Qlik Community

QlikView Documents

Documents for QlikView related information.

Coming your way, the Qlik Data Revolution Virtual Summit. October 27-29. REGISTER

An introduction to QlikView Security using Web Tickets


An introduction to QlikView Security using Web Tickets

QlikView provides a range of features to allow users to login and view documents using Single Sign On with a range of different technologies. A high level document detailing all of the various security options in QlikView can be found here this article covers the “Web Ticketing” approach and provides an example to get started from.

This document is intended for QlikView professionals and requires some understanding of security technologies and a small amount of programming and web technologies.

So what is a Web Ticket and when would I use one? 

At a high level a QlikView Ticket is a way to seamlessly transfer the identity of a user from one system into QlikView.  This however can be useful approach in a number of scenarios so lets look at where you could use it.

Please note: Web Ticket was added to QlikView in version 11, an older version of a similar method was available prior to this but carried a number of limitations. From this point forward we will focus on QlikView 11 and Web Ticket.

          Scenario 1 – im already logged into a portal or website and now want to use QlikView

Let’s say you are logged into your company’s in-house built sales portal, when you logged in your gave this portal your user ID and password and the portal checked these against a database to be validated. Once logged in it creates a session for you and lets you look at all the pages you are permitted to.   This application now trusts who you are.

Now your company has added QlikView and they want users to be able to navigate between content on the portal server and content on the QlikView server but they want it to be seamless and you shouldn’t need to log in again, only the applications know nothing about each other and QlikView doesnt know about the database with user IDs in.

QlikView needs a way to trust the users session from portal when being passed over.  Using a the QlikView web ticket mechanism it is possible to set up a hand shake between the portal and QlikView so the portal can securely transfer a users session over.  QlikView has established a trust between itself and the Portal application to be able to identify the user when they browse to QlikView content.

          Scenario 2 – QlikView used in isolation, users stored in a database or LDAP

Lets assume we have list of user IDs and passwords held in a database or LDAP directory. QlikView doesn’t provide a “custom” login page that can handle the authentication of these users.

In this scenario a login page can be build which handles the user authentication part and then uses the Web Ticket mechanism to pass that user identitity into QlikView.  In this case QlikView has still set up a Trust with an application, as in the above case, only here that application is just a single web page.

          Other Scenarios

     There are a range of other scenarios where this approach could be used such as those listed below. Of course there is more than one way of           achieving security integration and using Web Ticket is just one method of achieving them:

      • Login with Group information/SAML – Web Ticket allows you to not only send the username but the membership of groups too.  This can make administration of what the user can subsequently see much easier
      • Login from dozens of online systems – eg Login with your Facebook ID, Google account, Salesforce.com account.  If you do not wish to hold any user credentials for QlikView you could rely on online sources for identity also

How does Web Ticket work

Below are the steps that typically occur when using ticketing, sometimes there can be more or less steps depending on the scenario.

    1. A new login page is created and its first task is to obtain the Identify of the user
      • If the page is being added to a web Portal or application this can easily get the current user ID from their active session
      • If the page is standalone it might provide a form to enter a user id and password and validate them first (this is the example provided below)
      • In either case a range of technologies could be used to do this.
    2. QlikView is set up so that it trusts this login page to pass over validated users (see below for options)
    3. The login page now makes a request to QlikView which says “I have a user I Trust called FRED, can I have a ticket for him”
    4. QlikView returns a ticket to the login page which takes the form of a long string and internally records the user that is represented by that ticket
    5. The login page now builds a URL to the QlikView server address adding the ticket into the URL, the user is then redirected to that URL
    6. When the user hits the QlikView server, it extracts the ticket checks its list of approved tickets and if its valid, the user is then sucessfully logged into QlikView as FRED

A couple of notes on web tickets

    1. A ticket once created it valid for 2 minutes, if it is not used in that time is destroyed
    2. Once a ticket is used to establish a session it cannot be used again.  Within that session a user can open several documents
    3. A web ticket can be used to open a single document or the QlikView Access Point
    4. Web Tickets can be used with features such as Clustering and Document chaining
    5. For information QlikView 10 and prior ticketing had the following limitations that are NOT present when using Web Ticket.
      1. Could only open one document, and could not use the Access Point
      2. Could not use clustering
      3. Could not support document chaining

How to implement Security using Web Tickets

To use web tickets there are two area that need to be address The Code in your login page and the Server Configuration.

The configuration of QlikView:

    • First of all, while not mandatory it can be easier to use IIS for the QlikView Web Server when working with ticketing. It may be required to host your login page anyway.
    • QlikView needs to be an Enterprise Edition Licence
    • QlikView needs to be running in DMS mode for security (see manual)
    • The QlikView web site in IIS needs to be set up to use Anonymous permissions – it will be expecting windows permissions by default – specifically it is the QVAJAXZFC directory that needs its permission changing.
    • QlikView needs to trust the code asking for the ticket.  There is a web page within the QlikView web server called GetWebTicket.aspx which handles requests for tickets, this will only return a ticket to a trusted user/process and this is identified using one of two options
      • Option 1 – use windows permissions
        • The code or process asking for a ticket needs to run as or provide a windows user identity. The user ID must be a member of the QlikView Administrators windows group on the QlikView server.
        • As the GetWebTicket page runs under the QVAJAXZFC directory on the web server and one of the above steps made the directory work with Anonymous users – for this page only – enable windows authentication in IIS
        • Now the Login page must authenticate itself when requesting a ticket as a windows user and that user must be a QlikView Administrator. In the attached example the login is hardcoded, however this could be configured in other ways
      • Option 2 – use an IP address white list
        • For some code technologies NTLM is not available or it may just not be appropriate to use it. For these scenarios a “white list” of approved IP addresses can be used rather than a named user.  Using this approach the GetWebTicket page will only return a ticket to code running from a specific IP address
        • To configure this option:
          • Open the web server config file from C:\ProgramData\QlikTech\WebServer\config.xml
          • Locate the line  <GetWebTicket url="/QvAjaxZfc/GetWebTicket.aspx" />
          • Replace it with the following specifying the IP address(s) of the web server(s) running the code

<GetWebTicket url="/QvAjaxZfc/GetWebTicket.aspx">



          • Save and restart the web server

The Code & Example:

The function to request a ticket is a fairly simple HTTP post command which returns a ticket as a string, this method can be used by a wide range of technologies.  The examples provided here use asp.net but it can easily be adapted for PHP, Java and others.

In its raw form the HTTP Post entry to the getwebticket.aspx page on the QlikView server looks like this:

     <Global method="GetWebTicket">





The response containing the ticket should look like this:   <Global><_retval_>ABC123XYZ567FGH456</_retval_></Global>

The above raw commands need to be embedded into the code for the login form, the attached example is intended to be a basic demonstration of how to use these commands using asp.net.  The example provides no actual logic to authenticate the user against anything but provides the framework to add it in.   The example takes the form of a simple login page asking for a user ID, password and optional groups, for cases where you already have the identity of the user then the UI from the example could be removed to give a seamless login from one system to another.

The first part of the example is the login form, this is just a simple form with three boxes.


Once the login button is clicked there is a Login function that is called.  This function in the example does nothing and always says the user is valid: here you would need to provide code to suit your environment, the example just trusts the entry automatically.

                loginOK = ValidateUser(username, password);

Following user validation the next function makes the HTTP post to request a web ticket.  The code requires the input of the URL of the QlikView server and in this case embeds a userid and password which has permissions to ask for a ticket (see notes on setting up QV trusts).

  ticket = getTicket(username, groups, ticketinguser, ticketingpassword);

Once the ticket irs retuned a URL is build and the user is redirected to either the access point or to a single document.



You should now be redirected to the QlikView AccessPoint and be logged in at the user specified in the form and see the documents that user is permitted to see.


This is a basic example of how to using the web ticket function.  I have written comments into the code example so that you may be able to follow through what is happening. I have also left the example as a single aspx file so you can edit it and use it with Notepad rather than visual studio.

I hope it is helpful in building you own login pages to QlikView using Web Ticket!!

Labels (2)
Not applicable

how the section acces of a QV document would look like in case I use this ticketing method?


Not applicable


We're having Qlikview Small Business server installed (11 SR1). Does this mean we cannot use the web ticket approach?

Are there than alternative for embedding qlikview document in portal?


Master II
Master II

That's right, ticketing is only available in Enterprise Edition Server as DMS mode is required.

Not applicable

Thanks Joe for the great article! I test successfully using this sample webticket code. However there is still 1 thing concerns me is that if I enter an invalid username in the form, I still be able to get a ticket and access to the accesspoint. I am very appreciate for any idea regarding this issue.

Thanks again!


In this case there is no such thing as an invalid user from a QlikView perspective.  QlikView is delegating the trust of identifying the user to a 3rd party application. In the example provided that trusted application is just a basic web page where you can type the name of user in - this is done purely for simplicity of the example.

In a real implementation of this the 3rd party app is something real like a web portal or login page.  If you dont have that and just want a secure login page for QlikView you can extend this example to put a basic login functionality on where it takes a user and password and validates its. If memory serves i think i even left a code line in there saying "here is where you validate the user" where you could place some code.

Not applicable

It is worth noting to use the functionality above, you need to deploy QlikView Enterprise Edition QlikView Server, This type of authentication will not work with Small Business Edition QlikView Server.

Thanks Steve

Not applicable

How this would be implemented on java based web applications?

We are using custom directory service connector.


I tried to work out the sample given. Made all configurations as in the tutorial. Still We are getting "invalid call" response for the request. What could be wrong? Also, the Group list xml is not used in the request xml. What is the group name? is it required param for the request? how to use it

Thanks for the help



Not applicable

Hi Joe,

I tried this approach , when i am using web ticketing i am getting a popup asking windows user credentials.

Can you please suggest how to avoid this.

Thanks in Advance

Abhishek Neti


Thank you Joe for sharing this nicely written article. This is very useful for beginner like me.

Previously I have successfully implemented this. However, there was a change of server and everything needs to be set up again. On my second attempt, the web ticket does not work anymore. Firstly, I have to use the white list IP address in the config file as mentioned in the 2nd option. Otherwise, the QlikView Web Server will always return empty ticket value. (The first option does not seem to work anymore.) Even with the white list IP address, QlikView is using Session CAL instead of names user to grant the ticket. Due to this session CAL, multiple user cannot login and view the various QVW at the same time. May I know if I have done anything wrong with the configuration that could lead to such problem?

The server is using IIS7 for QV web server.

Thank you in advance.

Version history
Revision #:
1 of 1
Last update:
‎2012-11-05 12:24 PM
Updated by: