This article is a comprehensive guide on the current integration of Qlik Sense with Microsoft Azure AD Application Proxy as of January 2019.
Due to the widespread adoption of Office 365, many enterprises have already replicated their on-premises Active Directory into Azure, and are finding additional Microsoft cloud services increasingly attractive. Data sources, application servers and Business Intelligence tools may be migrated to Azure Cloud. Microsoft Intune may be considered for Mobile Device Management, but it does not include a connectivity component for access to on-premises services. The Azure AD Application Proxy provides an easily deployed, VPN-less gateway that can be used to give small to medium businesses access to internal websites. Enterprises should consider whether they also require additional device-level authentication (as provided by VPN gateways) or multi-factor authentication for access to internal websites.
Qlik Sense requires that clients and intermediate infrastructure support WebSocket connectivity, which is used between the Qlik visualizations and the Qlik Sense Proxy service for retrieval of associative datasets. WebSockets are part of the HTML5 standard, but many proxy servers fail to support them; iOS 11 resolved earlier issues with routing WebSocket traffic via a per-app VPN. Remaining connectivity problems are now due to the configuration or limitations of EMM (Enterprise Mobility Management) and other network infrastructure.
The remainder of this article walks through that integration step by step.
Install the Azure AD Connect service on or near the Primary Domain Controller. This will replicate the domain to Azure Active Directory. Only one instance of this service should be running. Installation includes a Health Service and an Upgrader Service. These ensure that the Azure Portal notifies administrators of synchronization issues, and that the software is automatically updated with feature improvements. See also https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect
Install the Azure AD App Proxy Connector on one or more hosts. These initiate an outbound connection to the Azure Cloud, through which traffic will pass to registered Enterprise Applications. Installation includes an Update Service, so the software will be automatically updated with feature improvements. Within the Azure Portal the registered Application Proxy connectors are pooled into Connector Groups. See also https://docs.microsoft.com/en-us/azure/active-directory/active-directory-application-proxy-enable
Using the Azure Portal https://portal.azure.com/ the Administrator can register on-premise URLs such as Qlik Sense as Enterprise Applications. These are assigned a corresponding Public HTTPS URL, are associated with a Connector Group, and may be configured with authentication at the Azure entry point for Single SignOn into Qlik Sense.
Any browser, on mobile or desktop, as well as Qlik Sense Mobile, can then browse to a Public URL that provides access to the on-premises instance of Qlik Sense. The default Public URL is formed by concatenating the Application Name, the Tenant Name and ".msappproxy.net", and is accessed over https://, for example https://sense-qlikemmnet.msappproxy.net/hub/my/work
The user can see all configured and permitted Applications at http://myapps.microsoft.com
During installation of an Application Proxy connector within the LAN, you are prompted to sign into Azure as an Administrator. This registers the connector for use; it has no further directly configurable properties, and will be automatically upgraded when necessary. Microsoft recommends installing several instances of the connector, which can be pooled into a Connector Group within the Azure Portal to provide highly available connectivity to on-premises resources.
If an Application Proxy has been uninstalled or otherwise disabled, it will be removed from the Azure Portal after 10 days of inactivity.
When configuring an on-premise application as an Enterprise Application, please refer to https://docs.microsoft.com/en-au/azure/active-directory/manage-apps/application-proxy-qlik
When providing access to Qlik Sense releases prior to April 2018 you must register an application for Qlik Sense Hub and an additional application for the corresponding Authentication URL. If you had registered https://sense.qlikemm.com/ as an application "Sense", you must also register https://sense.qlikemm.com:4244/ as "Sense4244" (or corresponding http URLs http://sense.qlikemm.com/ and http://sense.qlikemm.com:4248/).
You can suppress the additional application from https://myapps.microsoft.com by appropriately setting "Visible to Users" in the Enterprise Application properties.
Within the Qlik Sense Management Console (QMC) you must also record the new External URL in the WhiteList of the Virtual Proxy.
After the User authenticates into Azure, the Azure AD Application Proxy can provide Single SignOn into Qlik Sense using Kerberos Constrained Delegation (KCD).
This requires that Qlik Sense is correctly configured to support Kerberos authentication, and that the Application Proxy hosts are appropriately configured within Active Directory with Delegation Rights to the Qlik Sense Service Principal Name (SPN).
If the Qlik Sense Proxy service is running as QLIKEMM\qlik, and the Qlik Sense Hub is internally accessible at https://sense.qlikemm.com/hub/my/work then a Kerberos Service Principal Name must be created:
setspn.exe -U -S HTTP/sense.qlikemm.com QLIKEMM\qlik
Verify the existence of the SPN using these commands:
setspn.exe -Q HTTP/sense.qlikemm.com
setspn.exe -L QLIKEMM\qlik
Using the Qlik Sense Management Console: edit the Authentication properties of the Virtual Proxy and change the Windows authentication pattern from the default "Windows" to "Mozilla", so that Single SignOn is offered to browsers other than Windows desktop browsers; then edit the Ports properties of the Proxy and enable Kerberos authentication.
Browse to Qlik Sense from a desktop browser on your LAN, and verify that Kerberos authentication has occurred by confirming the presence of a corresponding Kerberos Service Ticket in your local Kerberos Ticket Cache:
klist.exe tickets | more
Only AFTER confirming that Kerberos Single SignOn is occurring successfully, THEN proceed to ensuring that the Application Proxy host(s) are appropriately configured in Active Directory to support Kerberos Constrained Delegation to this Service Principal Name, and SUBSEQUENTLY enable Windows Integrated Authentication Single SignOn for the Enterprise Application in the Azure Portal.
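The following PowerShell script is an added example (not part of the original article, nor Qlik's or Microsoft's own tooling) that checks the Active Directory prerequisites described above before Windows Integrated Authentication is enabled in the Azure Portal. It assumes the RSAT ActiveDirectory module is installed, reuses the QLIKEMM\qlik account and HTTP/sense.qlikemm.com SPN from the article, and the connector host names APPPROXY01 and APPPROXY02 are placeholders to replace with your own.

```powershell
# Added example: verify SPN, constrained delegation and a cached service ticket
# for Azure AD Application Proxy KCD into Qlik Sense. Run as a domain admin on a
# domain-joined workstation that has just browsed to the Hub on the LAN.
Import-Module ActiveDirectory

$ServiceAccount = 'qlik'                         # sAMAccountName running the Qlik Sense Proxy
$Spn            = 'HTTP/sense.qlikemm.com'       # SPN registered with setspn.exe above
$ConnectorHosts = @('APPPROXY01', 'APPPROXY02')  # placeholder connector computer names

# 1. The SPN must be registered on the service account, and on nothing else;
#    a duplicate SPN breaks Kerberos for everyone silently.
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties sAMAccountName)
if ($owners.Count -ne 1 -or $owners[0].sAMAccountName -ne $ServiceAccount) {
    Write-Warning "SPN $Spn is registered on: $($owners.sAMAccountName -join ', ') (expected only $ServiceAccount)"
} else {
    Write-Host "OK: $Spn is registered on $ServiceAccount only"
}

# 2. Each connector computer account must be trusted for constrained delegation to
#    that SPN only ("Trust this computer for delegation to specified services only")
#    and must use protocol transition ("Use any authentication protocol"), because
#    the connector requests the Kerberos ticket on the user's behalf without ever
#    holding the user's credentials.
foreach ($name in $ConnectorHosts) {
    $comp = Get-ADComputer -Identity $name -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation
    $targets = @($comp.'msDS-AllowedToDelegateTo')
    if ($targets -notcontains $Spn) {
        Write-Warning "$name may not delegate to $Spn (allowed targets: $($targets -join ', '))"
    } elseif (-not $comp.TrustedToAuthForDelegation) {
        Write-Warning "$name delegates to $Spn but 'Use any authentication protocol' is not set"
    } else {
        Write-Host "OK: $name may delegate to $Spn with protocol transition"
    }
}

# 3. Same check as 'klist.exe tickets' above: a service ticket for the SPN must be
#    in the local cache after browsing the Hub, otherwise LAN Kerberos SSO is not
#    working yet and enabling KCD in Azure will only hide the real problem.
if ((klist.exe tickets) -match [regex]::Escape($Spn)) {
    Write-Host "OK: service ticket for $Spn found in the local ticket cache"
} else {
    Write-Warning "No service ticket for $Spn cached; fix Kerberos SSO on the LAN before enabling KCD"
}
```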
QlikView is reliably accessible via the Microsoft Azure AD Application Proxy, as it does not depend on advanced HTML5 features such as WebSockets.
Qlik Sense requires WebSocket connectivity, which the Application Proxy has supported since April 2018. Qlik Sense may also require a second registered application for the authentication URL if you are using a release of Qlik Sense prior to April 2018.
Qlik suggests deploying the Qlik Sense Websocket Connectivity Tester from https://developer.qlik.com/garden/56728f52d1e497241ae69865 into the Content Library within the QMC, and confirming that this can be accessed via the internal https://sense.qlikemm.com/content/default/QlikSenseWebsocketTest.html and external https://sense-qlikemmnet.msappproxy.net/content/default/QlikSenseWebsocketTest.html URLs. Failure could be caused by other network infrastructure such as Load Balancers or a Reverse Proxy between the Azure AD Application Proxy and Qlik Sense. Compare output with example https://sense-demo.qlik.com/content/default/QlikSenseWebsocketTest.html.
Some logging may be produced by the Azure AD Application Proxy at "C:\ProgramData\Microsoft\Microsoft AAD Application Proxy Connector\".