Good morning, all. I have spent this entire morning (and last Friday day) attempting to get a QV Install using Active Directory to allow access to users.
Originally the configuration was for local users on the QVServer to have access to the QVSystem. Any user on the local system was granted access to the access point. We have since switched gears as the application that we administer has a built-in ability to reset/sync AD passwords, which would SSO our app and QlikView. Since our app can talk to AD, we want to integrate this Active Directory account into the QlikView system.
So far, I have configured the QVAdmin side to use the Active Directory and LDAP DSC. I can query users in AD using the Users portion of the admin console. The problem we are having is that these accounts are not allowed to log in to the access point. We are prompted with the user/password field; however, no combination of FQDN\UserName or UserName and Password will work. I do NOT, however, see any place in the Admin Console to delegate rights out. I have read something in the "help docs" about a "Section Access" tab under users but DO NOT have this button, only users. Is something missing here?
What step am I skipping here? There has to be some group or setting that points to AD and says "YES ALLOW THESE GUYS ACCESS". I have added the TEST account I am using to the local users group on the server; this doesn't allow access. I DO have an Admin AD account that IS working; however, I cannot determine what is allowing it to get access. I have configured this test user account exactly the same as the WORKING AD Account, yet the mirrored account does get access. I am thinking something is specifically set up on the QVM Access console.
My settings INI shows "UseDomainAccount=1" in the QlikView ProgramData folder.
If I create ANY local account on the QVServer, that account will be granted access to log in via the AP. By default, these new accounts only get the local "Users" group from the server. I have added my Active Directory "test account" to that group, still no access.
- I can confirm I am talking to AD; I can see groups and users when I hit the "Users" tab in the QVAdmin console and query *.
- I can log in with local users (to the qvserver), not AD.
- I attempted to map a CAL to a user from AD using the System --> Licenses --> CAL options to add a user from AD. Still no access granted.
- I have tweaked some configs to point at the LDAP://ou=,dc= and this is now pulling in users that show "DSP1\Username" as well as "DomainName\UserName". This is a new issue since I removed the hostname from the LDAP connection string.
There has to be a switch I am missing that will allow the AD access, any suggestions? Clues? Is this done in the QVAdmin console or do I need to create a group in AP under this specific locale that the LDAP connection string points to?
Please help us, we have spent 12+ man hours on configuring this install.
I assume the Server is a member of your AD - yes. This is added to the domain, however since this is a "multi domain" setup, the computer object is not located in this particular OU's computer (container). For example, domain top level --> environments --> wfec is where we are pointing the QVS to. The computer objects live in Top Level --> Computers --> Servers
The Group Domain Users should (automatically) have been added to the local Users group. This is already done. Screenshot attached
Are you able to assign CALs to your domain users ? I believe so... Screenshot attached
Are you running QVWS or IIS ? QVWS
In case of QVWS, could you share the settings of your QVWS settings (General and authentication): Screenshot attached
Also want to add that I am not mapping any CALs when adding a local user to the server but they still are granted login rights.
The problem looks like Seth added domain groups\users to 'local users groups'.
Assigning security through 'LOCAL GROUPS' doesn't work in a distributed QlikView environment. QlikView recommends not using local groups for assigning permissions. You have a few options here: adding users individually, or through Domain groups, or setting to 'All Authenticated users'. These are done through Console>Task settings.