Hi,
We have recently set up a second domain and we are trying to set up our QlikView configuration to grant users in this domain access to our reports. In the management console I have edited the DSC to include the second Active Directory path, and that has allowed us to assign licenses to these users.
However, despite this, users from that domain cannot see any reports when they browse to the Access Point page. It loads up fine but there are no visible reports. I've been trying to look around for a solution to this but have not had any luck so far. Can anyone help point me in the right direction?
Thanks
We are using Publisher, yeah. I'll make the change and see if it works.
I've just had a look into the events log file on the server and found the following error appearing when we tried to access it using the other domain user:
Error | SE_LOG: User - GetStringS: Failed to LookupAccountName2 without using DCName. GLE(1788) |
I tried to look this up on the web but couldn't find anything about it.
Are the users actually authenticated on the access point?
Do you see "Welcome, theirname" at the right top corner?
Also, if you check the permissions on the user document, can you see that the users should have access to it?
Consider that QlikView doesn't do AD authentication. Windows does.
So, when adding an additional domain you need to make sure that the Windows server is able to recognize the users from the other domain (domain trust).
More details here.
What you likely need to do here, if you have an SSO frontend that can handle the authentication piece properly, is, on our side, put the QVS service into DMS security mode instead of NTFS. I believe you should likely be able to configure a DSC DSP to get to the other directory; you may have to specify a specific account to read from it depending upon trust relationship etc., but if you can then read, that will allow you to choose users/groups from both domains at that point, and all QVS will be checking for is whether we have a match to a name or group when it gets it from the web server. Most of the time the web server is using Header Auth setup in these cases. Hopefully this may help a little, but to Daniele's point, if the web server is set to use NTLM, then you would have to have trusts in place between the domains such that the web server would be able to process authentication requests for either domain. Hopefully this makes a little sense.
Regards,
Brett
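
Added example (not part of the thread and not Qlik code): a PowerShell check to run on the QlikView server that decodes the GLE(1788) value from the log line above and tests whether Windows can resolve accounts from each domain to a SID, which is what the domain-trust point comes down to. The account names are constructed placeholders and the function name Test-AccountLookup is hypothetical.

```powershell
# Added example. Run on the QlikView server, ideally as the QVS service account.
# The account names are constructed placeholders; replace them with real ones.
param(
    [string[]]$Accounts = @('DOMAIN1\someuser', 'DOMAIN2\someuser')
)

# Decode the GetLastError value from the event log line, GLE(1788).
# 1788 is ERROR_TRUSTED_DOMAIN_FAILURE in the Win32 error table.
$gle = 1788
$msg = (New-Object System.ComponentModel.Win32Exception $gle).Message
Write-Output "GLE($gle): $msg"

function Test-AccountLookup {
    param([Parameter(Mandatory = $true)][string]$Account)
    # NTAccount.Translate asks Windows for a name-to-SID lookup, like the
    # lookup the log reports as failing.
    try {
        $nt  = New-Object System.Security.Principal.NTAccount $Account
        $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier])
        New-Object psobject -Property @{
            Account = $Account; Resolved = $true; Detail = $sid.Value
        }
    }
    catch {
        # Unmapped names and trust or connectivity failures both land here;
        # the base exception message says which one it was.
        New-Object psobject -Property @{
            Account  = $Account
            Resolved = $false
            Detail   = $_.Exception.GetBaseException().Message
        }
    }
}

$Accounts |
    ForEach-Object { Test-AccountLookup -Account $_ } |
    Format-Table Account, Resolved, Detail -AutoSize

# List the domain trusts this server's domain knows about.
nltest /domain_trusts
```

If the second-domain account shows Resolved = False here, the Access Point will not be able to match that user to document permissions under NTFS security mode either, whatever the DSC shows.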