Dirk_Janknecht
Partner - Contributor

Section Access / Strict Exclusion Issues, ConnectToLoaded: TryDinamicRD. AS(5). Strict(1). Access(2). errId(-3)

Hi,

we are trying to set up QlikView Server 12.50.20300 with Web Ticket Integration and Section Access in "Strict Exclusion" mode.

The issue is that we always get the Section Access authentication dialog, in combination with errors in the Windows event log and QlikView Audit log, as long as "Strict Exclusion" is enabled. We need this option to prevent unauthorized data access.


Errors:

500     Warning        Server - ConnectToLoaded: TryDinamicRD. AS(5). Strict(1). Access(2). errId(3). 4b61113b-f27a-4646-9037-1b3c82d03a8c

500     Warning        Document Load: The document D:/Insight/Distribute/SDEVKO91/RAPID03_VT/TestSectionAccess.qvw failed to load because of no access [5].            4b61113b-f27a-4646-9037-1b3c82d03a8c

A test document was set up as documented in https://community.qlik.com/t5/Support-Knowledge-Base/Section-Access-Best-Practice-Guidance/ta-p/1712...

The document is attached, but here is the script:

drop Tables;

LogInInfo:
LOAD * INLINE [
ACCESS,USERID, PASSWORD, NTNAME, REDUCTIONFIELD
ADMIN,ADMIN, ADMIN, *, P1
ADMIN,ADMIN, ADMIN, *, P2
'USER',*,*, DJA,P1
'USER',*,*, UPPERCASE,P1
'USER',*,*, UPPERCASE,P2
'USER',*,*, AND,P2
];

Section Access;

SectionAccessData:
Load * resident LogInInfo;

SectionAccessData:
LOAD * INLINE [
ACCESS, USERID, PASSWORD, NTNAME, REDUCTIONFIELD
ADMIN, RELOAD, RELOAD, *,''];

Section Application;

drop table LogInInfo;

Data:
LOAD * INLINE [
Id,REDUCTIONFIELD, Text
1,'P1','REDUCTION P1'
2,'P2', 'REDUCTION P2'
3,'P1','REDUCTION P1'
4,'P2','REDUCTION P2'
5,'P3','REDUCTION P3'
];

SectionAccessInfo:
load * resident SectionAccessData;

The document is reloaded with the checkbox "Section Access" enabled; a special "RELOAD" user does the reloads, as mentioned in the "Best Practices Guidance".


The document can be opened on the server (in QlikView Desktop) with User admin / pwd admin without any issues.


Opening the document via Web Ticket leads to the errors described above.

URL to open is, for example:

http://127.0.0.1/QvAJAXZfc/Authenticate.aspx?type=html&webticket=ayonQqohdqxANbhCuAj2JEQb6MshDmrT4Kd...

When disabling "Strict Exclusion", the document can be opened.

A textbox set to the formula "=OSuser( )" then shows the username which was used to get the web ticket - for example username "DJA".


So it seems like the authentication (meaning NTNAME is set by the web ticket API) is working fine.

What makes me wonder, and maybe is one of the reasons for the problems: Why is no data shown, although the user DJA should be able to see all "P1" data? It seems like the data is "pre" reduced, but no reduction is configured at server level.

Any idea what is going wrong? Any idea how to find additional logs?

Thanks and regards,

Dirk

 

2 Solutions

Accepted Solutions
marcus_sommer

I have never used Web Ticket authentication and therefore can't say much about how it differs from the classical NT authentication or the custom user authentication defined in the QMC. Nevertheless, I noticed the following.

You are applying a section access user + password within the QMC. Just try it without any settings here - for me it worked fine without them. I don't know for what reason they are there - maybe loop and reduce with the Publisher; otherwise I'm out of ideas for it.

The other point is that you define user + password and NTNAME within the section access. This means two different authentications are included here, and both must be fulfilled, because all defined methods are in AND mode and not in an OR condition. If your Web Ticket authentication is really unique for a user, you don't need user + password within the section access. Therefore just remove them and try it again.

- Marcus


Dirk_Janknecht
Partner - Contributor
Author

Hi Marcus, 

thanks for your reply. It's finally working now!

  1. It really seems like user + password and NTNAME cannot be mixed. I removed user+password, that helps. Web ticket authentication "impersonates" the user, so that NTNAME is filled with the user which created the web ticket.
  2. As I need a username that is included in the section access table for later reloads, I defined a special "ReloadUser" in a config file which can be changed to the Windows service account that performs the reloads.
  3. The section access user + password in QMC is needed in the case that the Windows service account that performs the reloads does not have sufficient rights within section access. When not providing any user here, QMC (or let's better say the distribution service) uses the Windows account. Therefore I introduced the "ReloadUser".

Thanks &  regards,

Dirk
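
The fix described in this reply, sketched as an added example (not the poster's actual script): a Section Access table keyed on NTNAME only, plus a row for the reload account. The variable vReloadUser and the account name are hypothetical placeholders; the users and reduction values are taken from the test script in the question.

```qlik
// Added example. vReloadUser is a hypothetical variable; in the setup described
// above it would come from a config file. The account name is a constructed
// placeholder for the Windows service account that performs the reloads.
SET vReloadUser = 'EXAMPLEDOMAIN\SVC_QVRELOAD';

Section Access;

// No USERID / PASSWORD columns: the web ticket supplies the identity as NTNAME,
// so NTNAME is the only credential a row has to match.
SectionAccessData:
LOAD * INLINE [
ACCESS, NTNAME, REDUCTIONFIELD
USER, DJA, P1
USER, UPPERCASE, P1
USER, UPPERCASE, P2
USER, AND, P2
ADMIN, $(vReloadUser), *
];
// In a reduction field, * stands for every value listed in this table (P1, P2),
// not for every value present in the data, so P3 is not covered by it.

Section Application;

// The reduction field name and its values are upper case on both sides,
// matching the way Section Access data is stored.
Data:
LOAD * INLINE [
Id, REDUCTIONFIELD, Text
1, P1, REDUCTION P1
2, P2, REDUCTION P2
3, P1, REDUCTION P1
4, P2, REDUCTION P2
5, P3, REDUCTION P3
];
```

With "Strict Exclusion" enabled, a USER row whose reduction value has no match in the data is denied access, so every value in REDUCTIONFIELD above should exist in the Data table before the document is published.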
