we work on a QlikView Enterprise Edition Server 11.2 running with IIS and NTFS (Active Directory) Authentication.
We have 2 kind of users:
We, obviously, have SSO problems with the second type of Users.
They access to QlikView Documents through a Web Portal where they log in with an Active Directory User.
They reach QlikView Document using a dynamic link to "opendoc.htm" standard page.
I know "opendoc.htm" can receive USERID and PASSWORD parameters, but they are "Section Access" parameters.
The Web Portal could pass the Active Directory credentials to "opendoc.htm"... But I don't know how opendoc.htm can (if it can) receive the Active Directory User by parameters.
Someone had (and solved) same problem?
Thanks in advance!
Thanks Rajesh Pillai, the problem is only how to pass to "opendoc.htm" the Active Directory User to open document without authentication popup when user is out of the intranet...
The only way (but not the best), I think, is manually customizing Authentication.aspx page...
The webserver can't authenticate them automatically as they are outside the domain. If the external users aren't AD users you need a second webserver and use DMS file authorization (for all users) as they do not have NTFS file permissions.
Also, I recommend you to try without the Section Access to see if it helps. Might want to use USERID on Section Access instead of NTNAME.
Hi Erik Gustafsson,
All the users are AD Users, but some of them access from outside the Intranet (SalesReps for example).
There is no Section Access problem: the only issue is the authentication pop-up when a user access from the Internet: my goal could be a way to pass the AD user name & password to the "direct" link, like Section Access USERID and PASSWORD parameters...
All the External Users access to the Qlik Documents by a direct link, like this:
How can the domain trust the external users when they are not logged in from a secure place? You cannot pass the username and password in the URL as you need to be authenticated when entering the QlikView AccessPoint. So if the webserver can't automatically authenticate them, everything works as expected, as it shouldn't. They are outside the domain boundaries and thus is not to be automatically trusted, it would breach security. I would look into some kind of VPN solution or DirectAccess to configure a seamless login.
external users are logged in to a web portal with their credentials and they have a link to the QV Document on the homepage...
My hope is clicking the link and accessing to Document without entering again user & password...
Thanks in advance
If you indeed have a web portal passing credentials and a separate webserver to log these users in, then it is very possible. We have many customers using both Header and WebTicket solutions to make a SSO solutions possible. This might be a bit to in-depth to discuss here, but attached is some documentation on customized authentication. Essentially as long as the webserver can authenticate them automatically (by some server providing their credentials) it can work fine. Usually you need two webserver services as one handles the standard Active Directory NTLM login and one webserver handles customized header/WebTicket authentication. We do not have any features like virtual proxies or similar in the webserver, possibly this can be achieved by IIS, but not sure. There are no extra license costs for an extra webserver, so if there is a dedicated extra machine this should be viable.