Hi,
We're trying to authenticate users through the ticket API and we're getting a 403 Forbidden error. I'm really not sure where exactly the issue might be, whether it's caused by Qlik not finding the user or something else.
Where can I find more information on how to fix this issue?
Here's the POST we're sending (redacted the private information).
POST https://***:4243/qps/tst/ticket?Xrfkey=0123456789abcdef
HEADERS:
X-Qlik-Xrfkey: 0123456789abcdef
Content-Type: application/json
BODY:
{
  "UserDirectory": "MyDirectory",
  "UserId": "myUser",
  "CertificateLocation": 2,
  "CertificateName": "***",
  "TargetId": "6ee5fc59-8a92-481a-8108-0a4748a281a8",
  "Attributes": []
}
Here's the response we're getting.
The remote server returned an error: (403) Forbidden.
OK, so I figured out what was going on after 2 days of research. I'll give here how I managed to figure out the issue and fix it.
So, first thing: the error was returned by the call to the HttpWebRequest's GetRequestStream() method. It was therefore not really linked to an issue with Qlik but to an ASP.NET issue.
I've activated the logging for System.Net by adding this configuration to the web.config of my web app.
<system.diagnostics>
  <trace autoflush="true" />
  <sources>
    <source name="System.Net">
      <listeners>
        <add name="System.Net" />
      </listeners>
    </source>
    <source name="System.Net.Sockets">
      <listeners>
        <add name="System.Net" />
      </listeners>
    </source>
    <source name="System.Net.Cache">
      <listeners>
        <add name="System.Net" />
      </listeners>
    </source>
  </sources>
  <sharedListeners>
    <add
      name="System.Net"
      type="System.Diagnostics.TextWriterTraceListener"
      initializeData="System.Net.trace.log"
    />
  </sharedListeners>
  <switches>
    <add name="System.Net" value="Verbose" />
    <add name="System.Net.Sockets" value="Verbose" />
    <add name="System.Net.Cache" value="Verbose" />
  </switches>
</system.diagnostics>
This allowed me to get the real underlying issue, which was: AcquireCredentialsHandle() failed with error 0X8009030D
After a little bit of Googling, I figured out that the issue was that the application pool in which my web app was running didn't have access to the private key of the QlikClient certificate. This is quite easy to fix.
First, you need to get to the certificate store.
Then, right-click the QlikClient certificate in the certificate store and choose "All tasks -> Manage private keys".
You should have a "Windows" permission showing; you need to add the user that is running your application pool. So if your application pool is called "TestAppPool", you should add the user "IIS AppPool\TestAppPool". You can give this user only "Read" permissions and it should work.
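A scripted equivalent of the "Manage private keys" step described above, as an added example that is not part of the original post: it locates the key file behind the certificate and grants the application pool identity Read only. The LocalMachine\My store, the subject match on QlikClient and the key-file directories are assumptions; run it from an elevated PowerShell session.

```powershell
# Added example. Assumptions: certificate lives in LocalMachine\My and its
# subject contains "QlikClient"; the app pool name comes from the post above.
$storePath = 'Cert:\LocalMachine\My'
$identity  = 'IIS AppPool\TestAppPool'

$cert = Get-ChildItem -Path $storePath |
    Where-Object { $_.Subject -like '*QlikClient*' -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw "No QlikClient certificate with a private key in $storePath" }

# Resolve the on-disk key container name for both CNG and legacy CSP keys.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyFile = $rsa.Key.UniqueName
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keyFile = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
} else {
    throw "Unsupported private key type: $($rsa.GetType().FullName)"
}

# Machine keys are stored under one of these directories depending on the provider.
$keyPath = @(
    "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\$keyFile",
    "$env:ProgramData\Microsoft\Crypto\Keys\$keyFile"
) | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $keyPath) { throw "Private key file '$keyFile' not found" }

# Grant Read only: the worker process needs to use the key, not manage it.
$acl  = Get-Acl -LiteralPath $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $keyPath -AclObject $acl

# Show the resulting ACL so the change can be reviewed.
(Get-Acl -LiteralPath $keyPath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

Reviewing the printed ACL afterwards also shows whether any other identity holds more than Read on the key.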
CertificateLocation and CertificateName in the body are not needed.
Are you signing your request with the exported certificates from Qlik Sense?
The 403 indicates that your request is not allowed; the user does not have to exist in Sense. Since you sign the request with the export certificates from Qlik Sense, we will trust you and create whatever user you send in.
Hi Alexander,
Thanks for your help. I indeed was confused by what certificate to use to create the connection. I managed to go past the first error, but now get another error:
The request was aborted: Could not create SSL/TLS secure channel.
It's probably still linked to that certificate issue. Here's what I did to create and configure the certificate:
I'm then using this open source project GitHub - braathen/qlik-auth-net: ASP.NET module for simplifying custom authentication with Qlik Sens... to test. It seems to correctly sign the request using the client certificate, so I'm not really sure why I get the error message.
Could it be a configuration issue on Qlik's side?
Thanks
Sorry, I didn't answer you directly. Could you check my other message in the thread?