For a customer I've tried setting up a QlikView Server 9 instance with authentication through DMS today, using Active Directory as the directory service for the Directory Service Connector.
The problem right now is that I can grant access to single users in the 'User Documents' page of the Enterprise Management Console (which suggests the user can be found in AD), but when granting access to a group that this user belongs to, the document does not show up in the Access Point (suggesting that the user cannot be resolved to this group). I've tried both the plain group name and the domainname\groupname notation.
Any idea what I'm doing wrong here?
Martijn ter Schegget
PS: it's past 10pm local time right now, I'll be reading any answers tomorrow morning.
Well, I don't know if it might have something to do with your problem, but I'm experiencing heavy trouble with user rights from NTFS (not only via Access Point), especially when groups (or nested groups, so to say) are involved - see http://community.qlik.com/forums/p/19859/75854.aspx#75854.
It's now about a week since support told me they are waiting to hear from development whether this is a bug or a WAD (!!!!) - nothing heard since. But I'm afraid there ARE rights issues in QV 9 (with things that certainly worked in QV 8.5); so YOUR problem might also be caused by them.
Short update on the situation: we've decided to work around it and use (classic) NTFS based security. Besides that, we found out that for users the username must (partially) match the user linked to the document in the User Documents -> Authorization tab; this suggests that DMS does not even perform a lookup on AD for these names but just uses a string match.
For group lookups we got authentication errors in the Directory Service Connector log, suggesting a problem authenticating to AD. The same user can query AD in other ways, so the tech support guys at this customer site suggested that the AD server path should maybe include a path within the AD.
Does anyone here have experience using DMS for matching users/groups against AD? And could you share some details on e.g. what value should be used for the 'path' value in the DSC Active Directory settings?
Thanks in advance!
Martijn ter Schegget
Here is some information that may be of help to you.
I am experiencing a similar issue with AD group membership and QVS 9.
After a few calls with QV we came up with this.
Environment - QVS 9, no publisher.
Make sure all services run under a domain admin account and not a local admin account.
Without Publisher licenses the DSC is actually not utilized. Remove user/password. They mentioned keeping the default path (not sure why).
Assign Document Authorization to your group domain\groupname
Restart the services (seems QVS and Webserver are the important ones here)
Group resolution should happen now.
If new users are added to the group there is a delay (15 minute default), due to QV caching group membership of users.
Hope this helps
I'm interested in this configuration, but I have some problems putting it in place.
All QlikView services run with a domain admin account, and I have put domain groups in the authorization document, but I don't know if we must configure "Active directory" in QEMC?
Must we stop the Directory connector?
Must we use "windows authorization" or "qlikview authorization"?
I was told, since I'm not using Publisher, that Directory Service Connectors don't have to be set up. The service is running on my server, but nothing is configured via Enterprise Console.
I haven't tried "windows authorization". My configuration uses DMS.
I'm experiencing the same problems as mentioned above. We're using a Server and Publisher and configured "DMS authorization".
The DMS seems to be configured correctly because users are recognized as they log in to the AccessPoint and get their documents. Also, the domain is listed in the search scope. All users and groups are found by the search function of the Enterprise Console.
If I use group-based auth instead of user auth, the end users don't get the documents. I tried different things to get this workin' with no luck:
- different syntax (name, domain\user ...)
- changed the local user to a domain user that the services run with
Does anyone have an idea why this problem occurs?
If you are running the QVS in DMS mode, the DSC needs to be configured for group authorization to work (e.g., the QVS utilizes the DSC for group resolution). Check the following things in the management console:
* that Active Directory is set up on the DSC (normally this is done automatically; if not, there is a little button next to the path field to have the DSC suggest a default path).
* if the QVS and the DSC are running on different machines, verify that the correct URL for the DSC is set in the QVS settings (it defaults to localhost:4730/..., just change to the correct machine name).
In Windows, verify that the account running the QVS is a member of the "Qlikview Administrators" group on the machine running the DSC.
Please note that (even failed) group lookups are cached for 15 minutes on the QVS, so while experimenting you might need to restart the QVS.
Hope this helps
I already checked all points in your reply; the solution turned out to be quite different:
Lookups using Active Directory (through DMS and the Directory Service Connector) are broken in QV 9.0 build 9.0.7119.4! (As confirmed per e-mail by QlikTech support.) Upgrading to SR1 (build 9.0.7257.6) or later will fix this problem (at least it did for me); support suggested that I upgrade to SR2 (released today) because it fixes some additional bugs.
Thanks for the additional tips in your reply; they might help others solve similar problems.
Martijn ter Schegget