peterwh
Creator II

Problem with kerberos authentication

Hello,

I've tried to activate Kerberos in our QlikView environment. I used this documentation: https://community.qlik.com/t5/Official-Support-Articles/Kerberos-support-using-QlikView-Webserver/ta... 

I changed the config.xml and "setspn" was executed. But if I try to open the AccessPoint, I get "Login failed". I've used Edge and Firefox, and both show the same error message.

Does anyone have an idea what could be wrong? Which log files could be relevant (unfortunately I didn't find one that shows me more details)?

I know my question is very unspecific, but I haven't found a starting point yet for further investigation.

Our servers are Windows 2016 and we're using QlikView May 2023SR1.

Kind regards

Peter

Chip_Matejowsky
Support

Hi @peterwh,

See if you can reproduce the issue while recording a .HAR file, as described in the article "Save network web traffic (HAR/XML file) and console logs from the browser's developer tools". It may help in determining what the issue is.

Best Regards 

Principal Technical Support Engineer with Qlik Support
peterwh
Creator II
Author

Hello,

thanks for your answer. Due to my current workload I couldn't test it. If I have new insights I will post them.

Kind regards

Peter

peterwh
Creator II
Author

Hello, 

sorry for the late response, but now I've had the chance to investigate my problem further. This is what I've found:

We have three (legacy) domains which trust each other. There is a fourth domain which doesn't have a full trust. Which trust exactly, I don't know.

The four domains are configured in DSC via "Active Directory" and "LDAP://<domain>". 

If I use NTLM, users from every domain can log on to the AccessPoint and use QlikView dashboards.

If I switch to "Negotiate", only users from the three "legacy" domains can log on successfully. The users of the fourth domain get "Login failed". 

Does anyone have a clue what the problem could be and how to solve it?

Kind regards

Peter

Chip_Matejowsky
Support

Hi @peterwh,

I believe a domain trust with the fourth domain would be a requirement. Have a look at the following articles:

Best Regards

Principal Technical Support Engineer with Qlik Support
peterwh
Creator II
Author

Hello @Chip_Matejowsky,

I will ask the IT department which trust relationship exists between the "legacy" domains and the new domains. 

But why is everything working as expected if I use NTLM and not if I use "Negotiate"? That's the point I don't understand. All four domains are configured within the DSC config (see attached screenshot). The ones without a password are the "legacy" domains, the last one is the new domain.

I forgot to mention we use QlikView May 2024SR1.

Kind regards

Peter

peterwh
Creator II
Author

Hello @Chip_Matejowsky,

I talked to our IT department and they said there is a "selective" trust between the domains. So not all users or services can communicate. 

They modified a configuration so that our service user has the right to use Kerberos, and now I can access the QVWebserver from all four domains.

Thank you for your time investment.

Kind regards

Peter
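
The checks this thread ended up needing (SPN registration, a trust with selective authentication, and whether a service ticket can be obtained), collected as an added example that is not from the posters or from Qlik. The host name and service account are placeholders, and it assumes the RSAT ActiveDirectory module is installed where the trust check runs.

```powershell
# Added example. Host and account names are placeholders, not values from the thread.
param(
    [string]$WebServerFqdn  = 'qvweb.example.internal',  # hypothetical QVWS host name
    [string]$ServiceAccount = 'EXAMPLE\svc-qlikview'     # hypothetical QVWS service account
)
$spn = "HTTP/$WebServerFqdn"

function Test-QvwsSpn {
    # Negotiate can only yield Kerberos if the HTTP SPN resolves to exactly one
    # account, and that account is the one running the web server service.
    Write-Host "== Accounts holding $spn =="
    setspn -Q $spn
    Write-Host "== SPNs registered on $ServiceAccount =="
    setspn -L $ServiceAccount
}

function Get-SelectiveTrust {
    # Run in the domain that hosts the QlikView server.
    # Returns the trusts that have selective authentication enabled; on such a
    # trust, accounts from the other domain may authenticate only where allowed.
    Import-Module ActiveDirectory -ErrorAction Stop
    Get-ADTrust -Filter * |
        Where-Object { $_.SelectiveAuthentication } |
        Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication
}

function Test-ServiceTicket {
    # Run as an affected user on a client in the domain that gets "Login failed".
    # klist asks the KDC for a ticket for the SPN and prints the ticket or the error.
    Write-Host "== Requesting a service ticket for $spn =="
    klist get $spn
}

Test-QvwsSpn
$selective = @(Get-SelectiveTrust)
if ($selective.Count -gt 0) {
    Write-Warning 'Selective authentication is enabled on these trusts:'
    $selective | Format-Table -AutoSize
} else {
    Write-Host 'No trust with selective authentication found.'
}
Test-ServiceTicket
```

Run the SPN and trust checks from a machine in the server's domain, and the ticket request from a client in the affected domain; the two results together show whether the failure is on the registration side or the trust side.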