Since a few weeks we're experiencing some difficulties with our Qlikview Server configuration.
We have created a local account on our server machine and the Qlikview Server service runs under its identity.
The machine is in a domain, but the account is local to the machine.
We're experiencing frequent login attempts from the Qlikview Server service on the active directory. Since the service runs under a local user account, the credentials is unknown in the directory, resulting in lots of authentication failures. We have asked our domain administrator to provide us with a domain account for the service to run under, so the authentication succeeds and so we can start monitoring for genuine intrusion attempts again.
Although this may only solve the problem in a superficial manner, we're still puzzled as to why the QVS service tries to authenticate on the domain in the first place. We had a mis-configured AD DSC service, but this was removed with no change in the situation. I have set the service logs verbosity to its highest settings to be able to see any relevant information and I'll check them tomorrow.
We believe this is not caused by an application since the authentication failures occur throughout days and nights and is not bound to any application usage. Moreover, failures do not match with any task scheduling so we also think that task configuration is not relevant. Now we're a bit short on ideas, so any help on that subject would be appreciated
I do not have any trace of the authentication login in the service logs.
I however have traces of the authentication attempt in the windows event logs.
Is DSC configure with AD\LDAP Auth? If yes are you use any domain account to fetch the user repo for this?
Please check on this.
Is it possible to share simple event log? just text.
Actually, we have a local account which is able to open interactive sessions on the server . All Qlikview services were using that account for an identity, and service / server administration was done with that principal's identity. There also was a mis-configured AD DSC using that account credentials when the directory team reported us that account was failing directory authentication.
I then removed the AD DSC and I also changed the principal which the services were running under in order to narrow down the root cause of the problem. I created some local accounts on the machine and affected them to each service : QlikviewServer, QlikviewManagement, QlikviewDirectory, etc ... Now each service is configured to run with its own principal and noone but me knows the account's credentials, so I can assert they are only being used by Qlikview services.
The authentication failures using the legacy account stopped and then the same started with the principal of the Qlikview Server service. I mean the actual « Qlikview Server » service, not any other Qlikview service such as DSC, QVM, etc ...
I must specify we are using Qlikview Server version 11.0.11282.0 if that's of any help.
Yesterday's event log is available here : ZeroBin
I have reviewed the log and not issue found in that.
Just confirm if this user "FRGNBQVPOC\QlikviewManagement" is not part of domain. This user is local user on QlikView server.
"We're experiencing frequent login attempts from the Qlikview Server service on the active directory."
Can you share event log for above mentioned activity ?
I have checked you earlier log but nothing is going to CROP domain. Please share relevant event log for the same.