Qlik Community

Qlik Sense Deployment & Management

Discussion board where members learn more about Qlik Sense Installation, Deployment and Management.

Announcements
Coming your way, the Qlik Data Revolution Virtual Summit. October 27-29. REGISTER
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Partner
Partner

Multiple LDAP servers

Hi!

Now, who can help me with this challenge?

Setup

We have one Qlik Sense (Nov 2017) server, but have users in two different AD-servers.

  • AD-1\UserA
  • AD-2\UserB


The Qlik server belongs to the AD-1 domain, but is set up with 2 User Directory Connectors:

  • LDAP://domain1.com, username1, password1
  • LDAP://domain2.com, username2, password2

Currently, none of them have any LDAP filters, so we get all the users in both directories.

Both are running (we have traced the network traffic) and they are both importing users, which we can see in QMC under Users:

  • User Ada     AD-1     userA    Inactive=No    Blocked=No     Removed externally=No
  • User Bob     AD-2     userB    Inactive=No    Blocked=No     Removed externally=No

Logging in

When User Ada goes to https://qlik.company.com/, she gets redirected to https://qlik.company.com:4244/windows_authentication/?targetId=....and gets the popup login box. Ada can log in by using both 'userA' and 'AD-1\UserA'.

When User Bob goes to the same address: https://qlik.company.com/, he too gets redirected to https://qlik.company.com:4244/windows_authentication/?... and gets the password box.


But when entering a user and password, the login box just reappears.



To verify, we have cross-checked where the user is sitting when logging in, with what domain he/she is using:

          Logging from a PC in:

Logging in as:

Domain 1Domain 2
AD-1\UserAWorksWorks
AD-2\UserBDoesn't workDoesn't work

LDAP verification

Using powershell ´System.DirectoryServicees.Protocols.LdapConnection.Bind´ on the Qlik Sense server, I have tested users and passwords.

Both users return success, so I cannot see that there is any network, firewall etc issues.

Qlik Sense and multiple LDAP servers

Can Qlik Sense have more than one LDAP server?

Where do I look? I cannot find any traces of UserB in any logfiles.

2 Replies
Highlighted
Partner
Partner

I have tried changing 'Windows authentication pattern' from 'Windows' to 'webforms'.

Then I get the following in the log files. It sort of reports 'wrong password', but I am using the same passwords that works when testing the password by powershell. So I believe this is a false error message. Sense is checking the wrong LDAP controller?

Anyone know how I can check this?



Audit\QLIK_AuditSecurity_Proxy.txt

ProductVersion11.28.4.0
Timestamp20180928T151051.938+0200
HostnameQLIK
Idbdf90a0d-0515-4cc7-944e-a28b6f609459
DescriptionCommand=Login;Result=403;ResultText=Error: Access Denied
ProxySessionId0
ProxyPackageId0
RequestSequenceId0
UserDirectoryINTERNAL
UserIdsa_proxy
ObjectId0
ObjectNameNot available
SecurityClassSecurity
ClientHostAddressNot available
ServiceProxy
OriginNot available
ContextNot available
CommandLogin:TryLogin
Result403
MessageLogin failed for user 'AD-2\userb' wrong credentials?
Checksum8138b5be236446cab5a21c20515d94980799a9b4


System\QLIK_Service_Proxy.txt

ProductVersion11.28.4.0
Timestamp20180928T151051.939+0200
SeverityWARN
HostnameQLIK
Id4c678dba-f2ed-4ebb-9ea4-147e4f1a8789
DescriptionCommand=Login;Result=403;ResultText=Error: Access Denied. 'TryLogin'
ProxySessionId0
ProxyPackageId0
RequestSequenceId0
UserDirectoryINTERNAL
UserIdsa_proxy
ObjectId0
ObjectNameNot available
ServiceProxy
OriginNot available
ContextNot available
CommandLogin
Result403
MessageLogin failed for user 'AD-2\userb' wrong credentials?
Id24c678dba-f2ed-4ebb-9ea4-147e4f1a8789





Trace\QLIK_Audit_Proxy.txt

Timestamp20180928T151051.940+0200
LevelWARN
HostnameQLIK
LoggerAudit.Proxy.Proxy.DefaultModules.Authentication.FormAuthenticationRequestHandler
Thread63
Id908011f7-5216-4c46-a06c-05266309692d
ServiceUserAD-1\svc_qlik
MessageLogin: failed.
ProxySessionId0
ConnectionIdConnectionId
ActiveUserDirectoryAD-2
ActiveUserIduserb
TicketId-
IpAddress-
AppId-
TargetHost-
VirtualProxy-
Checksumea7520116fc6b03d4e49cf73eeb46ae00f92deb4


Highlighted
Contributor III
Contributor III

Hi, we have a similar set up. We are encountering an issue creating a data connection from the service account (Domanin A) to a directory that is on Domain B. have you encountered this problem and overcome it?
Thanks