We have an SSO solution to qlikview 11 but are having problems setting it up correctly. We are using IIS.
I get
"Failed to open document. You don't have access to this document"
when trying to access a document through the browser.
I'm using DMS with named users. It works if I set Authorization to 'All Users' or 'All authenticated users' on the user document so I believe the problem has to do with the named users.
We're using a module registered with the QlikView server IIS to set the header
QVUSER: CUSTOM\siteuser14
before redirecting from Authenticate.aspx to (example):
/qvajaxzfc/opendoc.htm?document=/path/customerId/documentName.qvw
When I look at the sessions log for the qlikview server I have lines that look like this:
Exe Type Exe Version Server Started Timestamp Document Document Timestamp QlikView User Exit Reason Session Start Session Duration CPU spent (s) Bytes Received Bytes Sent Calls Selections Authenticated user Identifying user Client machine identification Serial number Client Type Client Build Version Secure Protocol Tunnel Protocol Server Port Client Address Client Port Cal Type Cal Usage Count
RLS64 11.00.11149.0409.10 2011-11-28 04:13:16 2011-11-28 10:07:26 c:\qlikviewreports\14\report_courseelement-activity.qvw 2011-11-28 09:43:52 Socket closed by client 2011-11-28 09:28:17 00:39:09 0.000 9352 1219099 32 1 CUSTOM\ CUSTOM\ b7cb8733-85c9-456a-8ac1-1b3c07faa392 Ajax QvIIS 11.0.11149.0 IR browser.gecko 8 On 4747 127.0.0.1 51491 Named User
Notice that the authenticated user and identifying user seem to be "CUSTOM\", i.e. that the actual user name seems to be missing. (If I understand it correctly it should be CUSTOM\siteuser14 in my case.)
Here is an excerpt from the QlikView Events log after a restart of the service and trying to load a document:
2011-11-28 14:25:35 2011-11-28 14:25:36 4 700 Information Mount: Found Mount at location C:\ProgramData\QlikTech\Documents browsable
2011-11-28 14:25:35 2011-11-28 14:25:36 4 700 Information Mount: Found Mount CustRep at location C:\QlikViewReports browsable
2011-11-28 14:25:35 2011-11-28 14:25:59 4 700 Information Ticket created: Ticket for CUSTOM\.
2011-11-28 14:25:35 2011-11-28 14:25:59 4 700 Information Mount: Found Mount at location C:\ProgramData\QlikTech\Documents browsable
2011-11-28 14:25:35 2011-11-28 14:25:59 4 700 Information Mount: Found Mount CustRep at location C:\QlikViewReports browsable
2011-11-28 14:25:35 2011-11-28 14:25:59 4 700 Information Ticket Lookup: Ticket E7C1D700882F41EEDFB6271F26A091496131A734 was found.
2011-11-28 14:25:35 2011-11-28 14:25:59 4 700 Information Document Open: Open document: User has no access to document custrep/14/report_courseelement-activity.qvw
2011-11-28 14:25:35 2011-11-28 14:25:59 2 500 Warning Document Load: The document C:\QLIKVIEWREPORTS\14\report_courseelement-activity.qvw failed to load because of no file access [19].
2011-11-28 14:25:35 2011-11-28 14:36:46 4 700 Information Ticket created: Ticket for CUSTOM\.
2011-11-28 14:25:35 2011-11-28 14:36:47 4 700 Information Ticket Lookup: Ticket CE09803F2EC1481D9CB92081288F47966669BFFC was found.
2011-11-28 14:25:35 2011-11-28 14:36:47 4 700 Information Document Open: Open document: User has no access to document custrep/14/report_courseelement-activity.qvw
2011-11-28 14:25:35 2011-11-28 14:36:47 2 500 Warning Document Load: The document C:\QLIKVIEWREPORTS\14\report_courseelement-activity.qvw failed to load because of no file access [19].
I'm rather new to qlikview so it might be something simple that I've missed.
It seems something was changed in the way QlikView authenticates. Our IIS module sets the QVUSER header for Authenticate.aspx only, which works fine in QV10, but in QV11 we also need to set it for /QvAjaxZfc/QvsViewClient.aspx . This solved our problem.
I hope this can help someone else.
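As an added example (not part of the original posts and not Qlik code), this Python check scans Events-log text for the symptom in the excerpt above: a ticket issued for a prefix-only identity such as `CUSTOM\`, followed by a document-access denial. The sample lines are constructed from that excerpt; the ticket id is a placeholder and the format of the healthy `CUSTOM\siteuser14` line is an assumption.

```python
import re

# Constructed sample modeled on the Events log excerpt in the post.
# The ticket id is a placeholder; the last line (a healthy ticket) is an assumed format.
SAMPLE_EVENTS = r"""
2011-11-28 14:25:35 2011-11-28 14:25:59 4 700 Information Ticket created: Ticket for CUSTOM\.
2011-11-28 14:25:35 2011-11-28 14:25:59 4 700 Information Ticket Lookup: Ticket 0000000000000000000000000000000000000000 was found.
2011-11-28 14:25:35 2011-11-28 14:25:59 4 700 Information Document Open: Open document: User has no access to document custrep/14/report_courseelement-activity.qvw
2011-11-28 14:25:35 2011-11-28 14:40:02 4 700 Information Ticket created: Ticket for CUSTOM\siteuser14.
"""

# Two timestamps (server start, event time), two numeric columns, level, message.
LINE = re.compile(
    r"^(?P<started>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+"
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+"
    r"\d+\s+\d+\s+(?P<level>\w+)\s+(?P<msg>.*)$"
)
TICKET = re.compile(r"^Ticket created: Ticket for (?P<ident>.*)\.$")
DENIED = re.compile(
    r"^Document Open: Open document: User has no access to document (?P<doc>.+)$"
)

def find_empty_identity_tickets(log_text):
    """Return one finding per ticket whose identity has no user name after the
    prefix, paired with the next access denial in the log, if any."""
    findings = []
    pending = None  # last flagged ticket still waiting for a denial line
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m["msg"].strip()
        t = TICKET.match(msg)
        if t:
            ident = t["ident"]
            user_part = ident.rpartition("\\")[2]  # text after the last backslash
            if user_part.strip():
                pending = None  # identity carries a user name: healthy ticket
            else:
                pending = {"time": m["ts"], "identity": ident,
                           "denied_document": None}
                findings.append(pending)
            continue
        d = DENIED.match(msg)
        if d and pending is not None:
            pending["denied_document"] = d["doc"]
            pending = None
    return findings

if __name__ == "__main__":
    for finding in find_empty_identity_tickets(SAMPLE_EVENTS):
        print(finding)
```

A finding here means the QVUSER value never reached the request that created the ticket, which is the condition the reply above resolved by also setting the header for /QvAjaxZfc/QvsViewClient.aspx.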
Hi kschmidt,
I am currently facing the same issue with QV11.
However, I can't understand your tip above.
What does it mean to set the QVUSER header for /QvAjaxZfc/QvsViewClient.aspx?
In QV10, I followed the document "QlikView 10 Accesspoint SSO.pdf" and it worked fine.
And at that time I didn't set anything for Authenticate.aspx. The only things I needed were registering the ISAPI filter in IIS and the authentication setup in QEMC.
Please, let me know your detailed implementation.
Thanks in advance.
Kind regards,
Steve.
Hi Steve.
What does your ISAPI filter do?
Regards
Kristian Schmidt
Hi Kristian,
My filter just checks QvCookie and writes the QVUSER header.
How about yours?
Thanks for your concern.
Kind Regards,
Steve Kang.
We have an HTTP module which intercepts calls to Authenticate.aspx and QvsViewClient.aspx and checks that the user has a session and that a QlikView header exists; otherwise it will be set.
If the user does not have a session it tries to authenticate the user based on signed request parameters. It then redirects the user to the requested document.
The QVUSER header is used by QlikView to check access to documents.
Thanks for your kind explanation.
I got an idea from your information.
Hi kschmidt,
I have configured a QlikView IIS server (QlikView 11 SR2 build 11440) and am looking to configure SSO on it.
But I can't find the QVAuth.dll file to add as an ISAPI filter. And can you please explain what you mean by HTTP module?
We've created our own HTTP module for IIS which does what I explained above.
To use SSO I believe you need to develop something similar first.
Hi Kschmidt,
I am trying to configure DMS on well Set up QlikView IIS Server.
The steps I tried are as follows:
1. I invoke Qlikview Management Console
2. System > Setup > QlikView Server > Security
Authentication :
prohibit anonymous
Anonymous Account
On Local Computer
Authorization
DMS authorization(QlikView Control file Access)
Miscellaneous
Allow macro execution on server
Compress Network Traffic
Allow Extension
3. System > Setup > QlikView Server > Qlikview Web Server
Authentication
Always
Type
Custom User
parameters :
prefix : CUSTOM\
Login Address
Default login page(browser authentication)
4. System > Setup > QlikView Server > Directory Service Connectors > DSC@qvs > Custom Directory
General
Path : Custom UserName : Admin Password : qvadmin port : 4735
Users
Custom User
click on + sign and add 3 users with same password : qvadmin
Custom User Group
Group Name : developer
And named users 2 from the above created users.
I even restarted the QlikView services (5 of the 6).
We have 6 servers because I am using Qlikview IIS server.
Only Qlikview Web Server is down.
5. I try to invoke AccessPoint and it pops up a login dialog box.
I try to log in with
User Name : CUSTOM\irf
Password : qvadmin
The dialog box disappears for a few seconds and appears again with the username and password in their associated text boxes.
I am expecting assistance to sort the above scenario.
Thanks
Irfan Ghori