspx

Two Service Principal Names must be registered on the service account, one using the NETBIOS name of the computer hosting QlikView Webserver and one using the Fully Qualified Name of the server.

In this example the NETBIOS name of the server hosting QlikView Webserver is "qvs1", the Fully Qualified Name is "qvs1.companyx.local" and the account used by QlikView Webserver is "COMPANYX\qvssvc".

Open a command prompt with administrative privileges and type

Windows Server 2003
setspn -A "http/qvs1" "COMPANYX\qvssvc" setspn -A "http/qvs1.companyx.local" "COMPANYX\qvssvc"

Windows Server 2008 / R2 and Windows Server 2012
setspn -U -S "http/qvs1 COMPANYX\qvssvc" setspn -U -S "http/qvs1.companyx.local" "COMPANYX\qvssvc"
Restart the QlikView Webserver after successfully registering the Service Principal Names

For more information about Service Principal Names see: http://technet.microsoft.com/en-us/library/cc961723.aspx

Re: Kerberos support using QlikView Webserver

Wilmar — Mon, 19 Feb 2024 17:25:28 GMT

Hi @Sonja_Bauernfeind,

Thank you for this technote. With you suggestions we were able to update our Qlikview environment to use Kerberos.

But as soon as we update something through the maintenance page, the config.xml gets overwritten . And since there is no Negotiate/Kerberos option available in the maintenance page, the manually changed Negotiate option in the config.xml is lost.

Do you have any suggestions on how to by-pass this behavior?

Re: Kerberos support using QlikView Webserver

Sonja_Bauernfeind — Tue, 20 Feb 2024 13:04:13 GMT

Hello @Wilmar

I am not aware of a method to bypass this. I would recommend logging a case (though I think this will likely end as an idea that should be posted in our ideas section).

All the best,
Sonja

article Kerberos support using QlikView Webserver in Official Support Articles

Kerberos support using QlikView Webserver

Environment

Resolution

Changing authentication scheme for QlikView Webserver

Register Service Principal Names on service account running QlikView Webserver

Re: Kerberos support using QlikView Webserver

Re: Kerberos support using QlikView Webserver