Unlock a world of possibilities! Login now and discover the exclusive benefits awaiting you.
Hi,
Is there anny experience with disabling NTLM in combination with QlikView? How can we implement this correctly?
Were starting to get questions about disabling NTLM traffic due to security reasons.
There they follow the following best practices:
Here they want to put everything on "Deny All".
After doing this, the QMC seems to have trouble connecting to the QlikView Webserver (which is on a other server). It stays on disconnected in the QMC. But users are still able to login to the Access Point on this server and open QlikView documents, we also confirm this in the log.
After putting the QMC logging on Debug, we see this error:
20231102T112904.530+0100 Error System.ServiceModel.CommunicationException: ANY did not respond to request.
Last exception (for http://qlik-mfa1.ad.sgoon.nl:4750/QVWS/Service😞 The HTTP request is unauthorized with client authentication scheme 'Ntlm'. The authentication header received from the server was 'NTLM'. ---> System.ServiceModel.Security.MessageSecurityException: The HTTP request is unauthorized with client authentication scheme 'Ntlm'. The authentication header received from the server was 'NTLM'. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized. ---> System.ComponentModel.Win32Exception: The function requested is not supported || at System.Net.NTAuthentication.GetOutgoingBlob(Byte[] incomingBlob, Boolean throwOnError, SecurityStatus& statusCode) || at System.Net.NTAuthentication.GetOutgoingBlob(String incomingBlob) || at System.Net.NtlmClient.DoAuthenticate(String challenge, WebRequest webRequest, ICredentials credentials, Boolean preAuthenticate) || at System.Net.NtlmClient.Authenticate(String challenge, WebRequest webRequest, ICredentials credentials) || at System.Net.AuthenticationManagerDefault.Authenticate(String challenge, WebRequest request, ICredentials credentials) || at System.Net.AuthenticationState.AttemptAuthenticate(HttpWebRequest httpWebRequest, ICredentials authInfo) || at System.Net.HttpWebRequest.CheckResubmitForAuth() || at System.Net.HttpWebRequest.CheckResubmit(Exception& e, Boolean& disableUpload) || --- End of inner exception stack trace --- || at System.Net.HttpWebRequest.GetResponse() || at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout) || --- End of inner exception stack trace --- || || Server stack trace: || at System.ServiceModel.Channels.HttpChannelUtilities.ValidateAuthentication(HttpWebRequest request, HttpWebResponse response, WebException responseException, HttpChannelFactory`1 factory) || at System.ServiceModel.Channels.HttpChannelUtilities.ValidateRequestReplyResponse(HttpWebRequest request, HttpWebResponse response, HttpChannelFactory`1 factory, WebException responseException, ChannelBinding channelBinding) || at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout) || at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout) || at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout) || at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout) || at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation) || at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message) || || Exception rethrown at [0]: || at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) || at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) || at PIX.Services.V12.Api5.IQTService5.GetKey() || at PIX.Services.ClientSupport.ClusterBase`1.Invoke[TR](CallType callType, Func`2 func, List`1 allResults, QlikMethodBehavior methodBehavior) || --- End of inner exception stack trace --- || || Server stack trace: || at PIX.Services.ClientSupport.ClusterBase`1.Invoke[TR](CallType callType, Func`2 func, List`1 allResults, QlikMethodBehavior methodBehavior) || at PIX.Services.ClientSupport.QTClientImpl.GetKey() || at PIX.Services.ClientSupport.ServiceKeyClientMessageInspector.BeforeSendRequest(Message& request, IClientChannel channel) || at System.ServiceModel.Dispatcher.ImmutableClientRuntime.BeforeSendRequest(ProxyRpc& rpc) || at System.ServiceModel.Channels.ServiceChannel.PrepareCall(ProxyOperationRuntime operation, Boolean oneway, ProxyRpc& rpc) || at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout) || at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation) || at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message) || || Exception rethrown at [0]: || at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) || at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) || at PIX.Services.IQVWS.GetConfig() || at QMSBackendCore.Communication.WebServer.GetConfig(QvWebServiceResource qvwsResource)
20231102T112906.290+0100 Error System.ServiceModel.CommunicationException: ANY did not respond to request.
Last exception (for http://qlik-mfa1.ad.sgoon.nl:4750/QVWS/Service😞 The HTTP request is unauthorized with client authentication scheme 'Ntlm'. The authentication header received from the server was 'NTLM'. ---> System.ServiceModel.Security.MessageSecurityException: The HTTP request is unauthorized with client authentication scheme 'Ntlm'. The authentication header received from the server was 'NTLM'. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized. ---> System.ComponentModel.Win32Exception: The function requested is not supported || at System.Net.NTAuthentication.GetOutgoingBlob(Byte[] incomingBlob, Boolean throwOnError, SecurityStatus& statusCode) || at System.Net.NTAuthentication.GetOutgoingBlob(String incomingBlob) || at System.Net.NtlmClient.DoAuthenticate(String challenge, WebRequest webRequest, ICredentials credentials, Boolean preAuthenticate) || at System.Net.NtlmClient.Authenticate(String challenge, WebRequest webRequest, ICredentials credentials) || at System.Net.AuthenticationManagerDefault.Authenticate(String challenge, WebRequest request, ICredentials credentials) || at System.Net.AuthenticationState.AttemptAuthenticate(HttpWebRequest httpWebRequest, ICredentials authInfo) || at System.Net.HttpWebRequest.CheckResubmitForAuth() || at System.Net.HttpWebRequest.CheckResubmit(Exception& e, Boolean& disableUpload) || --- End of inner exception stack trace --- || at System.Net.HttpWebRequest.GetResponse() || at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout) || --- End of inner exception stack trace --- || || Server stack trace: || at System.ServiceModel.Channels.HttpChannelUtilities.ValidateAuthentication(HttpWebRequest request, HttpWebResponse response, WebException responseException, HttpChannelFactory`1 factory) || at System.ServiceModel.Channels.HttpChannelUtilities.ValidateRequestReplyResponse(HttpWebRequest request, HttpWebResponse response, HttpChannelFactory`1 factory, WebException responseException, ChannelBinding channelBinding) || at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout) || at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout) || at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout) || at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout) || at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation) || at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message) || || Exception rethrown at [0]: || at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) || at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) || at PIX.Services.V12.Api5.IQTService5.GetKey() || at PIX.Services.ClientSupport.ClusterBase`1.Invoke[TR](CallType callType, Func`2 func, List`1 allResults, QlikMethodBehavior methodBehavior) || --- End of inner exception stack trace --- || || Server stack trace: || at PIX.Services.ClientSupport.ClusterBase`1.Invoke[TR](CallType callType, Func`2 func, List`1 allResults, QlikMethodBehavior methodBehavior) || at PIX.Services.ClientSupport.QTClientImpl.GetKey() || at PIX.Services.ClientSupport.ServiceKeyClientMessageInspector.BeforeSendRequest(Message& request, IClientChannel channel) || at System.ServiceModel.Dispatcher.ImmutableClientRuntime.BeforeSendRequest(ProxyRpc& rpc) || at System.ServiceModel.Channels.ServiceChannel.PrepareCall(ProxyOperationRuntime operation, Boolean oneway, ProxyRpc& rpc) || at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout) || at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation) || at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message) || || Exception rethrown at [0]: || at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) || at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) || at PIX.Services.IQVWS.GetConfig() || at QMSBackendCore.Communication.WebServer.GetConfig(QvWebServiceResource qvwsResource)
20231102T112911.099+0100 Error System.ServiceModel.CommunicationException: ANY did not respond to request.
Last exception (for http://qlik-mfa1.ad.sgoon.nl:4750/QVWS/Service😞 The HTTP request is unauthorized with client authentication scheme 'Ntlm'. The authentication header received from the server was 'NTLM'. ---> System.ServiceModel.Security.MessageSecurityException: The HTTP request is unauthorized with client authentication scheme 'Ntlm'. The authentication header received from the server was 'NTLM'. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized. ---> System.ComponentModel.Win32Exception: The function requested is not supported || at System.Net.NTAuthentication.GetOutgoingBlob(Byte[] incomingBlob, Boolean throwOnError, SecurityStatus& statusCode) || at System.Net.NTAuthentication.GetOutgoingBlob(String incomingBlob) || at System.Net.NtlmClient.DoAuthenticate(String challenge, WebRequest webRequest, ICredentials credentials, Boolean preAuthenticate) || at System.Net.NtlmClient.Authenticate(String challenge, WebRequest webRequest, ICredentials credentials) || at System.Net.AuthenticationManagerDefault.Authenticate(String challenge, WebRequest request, ICredentials credentials) || at System.Net.AuthenticationState.AttemptAuthenticate(HttpWebRequest httpWebRequest, ICredentials authInfo) || at System.Net.HttpWebRequest.CheckResubmitForAuth() || at System.Net.HttpWebRequest.CheckResubmit(Exception& e, Boolean& disableUpload) || --- End of inner exception stack trace --- || at System.Net.HttpWebRequest.GetResponse() || at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout) || --- End of inner exception stack trace --- || || Server stack trace: || at System.ServiceModel.Channels.HttpChannelUtilities.ValidateAuthentication(HttpWebRequest request, HttpWebResponse response, WebException responseException, HttpChannelFactory`1 factory) || at System.ServiceModel.Channels.HttpChannelUtilities.ValidateRequestReplyResponse(HttpWebRequest request, HttpWebResponse response, HttpChannelFactory`1 factory, WebException responseException, ChannelBinding channelBinding) || at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout) || at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout) || at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout) || at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout) || at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation) || at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message) || || Exception rethrown at [0]: || at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) || at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) || at PIX.Services.V12.Api5.IQTService5.GetKey() || at PIX.Services.ClientSupport.ClusterBase`1.Invoke[TR](CallType callType, Func`2 func, List`1 allResults, QlikMethodBehavior methodBehavior) || --- End of inner exception stack trace --- || || Server stack trace: || at PIX.Services.ClientSupport.ClusterBase`1.Invoke[TR](CallType callType, Func`2 func, List`1 allResults, QlikMethodBehavior methodBehavior) || at PIX.Services.ClientSupport.QTClientImpl.GetKey() || at PIX.Services.ClientSupport.ServiceKeyClientMessageInspector.BeforeSendRequest(Message& request, IClientChannel channel) || at System.ServiceModel.Dispatcher.ImmutableClientRuntime.BeforeSendRequest(ProxyRpc& rpc) || at System.ServiceModel.Channels.ServiceChannel.PrepareCall(ProxyOperationRuntime operation, Boolean oneway, ProxyRpc& rpc) || at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout) || at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation) || at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message) || || Exception rethrown at [0]: || at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg) || at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type) || at PIX.Services.IQVWS.GetConfig() || at QMSBackendCore.Communication.WebServer.GetConfig(QvWebServiceResource qvwsResource)
NTLM Authentication is required for inter service communication. If it is not possible to use that, you will need to switch to certificate-based authentication instead. See https://help.qlik.com/en-US/qlikview/May2023/Subsystems/Server/Content/QV_Server/QlikView-Server/QVS... and https://help.qlik.com/en-US/qlikview/May2023/Subsystems/Server/Content/QV_Server/QlikView-Server/QVS...
NTLM Authentication is required for inter service communication. If it is not possible to use that, you will need to switch to certificate-based authentication instead. See https://help.qlik.com/en-US/qlikview/May2023/Subsystems/Server/Content/QV_Server/QlikView-Server/QVS... and https://help.qlik.com/en-US/qlikview/May2023/Subsystems/Server/Content/QV_Server/QlikView-Server/QVS...