Re: Migration issue, QSEoW to new machine - Qlik Community

henrikalmen · ‎2024-03-07

I'm migrating Qlik Sense Enterprise on Windows version February 24 (no patch) to a new machine, following the instructions in Migrate Qlik Sense Enterprise Like a Boss. The new installation, with restored repository from the backed up original machine, at first seemed to be running fine, but when trying to use - or create - a data connection from the script editor a problem occurs.

I am browsing locally on the server to the machine name authenticated using a virtual proxy with "Windows" authentication, and the user is RootAdmin and has a Professional license assigned. When I try to open or create a data connection, the data connection window opens but there's a document symbol with a sad figure in it, and a text claiming that "idp.[domain] refused to connect". Data connections of the types "folder" or "web file" are fine, but no other data connection types are working. The error shows up immediately.

That idp-domain exists and is used when authenticating with another virtual proxy with SAML authentication, but not the virtual proxy I'm using.

If I authenticate using SAML/SSO, I can use and create data connections. But on my original server that I migrated from, I can use and create data connections also when I'm authenticated through a VP with the "windows" method. I should be able to do that on the new machine as well.

Something is not right and I don't really know what to do. Could it be some issue with certificates? Or something in the repository database? Everything else seems to be working fine.

henrikalmen · ‎2024-03-07

Also, for the data connectors that I actually can use with saml login, the stored passwords are not working anymore. I have read that it is because of certificates, but I also read somewhere that if I import a certificate that was correctly exported from the previous environment, the new machine should be able to use the stored passwords (i.e. decrypt the passwords stored in the repository) - but which of the certificates, and where should it be placed? I find the certificates somewhat hard to fully understand.

shaun_lombard · ‎2024-03-07

If you know the passwords for the data connections then it may be easier to just re-enter them for each of the connections. First set the password to a semi-colon ; and apply and then set to the actual password and it will be re-encrypted using the current certificate.

henrikalmen · ‎2024-03-07

I should probably have posted the part about data connection passwords as a separate topic. I will do that and let this thread concentrate on my main issue with data connections not functioning as they should.

shaun_lombard · ‎2024-03-07

When I migrated SAML auth environments to a new machine running August 2022, the only issue I had was having to exchange the idp metadata again. I opted not to copy the certificates from the old machine and instead reset the passwords on the data connections.

henrikalmen · ‎2024-03-07

I have deleted all qlik-related certificates and recreated them, by instructions in the article How to recreate or just delete certificates in Qlik Sense - No access to QMC or Hub. I still have the same issue as I described.

henrikalmen · ‎2024-03-07

In the web developer console, this error message is registered when I try to use a data connection.

But I don't understand why the idp-domain is requested at all. In the original environment, it is not. These are the requests made according to the networking tab in the web inspector:

So apparently /customdata/64/QvRestConnector/web/standalone/select-dialog.html is requested but it redirects with status "302 Authenticate at this location" to the saml/sso authentication. WHY?? The virtual proxy I'm using shouldn't be aware of a saml authentication method.

henrikalmen · ‎2024-03-07

I'm trying to find something in the log files; in \Log\Proxy\Trace\[servername]_System_proxy.txt this seems to appear when the error is triggered, but on the other hand the SSPI call failure in the log is a known issue so I don't really believe I've found the problem here:

Failed to authenticate stream as Server: An unknown error occurred while processing the certificate↵↓A call to SSPI failed, see inner exception.

Above happened because: An unknown error occurred while processing the certificate

Unanticipated System.Security.Authentication.AuthenticationException occurred accepting client, disposing connection attempt: An unknown error occurred while processing the certificate↵↓A call to SSPI failed, see inner exception.

henrikalmen · ‎2024-03-07

I found logging for QvRestConnector and increased logging level to ALL (also tried DEBUG) but it doesn't really say anything that I find useful. I also see that other connectors that do the same strange call to saml is for example QvWebConnectorPackage and QvOdbcConnectorPackage.

I guess I'm gonna have to file a support case. I'll wait until tomorrow and see if somebody has suggested something in the morgning (it's the middle of the now where I am located).

henrikalmen · ‎2024-03-08

I was wrong to believe that connections worked with the windows authentication VP on the old server before migration. I actually have the same phenomenon there. Not sure though if it is due to the upgrade to Qlik S§ense February 2024 or if we would have experienced this before, if only we have tried it. But I still think it's strange. Why won't data connections work unless I sign in with SSO? Why do the connectors want to authenticate against sso when I am not logged in that way?

Migration issue, QSEoW to new machine

Client Managed