QlikView 11.2 - Authenticate against LDAP via login form

jsn
Honored Contributor

The QlikView authentication API is designed to be used by the Authenticate.aspx web page. The web page can be customized using IIS to handle all three steps of sending, validating, and transferring a user’s credentials to the QlikView web session.

This is typically necessary when there is an existing user repository (for example, LDAP or a database), but no existing web‑based authentication server that can be used to integrate with it. In this case, the web‑based authentication system has to be created and it may be simpler to create it as part of the QV web tier, as opposed to making a separate authentication system.

This solution is also suitable in integrations with cloud-based authentication systems, where it is not possible to configure the authentication system to call the QlikView platform in a custom way (that is, using headers or WebTicket). In this scenario, the QlikView web tier has to be adapted to the requirements of the cloud system. A good example of this is salesforce.com.

The development environment for Authenticate.aspx is supplied in .NET languages.

Security

The procedure for logging in is as follows:

  1. The user logs in to IIS using any authentication system. This typically means that the user ID and password are sent to IIS, but it may also mean that the user’s fingerprint or a one‑time token from a cloud authentication provider is sent.
  2. The customized Authenticate.aspx checks the details against an external security system (for example, an LDAP server, a SAML identity provider, or salesforce.com).
  3. If successful, Authenticate.aspx transfers the user information (potentially including groups) to the QVS.

Example

Attached below is an example of a custom login form that uses a modified Authenticate.aspx page to authenticate a user against LDAP.

The DSC should be configured in QlikView Management Console to perform authorization of the user once passed to AccessPoint.

The DSC should also be able to handle the group resolution (although the Authentication API allows passing of groups to QlikView from LDAP). When using the example, take care that all the LDAP syntax is correct. The main things to check are the connection string (easy to validate via QMC or using LDAP Administrator) and the search filter used to find your user.

Note: If all your users are in the same OU you can hardcode that part and just use the username from the login form, essentially skipping the user search and just try to log in directly to the LDAP server with the user provided credentials to test the authentication. If you have users spread over OUs you'll need to look up the user to build the correct username for testing the user authentication.

I've commented up the code in the attached example for easy understanding.

Comments
Partner
Partner

Hi Johannes,

Thanks for your article.

I’m going to set up authentication of the Open LDAP users to the QV server and am trying to implement your recommendation from this article.

When I try to use your Authenticate.aspx, I receive this error message:

Compiler Error Message: CS0234: The type or namespace name 'DirectoryServices' does not exist in the namespace 'System' (are you missing an assembly reference?)

As I understand it, there should be a System.DirectoryServices.dll in the “bin” directory.

But there is no such file in C:\Program Files\QlikView\Server\QlikViewClients\QlikViewAjax\bin

Could you please attach the necessary System.DirectoryServices.dll file?


jsn
Honored Contributor

Hi Evgenij,

It sounds like you need to add a reference to DirectoryServices in your web.config file, along the lines of:

<add assembly="System.DirectoryServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>

0 Likes
Partner
Partner

Hi Johannes,

Thanks for your answer.

Could you please indicate at which line, and in exactly which web.config file (location), I should add this line?

0 Likes
jsn
Honored Contributor

Hi Evgenij,

You need a web.config file at the root of an ASP.NET web app.

Here's my sample web.config file:

<configuration>
  <appSettings/>
  <connectionStrings/>
  <system.web>
    <compilation debug="true">
      <assemblies>
        <add assembly="System.Core, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
        <add assembly="System.Data.DataSetExtensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
        <add assembly="System.Design, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
        <add assembly="System.Web.Extensions.Design, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
        <add assembly="System.Windows.Forms, Version=2.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
        <add assembly="System.DirectoryServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B03F5F7F11D50A3A"/>
        <add assembly="System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
        <add assembly="System.Web.Extensions.Design, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
        <add assembly="System.Xml.Linq, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089"/>
      </assemblies>
    </compilation>
  </system.web>
</configuration>

0 Likes
Partner
Partner

Hi Johannes,

Thanks for your reply.

Let me describe from the very beginning everything I did.

I’m trying to set up authorization of the Open LDAP users to the QlikView Server.

I’m using a QVS+IIS installation. I placed your file Authenticate.aspx in the directory C:\Program Files\QlikView\Server\QlikViewClients\QlikViewAjax and replaced web.config in the same directory with yours.

I also replaced the FormLogin.htm in the directory C:\Program Files\QlikView\Web with yours.

Now I receive the following error message:


“System.Runtime.InteropServices.COMException (0x8007203A): The server is not operational. at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) at System.DirectoryServices.DirectoryEntry.Bind() at System.DirectoryServices.DirectoryEntry.get_NativeObject() at ASP.authenticate_aspx.authUserAndGetGroups(String userid, String password) in c:\Program Files\QlikView\Server\QlikViewClients\QlikViewAjax\Authenticate.aspx:line 55”


Could you tell me, please - what am I missing?

0 Likes
jsn
Honored Contributor

Hi Evgenij,

It sounds like your setup is ok but your authentication to your LDAP fails.

Take a look inside Authenticate.aspx at row 46 (string ldap_server) and rows 50-52 (the user credentials for the account doing the lookup). If you don't know all the details, it can be useful to have an LDAP browser like Softerra LDAP Administrator & Browser.

Basically what happens at this part in the code is that you have a preset account that logs on to your LDAP, it then searches for the user credentials that the user provided in the loginform.htm. If the user was found, the code will try to log in to the LDAP using the user + the password that was provided in the loginform.htm.

If the user is successfully authenticated by the LDAP server, the user will be redirected to the access point. Do note that you'll want to set up your LDAP under the QMC as a Directory Service Connector as well since you'll probably want to use the user names, groups etc. for authorization (i.e. what apps should the different users see).

Hope this helps mate!

Cheers,

Johannes

0 Likes
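
The lookup-then-bind flow described in the article's note and in the reply above, written as an added C# example with the input checks that flow needs; it is not the attached Authenticate.aspx and not Qlik's code. The class and method names, the `uid` search attribute and the assumption that the ADSI path names a server (LDAP://host:port/base) are illustrative.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Text;

// Added example: hypothetical helper, not the attached Authenticate.aspx.
public static class LdapLogin
{
    // RFC 4515 escaping, so login-form input cannot alter the search filter.
    public static string EscapeFilter(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in value)
            sb.Append("\\*()\0".IndexOf(c) >= 0 ? "\\" + ((int)c).ToString("x2") : c.ToString());
        return sb.ToString();
    }

    // Returns the ADSI path of the authenticated entry, or null when the login is rejected.
    public static string Authenticate(string ldapRoot, string lookupDn, string lookupPassword,
                                      string userid, string password)
    {
        // ADSI provider names are case-sensitive: the path must start with upper-case LDAP://
        if (!ldapRoot.StartsWith("LDAP://", StringComparison.Ordinal))
            throw new ArgumentException("path must start with LDAP://", "ldapRoot");
        // A simple bind with an empty password is an unauthenticated bind, which many servers accept.
        if (string.IsNullOrEmpty(userid) || string.IsNullOrEmpty(password))
            return null;
        try
        {
            // AuthenticationTypes.None is a clear-text simple bind; prefer SecureSocketsLayer on an LDAPS port.
            using (var lookup = new DirectoryEntry(ldapRoot, lookupDn, lookupPassword, AuthenticationTypes.None))
            using (var searcher = new DirectorySearcher(lookup, "(uid=" + EscapeFilter(userid) + ")"))
            using (SearchResultCollection hits = searcher.FindAll())
            {
                if (hits.Count != 1) return null;        // unknown or ambiguous user
                string path = hits[0].Path;              // assumed form: LDAP://host:port/<user DN>
                string userDn = path.Substring(path.IndexOf('/', "LDAP://".Length) + 1);
                using (var asUser = new DirectoryEntry(path, userDn, password, AuthenticationTypes.None))
                {
                    object native = asUser.NativeObject; // forces the bind with the user's own password
                    return path;
                }
            }
        }
        catch (COMException) { return null; }            // log the HRESULT server-side, not to the browser
    }
}
```

A null return should produce the same generic "login failed" response for every cause, so the form does not reveal whether the user ID exists.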
prabhuappu
Contributor II

Hi Johannes,

We tried this authentication and it worked. But the user couldn't see some of the applications. We analysed the issue and found that:

  • If the access is provided directly to the user, using his AD id, the applications are visible.
  • If the access is provided to the AD group, then the application does not show up in AccessPoint even though the user is a member of that AD group.

We tried to assign the group name as in the code below, but it is not working.

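// Groups to pass to QlikView along with the user
List<string> groups = new List<string>();
groups.Add("AD_GROUP_NAME");

// Verbatim string, so the backslash is not read as an escape sequence
IUser user = new NamedUser(@"DOMAIN\USERID", groups, true);

// Hand the user over to the QlikView web session, then go to AccessPoint
QlikView.AccessPoint.User.GenericAuthentication(context, user);
Response.Redirect("/QlikView/index.htm");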

How can we overcome this? Thanks in advance.

Regards,

Prabhu Appu

0 Likes
Partner
Partner

Dear Johannes,

I was trying to implement the solution mentioned above.

However, I keep getting the same error as shown above, at "line 56":

System.Runtime.InteropServices.COMException (0x80005000): Unknown error (0x80005000) at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) at System.DirectoryServices.DirectoryEntry.Bind() at System.DirectoryServices.DirectoryEntry.get_NativeObject() at ASP.authenticate_aspx.authUserAndGetGroups(String userid, String password) in c:\Program Files\QlikView\Server\QlikViewClients\QlikViewAjax\Authenticate.aspx:line 56

I understand that some syntax is wrong.

Can you please provide me the actual modified aspx page used with Open LDAP syntax so that I can build the logic?

string ldap_server = "ldap://dc50-emea-dc01.emea.teo.earth:389/DC=teo,DC=earth,DC=emea"; //Check the LDAP server connection syntax

//Connect as a set user to perform a lookup of the userid provided in the login form
DirectoryEntry nUser = new DirectoryEntry(ldap_server);
nUser.Username = "uid=Username,ou=OUGROUP,o=ORGANIZATION"; //Check the LDAP syntax for your LDAP source
nUser.Password = "PASSWORD";

What should I give as Username and PASSWORD? What is ou=, o=?

0 Likes
Partner
Partner

Dear Prabhu,

I was implementing the same solution but keep on getting the line 56 error on the aspx page.

Would it be possible for you to share the aspx page with the correct syntax to be used?

0 Likes
Version history
Revision #: 1 of 1
Last update: 2015-10-26 10:08 PM
Updated by: jsn