Skip to main content
Announcements
Have questions about Qlik Connect? Join us live on April 10th, at 11 AM ET: SIGN UP NOW
cancel
Showing results for 
Search instead for 
Did you mean: 
Not applicable

QVS 9.0 - DMS, AD, and groups

Hi all,

For a customer I've tried setting up a QlikView Server 9 instance with authentication through DMS today, using Active Directory as the directory service for the Directory Service Connector.

The problem right now is that I can grant access to single users in the 'User Documents' page of the Enterprise Management Console (which suggests the user can be found in AD), but when granting access to a group that this user belongs to the document does not show up in the Access Point (suggesting that the user cannot be resolved to this group). I've tried both the plain group name, and domainname\groupname notation.

Any idea what I'm doing wrong here?

Regards,

Martijn ter Schegget
CND Development

PS: it's past 10pm local time right now, I'll be reading any answers tomorrow morning.

19 Replies
biester
Specialist
Specialist

Hi Martijn,

well, I don't know if it might have something to do with your problem, but I'm experiencing heavy trouble with user rights from NTFS (not only via access point) especially when groups (or nested groups, so to say) are involved - see http://community.qlik.com/forums/p/19859/75854.aspx#75854 .

It's now about a week that support told me they are waiting from development whether this is a bug or a WAD (!!!!) - nothing heard since. But I'm afraid there ARE rights issues in QV 9 (with things that certainly worked in QV 8.5) ; so also YOUR problem might be caused by them.

Rgds,
Joachim

Not applicable
Author

Hi all,

Short update on the situation: we've decided to work around it and use (classic) NTFS based security. Besides that, we found out that for users the username must (partially) match the user linked to the document in the User Documents -> Authorization tab; this suggests that DMS does not even perform a lookup on AD for these names but just uses a string match.

For group lookups we got authentication errors in the Directory Service Connector log, suggesting a problem authenticating to AD. The same user can query AD in other ways, so the tech support guys at this customer site suggested that the AD server path should maybe include a path within the AD.

Anyone here has experience using DMS for matching users/groups against AD? And could you share some details on e.g. what value should be used for the 'path' value in the DSC Active Directory settings?

Thanks in advance!

Martijn ter Schegget
CND Development

Not applicable
Author

Here is some information that may be of help to you.

I am experiencing a similar issue with AD group membership and QVS 9.

After a few calls with QV we came up with this.

Environment - QVS 9, no publisher.

Make sure all services run under a domain admin account and not local admin account

Without publisher licenses the DCS is actually not utilized. Remove user/password. They mentioned keeping the default path (not sure why).

Assign Document Authorization to your group domain\groupname

Restart the services (seems QVS and Webserver are the important ones here)

Group resolution should happen now.

If new users are added to the group there is a delay (15 minute default), due to QV caching group membership of users.

Hope this helps

Not applicable
Author

Hello andyw715,

I'm interested by this configuration but I have some problem to put it in place.

All Qlikview services run with a domain admin account, and I have put domain groups in the authorization document but I don't know if we must configure "Active directory" in qemc?

Must do stop Directory connector?

We must use "windows authorization" or "qlikview authorization"?

Regards,

Loic

Not applicable
Author

Loic,

I was told, since I'm not using Publisher, that Directory Service Connectors don't have to be setup. The service is running on my server, but nothing is configured via Enterprise Console.

I haven't tried "windows authorization". My configuration uses DMS.

-Andy

Not applicable
Author

Hello,

I'm experienced the same problems as mentioned above. We're using a Server and Publisher and configured "DMS authorization".
The DMS seems configured correctly because users are recognzied as they login into the AccessPoint and get their Documents. Also the Domain is listeted in the searchscope. All Users and Groups are found by the search-function of the Enterprise Console.

If I use groups-based auth instead of users-auth the endusers don't get the documents. I tried different things to get this workin' with no luck:

- different syntax ( name, domain\user ...)
- changed the local-user to domain-user the services runs with

Has someone an idea why this problem occurs?

Not applicable
Author

The same problems for me... If we mantain document authorizations using Windows Groups and no documents are shown in Access Point

lhr
Employee
Employee

if you are running the QVS in DMS mode the DSC needs to be configured for group authorization to work (e.g., the QVS utilizes the DSC for group resolution). check to following things in the management console:

* that active directory is set up on the DSC (normally this is done automatically, if not there is a little button next to the path field to have the DSC suggest a default path).

* if the QVS and the DSC are running on different machines, verify that the correct URL for the DSC is set in the QVS settings (it defaults to localhost:4730/..., just change to the correct machine name).

in windows, verify that the account running the QVS is member of the "Qlikview Administrators" group on the machine running the DSC.

please note that (even failed) group lookups is cached for 15 minutes on the QVS, so while experimenting you might need to restart the QVS.

hope this helps

/lars

Not applicable
Author

Hi Lars,

I already checked all points in your reply; the solution turned out to be quite different:

Lookups using Active Directory (through DMS and the Directory Service Connector) are broken in QV 9.0 build 9.0.7119.4! (As confirmed per e-mail by QlikTech support.) Upgrading to SR1 (build 9.0.7257.6) or later will fix this problem (at least it did for me); support suggested that I upgrade to SR2 (released today) because it fixes some additional bugs.

Thanks for the additional tips in your reply; they might help others solve similar problems.

With regards,

Martijn ter Schegget