Not applicable

Using DMS, Active Directory groups are not working

Hey all,

Using DMS, Active Directory groups are not working.

I have QlikView 9 version 9.00.7320.7 (which was installed from the SR2 installer).

Yes, specifying the user exactly works but really, if I have a lot of reports and a lot of users per report, it is going to be annoying to have to manage users one at a time.

I go to the web site http://mysite/qlikview/index.htm logged in as UserA which is a member of GroupA and the report does NOT show up. It is my understanding that AD groups should work.

Steps I have done:

  1. Service is joined to MyDomain.
  2. Created a service account on the domain.

    MyDomain\serviceaccount
  3. Changed all the QlikView services to use this account.

    QlikView Directory Service Connector
    QlikView Distribution Service
    Qlikview Management Service
    QlikView Publisher Command Center Service
    QlikView WebServer
    QlikViewServer
  4. Under Enterprise Management Console | System | Command Center | Directory Service Connectors | DSC@Hostname | Active Directory | General, the path is LDAP://mydomain.com and the service account, MyDomain\serviceaccount, is used.
  5. Under Enterprise Management Console | Documents | QVS@hostname, I browse to a QlikView report and click the Authorization tab and add MyDomain\GroupA. (I have also tried just GroupA.)
  6. Tested connecting to the web site http://mysite/qlikview/index.htm as a user in GroupA and the report does not show up.

Troubleshooting

1. Went here to obtain the DSC log:

C:\Documents and Settings\All Users\Application Data\QlikTech\DirectoryServiceConnector\Log

1/15/2010 11:05:06.8737197 Information WebService call. FunctionName=GetResources Input=
1/15/2010 11:05:06.8893837 Information WebService call. FunctionName=GetResources Took=15ms Result=<GetResources><GetResourcesResult><DSResource><DSResource><Id>14120041-2d3e-404d-b1a8-70afe305ac2a</Id><Name>avctadroot (LDAP://mydomain.com)</Name><Type>ad</Type><Path>LDAP://mydomain.com</Path><Enabled>True</Enabled></DSResource></DSResource></GetResourcesResult></GetResources>
1/15/2010 11:05:33.4711917 Information Start webservice call ResolveGroups for user MYDOMAIN\USERA
1/15/2010 11:05:33.4711917 Information Resolved 0 groups for MYDOMAIN\USERA:
1/15/2010 11:06:12.6155277 Information WebService call. FunctionName=GetResources Input=
1/15/2010 11:06:12.6311917 Information WebService call. FunctionName=GetResources Took=16ms Result=<GetResources><GetResourcesResult><DSResource><DSResource><Id>14120041-2d3e-404d-b1a8-70afe305ac2a</Id><Name>avctadroot (LDAP://mydomain.com)</Name><Type>ad</Type><Path>LDAP://mydomain.com</Path><Enabled>True</Enabled></DSResource></DSResource></GetResourcesResult></GetResources>
1/15/2010 11:08:33.8734797 Information WebService call. FunctionName=GetAvailableDSProviders Input=<_password>uuiizzoo</_password>
1/15/2010 11:08:33.8734797 Information Start webservice call GetAvailableDSProviders
1/15/2010 11:08:33.8734797 Information WebService call. FunctionName=GetAvailableDSProviders Took=0ms Result=<GetAvailableDSProviders><GetAvailableDSProvidersResult><DSProvider><Type>ad</Type><Name>Active Directory</Name></DSProvider><DSProvider><Type>custom</Type><Name>Custom Directory</Name></DSProvider><DSProvider><Type>local</Type><Name>Local Directory</Name></DSProvider><DSProvider><Type>nt</Type><Name>Windows NT</Name></DSProvider></GetAvailableDSProvidersResult></GetAvailableDSProviders>
1/15/2010 11:08:33.8891437 Information WebService call. FunctionName=GetAvailableDSProviders Input=<_password>uuiizzoo</_password>
1/15/2010 11:08:33.8891437 Information Start webservice call GetAvailableDSProviders
1/15/2010 11:08:33.8891437 Information WebService call. FunctionName=GetAvailableDSProviders Took=16ms Result=<GetAvailableDSProviders><GetAvailableDSProvidersResult><DSProvider><Type>ad</Type><Name>Active Directory</Name></DSProvider><DSProvider><Type>custom</Type><Name>Custom Directory</Name></DSProvider><DSProvider><Type>local</Type><Name>Local Directory</Name></DSProvider><DSProvider><Type>nt</Type><Name>Windows NT</Name></DSProvider></GetAvailableDSProvidersResult></GetAvailableDSProviders>
1/15/2010 11:08:44.8852717 Information WebService call. FunctionName=GetResources Input=
1/15/2010 11:08:44.8852717 Information WebService call. FunctionName=GetResources Took=0ms Result=<GetResources><GetResourcesResult><DSResource><DSResource><Id>14120041-2d3e-404d-b1a8-70afe305ac2a</Id><Name>avctadroot (LDAP://mydomain.com)</Name><Type>ad</Type><Path>LDAP://mydomain.com</Path><Enabled>True</Enabled></DSResource></DSResource></GetResourcesResult></GetResources>
1/15/2010 11:08:44.8852717 Information WebService call. FunctionName=RemoveResource Input=<_id>14120041-2d3e-404d-b1a8-70afe305ac2a</_id>
1/15/2010 11:08:44.8852717 Information WebService call. FunctionName=RemoveResource Took=0ms Result=<Global method="RemoveResource" key="m+vCmuarDxaxAmtCYwyWOILnHofiQ43T"><_id>14120041-2d3e-404d-b1a8-70afe305ac2a</_id></Global>
1/15/2010 11:08:44.9009357 Information WebService call. FunctionName=SetupResource Input=<_id>53559191-eaa8-4851-ad99-b5f334d61d24</_id><_type>ad</_type><_path>LDAP://MYDOMAIN.COM</_path><_username>Mydomain\qlikview</_username><_password>qqm74OqsuXToO13KIojdmQ==</_password><_enabled>true</_enabled><_settings><StringDictionarySerializer /></_settings>
1/15/2010 11:08:44.9009357 Information Start webservice call SetupResource with path LDAP://MYDOMAIN.COM
1/15/2010 11:08:44.9009357 Information (ActiveDirectory.ActiveDirectoryProvider) Looking up RootDSE: LDAP://MYDOMAIN.COM/RootDSE
1/15/2010 11:08:44.9009357 Information (ActiveDirectory.ActiveDirectoryProvider) Looking up node: LDAP://MYDOMAIN.COM/CN=Partitions,CN=Configuration,DC=mydomain,DC=com
1/15/2010 11:08:44.9009357 Information (ActiveDirectory.ActiveDirectoryProvider) Finding nCName: DC=mydomain,DC=com
1/15/2010 11:08:44.9009357 Information (ActiveDirectory.ActiveDirectoryProvider) Searching for netbiosname...
1/15/2010 11:08:44.9009357 Information (ActiveDirectory.ActiveDirectoryProvider) Search hit: LDAP://MYDOMAIN.COM/CN=AVCTADROOT,CN=Partitions,CN=Configuration,DC=mydomain,DC=com with netbiosname avctadroot and ncname: dc=mydomain,dc=com
1/15/2010 11:08:44.9009357 Information (ActiveDirectory.ActiveDirectoryProvider) Adding netbiosname avctadroot as primary domain qualifier
1/15/2010 11:08:44.9009357 Information (ActiveDirectory.ActiveDirectoryProvider) Search hit: LDAP://MYDOMAIN.COM/CN=MYDOMAIN,CN=Partitions,CN=Configuration,DC=mydomain,DC=com with netbiosname mydomain and ncname: dc=corp,dc=mydomain,dc=com
1/15/2010 11:08:44.9009357 Information (ActiveDirectory.ActiveDirectoryProvider) Adding netbiosname mydomain as domain qualifier
1/15/2010 11:08:44.9009357 Information WebService call. FunctionName=SetupResource Took=0ms Result=<SetupResource><SetupResourceResult>avctadroot (LDAP://MYDOMAIN.COM)</SetupResourceResult></SetupResource>
1/15/2010 11:09:29.5433357 Information Start webservice call ResolveGroups for user MYDOMAIN\USERA
1/15/2010 11:09:29.5433357 Information Resolved 0 groups for MYDOMAIN\USERA:

Looks like it is resolving 0 groups for MYDOMAIN\USERA even though this user is in eight groups on the domain including the group that was added to the document.

Is there a configuration step I am missing?

Or is this a known bug?

Are there any troubleshooting steps that are missing?

Note: I wouldn't mind using active directory users one at a time if the interface wasn't so poorly designed so you can only add one user at a time. If there was a way to copy and paste a list of users, I could make do. Whoever is designing the interface for the server's management web pages is not getting the job done. Also, integration with Active Directory is probably going to be your #1 authentication mechanism and so you probably ought to get a little more testing around it and design the setup process to be easier.

1 Solution

Accepted Solutions
lhr
Employee

the DSC is using avctadroot as primary domain qualifier, which means that is what it tries to match the incoming user's qualifier to (which in your case is mydomain). this is ofc unfortunate.

try setting the ldap path to LDAP://DC=corp,DC=mydomain,DC=com instead of LDAP://mydomain.com.

there is a lot of testing done around active directory, but automagically supporting every possible single- and multi-domain setup out there is no small feat.

cheers,

lars
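
The mismatch described in the reply above can be read directly out of the DSC log. The Python sketch below is an added example, not part of the original posts and not QlikView tooling; it assumes the log wording shown in the question, and the `diagnose` function and the shortened sample lines are constructed for illustration.

```python
import re

# Constructed sample: six lines shortened from the DSC log in the question.
SAMPLE_LOG = r"""
1/15/2010 11:08:44 Information Search hit: LDAP://MYDOMAIN.COM/CN=AVCTADROOT,CN=Partitions,CN=Configuration,DC=mydomain,DC=com with netbiosname avctadroot and ncname: dc=mydomain,dc=com
1/15/2010 11:08:44 Information Adding netbiosname avctadroot as primary domain qualifier
1/15/2010 11:08:44 Information Search hit: LDAP://MYDOMAIN.COM/CN=MYDOMAIN,CN=Partitions,CN=Configuration,DC=mydomain,DC=com with netbiosname mydomain and ncname: dc=corp,dc=mydomain,dc=com
1/15/2010 11:08:44 Information Adding netbiosname mydomain as domain qualifier
1/15/2010 11:09:29 Information Start webservice call ResolveGroups for user MYDOMAIN\USERA
1/15/2010 11:09:29 Information Resolved 0 groups for MYDOMAIN\USERA:
"""

HIT = re.compile(r"with netbiosname (\S+) and ncname: (\S+)")
PRIMARY = re.compile(r"Adding netbiosname (\S+) as primary domain qualifier")
RESOLVED = re.compile(r"Resolved (\d+) groups for ([^\\\s]+)\\([^:\s]+)")


def diagnose(log_text):
    """Flag users that resolved to 0 groups while their domain qualifier
    differs from the DSC's primary domain qualifier (per the reply above)."""
    # NetBIOS name -> naming context, taken from the partition search hits.
    partitions = {nb.lower(): nc for nb, nc in HIT.findall(log_text)}
    primaries = PRIMARY.findall(log_text)
    primary = primaries[-1].lower() if primaries else None  # latest setup wins
    findings, seen = [], set()
    for count, qualifier, user in RESOLVED.findall(log_text):
        key = (qualifier.lower(), user.lower())
        if int(count) or primary is None or key[0] == primary or key in seen:
            continue
        seen.add(key)
        ncname = partitions.get(key[0])
        # Point the LDAP path at the user's own domain, as the reply suggests.
        path = "LDAP://" + re.sub(r"\bdc=", "DC=", ncname, flags=re.I) if ncname else None
        findings.append({
            "user": f"{qualifier}\\{user}",
            "primary_qualifier": primary,
            "suggested_path": path,
        })
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```
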


2 Replies

Not applicable
Author

Sorry to get back so late. But YES this resolved my issue and groups now appear to work.