Skip to main content
Announcements
Have questions about Qlik Connect? Join us live on April 10th, at 11 AM ET: SIGN UP NOW
cancel
Showing results for 
Search instead for 
Did you mean: 
marc_behrens
Partner - Contributor III
Partner - Contributor III

Section Access, AD Groups and Kerberos

Hi erverybody,

yesterdy I had the following problem and because I could not find something that described my problem properly, I thought I should post the solution, just in case someone else might be looking for it.

I was trying to implement section access to an existing qvw-document just as it's described in every tutorial.

LOAD * INLINE [

     ACCESS, NTNAME, GROUP
     ADMIN, domain\grp_admin, 0
     USER, domain\grp_user, 1


]
;

(The "GROUP" Field is for datareduction)

There was just one thing- it did not work... If I changed the "NTNAME" information from ad-groups to ad-usernames like

LOAD * INLINE [

     ACCESS, NTNAME, GROUP
     ADMIN, domain\username, 0
     USER, domain\grp_user, 1


]
;

it worked just fine. First I thought there would be a problem with the way QlikView gets the group information from the ad-server but I was missing the fact that our domain is using kerberos for authentification, which caused some (at first glance) weired effects.

1) I did not have access at all to the document, if I used the first script-part.

2) The next day, I had access, but if I changed my group membership, my rights in the qvw did not change

The reason was / is, that a kerberos-token does have a specific duration and changes made in the actice directory do not take effect, until a new token is handed out.

1) I did not have access to the document, because I was developing the application and created the ad-groups while I was logged on to the development machine. Therefore (from a kerberos point of view) I was not a member in the newly created groups, even if I added myself on the domain controller.

2) The next day, I got a new token and had access, but it did not change if I changed my group membership.

Long story short:

Affected users (those with a changed group membership) will have to log off and back on to get a new token and the correct rights in the document.

Sincerely,

Marc

0 Replies