Hey @girard_ben, 4242 is used to access the QRS API endpoints from behind the proxy in the trusted zone and this call requires client and server cert authentication.
Instead, when you are not specifing the port, this means that you are accessing QRS APIs using virtual proxy. Pointing to https://dlvxsense.delvaux.com/qrs/about means that you are using default virtual proxy (you can see default VP configuration in QMC). When you use a VP you must authenticate against the VP it self, based on the auth method set in VP.
Error during stream authentication as Server Authentication failed because the remote party has closed the transport stream. at System.Net.Security.SslState.InternalEndProcessAuthentication(LazyAsyncResult lazyResult)↵↓ at System.Net.Security.SslState.EndProcessAuthentication(IAsyncResult result)↵↓ at Qlik.Sense.Communication.Communication.Tcp.StreamFactory.<>c__DisplayClass10_1.<Negotiate>b__2(IAsyncResult result)
Getting that authentication flow working with all the headers and cookies and whatnot is kind of tricky. But that error message seems to indicate that you are using .NET, and if that is the case, then this library might be of interest to you:
Hello, I believe your client is not supporting the Negotiate HTTP authentication scheme and/or the NTLM HTTP authentication scheme (https://www.rfc-editor.org/rfc/rfc4559.html)
I would try to share a tcpdump (or equivalent) of the client for the all HTTP session - I think this might help having a more detailed overview and figure out who is misbehaving.
big thanks for all your support, really appreciate. I explain a little bit more the context
we are using an external tool to run qlik sense reload "qliksensetask", and for some reason we received now a "not authorized" error ... I want to know what is blocking/ changed
error: The remote server returned an error: (401) Unauthorized."
check that the Proxy and QRS are running. Message: Unauthorized:
at QVnextDemoBuilder.QRSNTLMWebClient..ctor(String QRSserverURL, Int32 requesttimeout, Logger logger)
at QlikSenseJSONObjects.QlikSenseJSONHelper..ctor(String url, Int32 timeout, Logger logger)
at QlikSenseTask.Program.Main(String[] args)"
2024_09_26_12_09_28,Information,"Returning Errorlevel 8"
> the external tool uses NTLM auth. so I try to debug the root cause by doing myself a standard call with Insomnia for security issue, we can't use Postman.. ) so maybe this client did not manage well this protocol (as suspected by @Anonymous )
The only changed we did it's to add a new certificate on the Qlik Sense server , and added its thumbprint on the QS proxy.
The data you provided is still not enough, we really need the whole HTTP session; anyway, this weekend I will try to take a look into the code you shared even if I'm definitely not a .NET developer.
Hello @girard_ben , looks like the tool supports both NTLM and KERBEROS, as it relays over WebClient.
In your first 401 error the WWW-Authenticate is set to Negotiate, which indicate that a KERBEROS auth challenge is requested by the server.
In the second message (spoiler) , you posted a transport stream error, which can be connected to a certificate authentication error.
You can use both authentication methods, but each one is located in a different layer: certificate authentication is a presentarion layer mechanism and KERBEROS or NTLM are implemented in the HTTP layer.
Whats your error here? I believe we really need a more detailed trace of the whole HTTP session.
> I'm not an expert about HTTP request , if you have a tools to monitor HTTP requests from the server QLikView let me know.
> on our hand, we change a little bit the way to proceed , we remove the qliksensetask from our scripts > now we use a python script and we do the auth. with the certificate by calling the endpoint on the port 4242
