Unlock a world of possibilities! Login now and discover the exclusive benefits awaiting you.
Aug 28, 2024 7:40:09 AM
Oct 5, 2012 5:02:46 AM
Authentication between web clients and QlikView Webserver will by default be performed using NTLM.
To allow Kerberos authentication between clients and the web server, the authentication scheme for QlikView Webserver must be changed. In addition, required Service Principal Names (SPNs) must be registered on the service account running QlikView Webserver.
Kerberos is not supported for the QlikView Management Console
<HttpAuthentication url="/QvAJAXZfc/Authenticate.aspx" scheme="NTLM" />After:
<HttpAuthentication url="/QvAJAXZfc/Authenticate.aspx" scheme="Negotiate" />
The following will require appropriate permissions in Active Directory to add Service Principal Names on the account running QlikView Webserver.
A Service Principal Name may be registered using the following command:
setspn -A http/HOST serviceaccount
Where:
Note: If running Windows Server 2008, Windows Server 2008 R2 or Windows Server 2012 it is recommended to instead use the following syntax:
setspn -U -S http/HOST serviceaccount
For more information see: http://technet.microsoft.com/en-us/library/cc731241.aspx
Two Service Principal Names must be registered on the service account, one using the NETBIOS name of the computer hosting QlikView Webserver and one using the Fully Qualified Name of the server.
In this example the NETBIOS name of the server hosting QlikView Webserver is "qvs1", the Fully Qualified Name is "qvs1.companyx.local" and the account used by QlikView Webserver is "COMPANYX\qvssvc".
setspn -A "http/qvs1" "COMPANYX\qvssvc"
setspn -A "http/qvs1.companyx.local" "COMPANYX\qvssvc"
Windows Server 2008 / R2 and Windows Server 2012
setspn -U -S "http/qvs1 COMPANYX\qvssvc"
setspn -U -S "http/qvs1.companyx.local" "COMPANYX\qvssvc"
Restart the QlikView Webserver after successfully registering the Service Principal Names
For more information about Service Principal Names see: http://technet.microsoft.com/en-us/library/cc961723.aspx
Thank you for this technote. With you suggestions we were able to update our Qlikview environment to use Kerberos.
But as soon as we update something through the maintenance page, the config.xml gets overwritten . And since there is no Negotiate/Kerberos option available in the maintenance page, the manually changed Negotiate option in the config.xml is lost.
Do you have any suggestions on how to by-pass this behavior?