azimuthbrett
Partner - Contributor II

Configure User Directory to Azure LDAP

We've set up Qlik Sense on a server, and are experimenting with trying to configure it to connect to Azure Active Directory. We followed all of the instructions in the Azure article "Configure Secure LDAP for an Azure AD Domain Services Managed Domain" (Configure Secure LDAP (LDAPS) in Azure AD Domain Services | Microsoft Azure). We've got an AD setup on Azure, and we created a wildcard certificate with a Certificate Authority (GoDaddy). So with a domain for the company of 'example.com', the wildcard cert is '*.example.com'. We exported this certificate from the Qlik Sense server per the instructions in the Azure article, loaded it into the Domain Services configuration panel on Azure, and received an IP address for LDAPS.

We then configured a DNS A record so that the subdomain ('ldap.example.com') points to this IP address. When we run a scan on the IP and the DNS alias at MXtoolbox.com we get a valid scan showing the IP address is there, with only port 443 open (https).

Now over to Sense: in the QMC -> User Directory Connector, we can't manage to figure out how to connect to the LDAP server. Do we need to set up a virtual proxy to bind the certificate?

Typical log entries:

41	20160922T064554.973-0700	INFO	demoqlik	UserManagement.Repository.Repository.Users.Factories.UserDirectoryFactory	107	09c1532a-ef60-429b-a182-e9c6cc279af1	NT AUTHORITY\SYSTEM	Looking up RootDSE: LDAP://ldap.example.com:443/RootDSE	09c1532a-ef60-429b-a182-e9c6cc279af1
42	20160922T064555.038-0700	ERROR	demoqlik	UserManagement.Repository.Repository.Users.Factories.UserDirectoryFactory	107	c7e246ce-b5a1-411e-a895-6673bda08f91	NT AUTHORITY\SYSTEM	Fetching directoryentry LDAP://ldap.example.com:443/RootDSE failed: The directory service is unavailable.	c7e246ce-b5a1-411e-a895-6673bda08f91
43	20160922T064555.038-0700	ERROR	demoqlik	UserManagement.Repository.Repository.Users.Factories.UserDirectoryFactory	107	ac0c1648-b9d9-4174-8020-8cc654beaf1d	NT AUTHORITY\SYSTEM	Exception while initializing ldap://ldap.example.com:443: Setting up connection to LDAP root node failed. Check log file.	ac0c1648-b9d9-4174-8020-8cc654beaf1d
44	20160922T064555.038-0700	WARN	demoqlik	UserManagement.Repository.Repository.Users.Factories.UserDirectoryFactory	107	414351f5-62d9-4f41-bd8c-bffd56948887	NT AUTHORITY\SYSTEM	Setup of ActiveDirectory UDC not successful: Setting up connection to LDAP root node failed. Check log file.	414351f5-62d9-4f41-bd8c-bffd56948887
45	20160922T064555.038-0700	WARN	demoqlik	UserManagement.Repository.Repository.Users.Factories.UserDirectoryFactory	33	ffc751e2-16d6-4fb0-bd5d-dbf01404171c	NT AUTHORITY\SYSTEM	Setting up UDC of type Repository.UserDirectoryConnectors.LDAP.ActiveDirectory unsuccessful	Setting up connection to LDAP root node failed. Check log file.
Server stack trace:
   at Repository.UserDirectoryConnectors.LDAP.LDAPRoot.FindEntry(String path, GenericLDAP ldap)
   at Repository.UserDirectoryConnectors.LDAP.ActiveDirectory.FindRoot()
   at Repository.UserDirectoryConnectors.LDAP.GenericLDAP.Setup(Logger logger)
   at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Object[]& outArgs)
   at System.Runtime.Remoting.Messaging.StackBuilderSink.AsyncProcessMessage(IMessage msg, IMessageSink replySink)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.EndInvokeHelper(Message reqMsg, Boolean bProxyCase)
   at System.Func`1.EndInvoke(IAsyncResult result)
   at Repository.Users.SafeUserDirectoryConnector.CallWithTimeout(Func`1 func, TimeSpan timeout)
   at Repository.Users.SafeUserDirectoryConnector.Setup(Logger logger)
   at Repository.Users.Factories.UserDirectoryFactory.TrySetupUserDirectory(UserDirectory userDirectory)	ffc751e2-16d6-4fb0-bd5d-dbf01404171c

Confused, would appreciate any assistance or ideas. Thank you!
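
A pre-flight check for the connection path and wildcard certificate described in the post above, as an added example that is not part of the original thread and not Qlik or Microsoft code. The function names are hypothetical, and the port list (LDAPS on TCP 636) is standard protocol knowledge rather than something stated in the thread.

```python
import re
import socket
import ssl

# Registered directory ports: LDAP, LDAPS, Global Catalog, Global Catalog over TLS.
DIRECTORY_PORTS = {389, 636, 3268, 3269}
PATH_RE = re.compile(r"(?i)\b(ldaps?)://([^\s:/]+)(?::(\d+))?")

def wildcard_covers(pattern, host):
    """RFC 6125 style match: '*' stands for exactly one left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return (p[0] == "*" or p[0] == h[0]) and p[1:] == h[1:]

def review_udc_path(path, cert_name):
    """Return a list of findings for a UDC path such as LDAP://host:port."""
    m = PATH_RE.search(path)
    if not m:
        return ["no LDAP URL found"]
    scheme, host, port = m.group(1).lower(), m.group(2), m.group(3)
    # No explicit port: fall back to the scheme's default.
    port = int(port) if port else (636 if scheme == "ldaps" else 389)
    findings = []
    if port not in DIRECTORY_PORTS:
        findings.append(f"port {port} is not a directory port; LDAPS listens on 636")
    if not wildcard_covers(cert_name, host):
        findings.append(f"certificate {cert_name} does not cover {host}")
    return findings

def probe_tls(host, port=636, timeout=5):
    """Live check (needs network): TLS handshake with chain and hostname
    verification. Returns the negotiated TLS version; raises on any failure."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()

# Constructed sample: the connection path as it appears in the log lines above.
SAMPLE = "Looking up RootDSE: LDAP://ldap.example.com:443/RootDSE"

if __name__ == "__main__":
    for finding in review_udc_path(SAMPLE, "*.example.com"):
        print(finding)
```

`probe_tls` is the only part that touches the network; run it from the Qlik Sense server so the result reflects that machine's trust store and firewall path.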

6 Replies
Anonymous
Not applicable

Hello Brett, I'm adding one of our experts ext_kea‌ Kate Healy to this thread so she can assist.

Best, Sara

joan_marty
Partner - Contributor II

Hi, I'm also running this kind of activity at the moment, trying to integrate AZURE AD with Qlik Sense to get SSO and other things linked to this.

I'm still in progress but I can already give you this link, which shows how to declare Qlik Sense Server in Azure

https://azure.microsoft.comen-usdocumentationarticlesactive-directory-saas-qliksense-enterprise-tuto...

Maybe it can help you a bit

azimuthbrett
Partner - Contributor II
Author

Thanks Joan. Looks like the URL you posted has some missing backslashes...I was getting an error page. For anyone else that attempts, this one should work:

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-qliksense-enterprise-t...

If it doesn't I found the doc by going to azure.microsoft.com and searching "Qlik Sense".

It's been several months since we attempted setting this up so I can't recall all of the details. I can say that we went through every step in that same tutorial. The problem (as I recall) is that it sets you up to access Sense from the Azure portal - i.e. users are logged into Azure and have a Sense app they can click on to get to the dashboards. Not what we wanted.

What we wanted was to enable SSO. So a user with valid AD credentials managed via a cloud-based AD setup on Azure would provide their company credentials when logging into sense (e.g. on a company domain such as https://dashboards.example.com). We wanted Sense to be able to authenticate the user directly by reference to the remote AD. We were never able to figure it out.

joan_marty
Partner - Contributor II

Tutorial: Azure Active Directory integration with Qlik Sense Enterprise | Microsoft Docs

It should be better with this one. The slashes were removed from the previous link I provided, I don't know why.

joan_marty
Partner - Contributor II

Effectively, in such a case, wanting to propagate SSO, the only option we found internally is to synchronize Azure AD with a local AD in the domain.

We have not yet found any other possibility to do it differently.

Joan Marty


thomaslg_wq
Creator III

Finally:

If anyone wants to create an Azure AD UDC: here attached is the "Generic LDAP UDC configuration".

So, you just have to change the User-Directory-Attribute "User identification" to "Person" and that's it

Resolution Ldap Azure.png