Qlik Community

QlikView Management

Discussion Board for collaboration on QlikView Management.

phersan_sme
New Contributor III

GetTicket Authentication still asking me for credentials to log in

Hey all, I need your assistance.

I am currently using Qlikview 10 SR2 with IIS as my webserver. I am also using a Custom Directory with a prefix of TEST\ for all my users. (ex: test\johndoe, test\user2, etc)

I've written some code in VB.NET that acts as a landing page, and gets a ticket for authentication from the QlikView Server. You can find the code snippet I used here: http://community.qlik.com/message/117147#117147

So the main point of the code is that it makes a request for a ticket in the following structure: '<Global method="GetTicket"><UserId>' + username + '</UserId></Global>'

And the server replies with a ticket like so: 510EA55C2DB723DC04C16C6FB3CDAB24F3390792

Now, you're supposed to be able to use that ticket as a method of authentication for the user that you passed into the GetTicket request.

My code is running fine and I can retrieve a ticket without any problems.

However, when I try to access my AccessPoint by using the ticket parameter, it still asks me to log in. It's not an IIS authentication issue because when I change the log in settings in the QEMC to the alternate web form, it'll bring up the alternate web form asking me to log in; if I change it to the regular log in using browser authentication, the browser prompts me for a user name and password. If I type in my custom users, I can log into the AccessPoint.

I've also tried opening a specific document with a ticket and it still asks me to log in.

http://localhost/QlikView/?ticket=510EA55C2DB723DC04C16C6FB3CDAB24F3390792

http://localhost/QvAJAXZfc/AccessPoint.aspx?open=&id=QVS@qvcustom|AP/SalesTest.qvw&client=Ajax&ticket=510EA55C2DB723DC04C16C6FB3CDAB24F3390792

The weird thing is, is that I had it working before the weekend where it would log me into the AccessPoint by using nothing more than my ticket, and it suddenly stopped working this week when I booted up my server.

I've set my security for DMS authorization, authentication for Custom Users with a prefix of TEST\. Like I said, I had it working, and now it's stopped when I rebooted my system on the weekend. Did any QlikView config files change once I rebooted? What could cause something to stop working? I've wasted plenty of time playing with the QEMC already, did I miss something? Do I need to add anything to my code or my IIS settings?

I'm retrieving the tickets just fine, so why isn't the QlikView server accepting them?

Any thoughts are appreciated. Thanks.

17 Replies
phersan_sme
New Contributor III

GetTicket Authentication still asking me for credentials to log in

Just to clarify what I'm doing at the moment:

1. I built a webpage that a user inputs his Custom Username

2. the VB code passes a GetTicket call to the QlikView server using the username typed in by the user (ex: TEST\user1)

3. the QlikView server returns a ticket that should authenticate the user (ex: ticket=510EA55C2DB723DC04C16C6FB3CDAB24F3390792 would be tied to the user TEST\user1)

4. I pass that ticket into a URL to open up the AccessPoint or a QVW (ex: http://localhost/QlikView/?ticket=510EA55C2DB723DC04C16C6FB3CDAB24F3390792 or

http://localhost/QvAJAXZfc/AccessPoint.aspx?open=&id=SalesTest.qvw&client=Ajax&ticket=510EA55C2DB723DC04C16C6FB3CDAB24F3390792)

5. I get prompted for a user name and password, when I should already be authenticated.

Like I've mentioned, I had it working before, but when I booted up my machine this week, this log in issue surfaced.

I've noticed that my WebServer config.xml file has the following attribute

<QvsAuthenticationProt>Negotiate</QvsAuthenticationProt>

Do I want it to be negotiate? Would that have anything to do with it?

danielrozental
Honored Contributor II

GetTicket Authentication still asking me for credentials to log in

The form asking you for your logins credentials, is it a qlikview's or windows/IE form?

phersan_sme
New Contributor III

GetTicket Authentication still asking me for credentials to log in

Thanks for the reply,

The form depends on the settings I choose in the QEMC found in: System > Setup > QlikView Web Servers > Authentication > Login Address

If I set it for Default login page (browser authentication), then IE asks me for the credentials

if I set it for Alternate login page (web form), then it redirects me to the QlikView login webpage that looks like this:

Login.png

Like I said, i'm using a custom directory in QV10 where you can create your users right on the QEMC. This is not AD or Local Windows users.

I want to be able to use the ticket to authenticate me, not username/password. It's strange because I'm looking at the logs from the web server and it's dishing out a ticket and doing group lookups on my user. So it's finding the right user when it assigns a ticket... so why can't I navigate to a document/accesspoint using the ticket parameter? I was able to last week.

FROM WEBSERVER LOG FILE:

6/1/2011 16:37:02.1000342          Information          <Global method="GetTicket"><UserId>AXIS\phersan</UserId><GroupList><string>AXIS\Admins</string><string>AXIS\Users</string></GroupList><GroupListIsNames>true</GroupListIsNames></Global>

6/1/2011 16:37:02.1000342          Information          <Global><_retval_>6CECCCF1FE8ADACBF12A7743AD47CD1EB938D341</_retval_></Global>

I bolded my groups, meaning it found my user in the directory when I requested a ticket. And I also bolded the ticket, meaning it was able to request and retrieve one.

danielrozental
Honored Contributor II

GetTicket Authentication still asking me for credentials to log in

If you changed security settings on the IE virtual folder or the account set as anonymous there doesn't have permissions to the c:/program files/qlikview/web folder IE will ask for your credentials.

Also, you probably already checked this, QV Security must be set as DMS for tickets to work.

phersan_sme
New Contributor III

GetTicket Authentication still asking me for credentials to log in

yeah, I also thought that could be it... but I checked all my anonymous permissions, it has all the right permissions to the directories. As a sanity check, I even added the anonymous user to the administrators group and QV admin group. Still redirects me to the login page.

And I do have the QV Security set to DMS.

I'm out of ideas...

danielrozental
Honored Contributor II

GetTicket Authentication still asking me for credentials to log in

Are you using IUSR or a Windows user for the anonymous authentication, maybe that user's password changed or the user is locked?

phersan_sme
New Contributor III

GetTicket Authentication still asking me for credentials to log in

I've tried with the IUSR account, and I've also tried switching it to a windows admin user as the anonymous, as a sanity check.

I think it's some setting in QlikView or IIS that I'm missing, that is not allowing me to authenticate with a ticket. Something's getting blocked or is set incorrectly. I've tried playing around with the IIS security settings on the Authenticate.aspx page, AccessPoint.aspx page, etc. I've tried a lot of combinations of settings and it still redirects me to the login web form when I try to pass in the ticket.

danielrozental
Honored Contributor II

GetTicket Authentication still asking me for credentials to log in

I might be missing something here or QV10 might have some new features I don't know about but I don't believe you can use a ticket to access the access point.

Ticketing, at least up to QV9, could only be used to access applications directly, you should try that out.

If you're using custom users from the QEMC I don't think there is a way to access the AP other than logging in from the login page.

phersan_sme
New Contributor III

GetTicket Authentication still asking me for credentials to log in

I wasn't sure that you could access the accesspoint with a ticket either, but from the QV10 server reference manual, it shows the following example:

Client Usage:

- The Windows client can use tickets (via QVP url) or negotiate authentication

- The AJAX client must use the ticket parameter, e.g.

http://localhost/salesdemo/AJAXzfc/?ticket=510EA55C2DB723DC04C16C6FB3CDAB24F3390792

Either way, I've tested both the accesspoint and documents, and they both still prompt me for more credentials.

I could have sworn I had this working for a full day before I turned off my VM over the weekend and opened it back up this week. If the issue is that I'm using the custom directory, what would you suggest I use? A Custom ODBC or LDAP directory?

Community Browser