3 Replies Latest reply: Sep 7, 2015 9:39 PM by sudhakar nemmatha

    QV11 & Active Directory (LDAP) Configuration

    Seth Hoots

      Good morning, all. I have spent this entire morning (and last Friday day) attempting to get a QV Install using Active Directory to allow access to users.

       

      Originally the configuration was for local users on the QVServer to have access to the QVSystem. Any user on the local system was granted access to the access point. We have since switched gears, as the application that we administer has a built-in ability to reset/sync AD passwords, which would SSO our app and QlikView. Since our app can talk to AD, we want to integrate this Active Directory account into the QlikView system.

       

      So far, I have configured the QVAdmin side to use the Active Directory and LDAP DSC. I can query users in AD using the Users portion of the admin console. The problem we are having is that these accounts are not allowed to log in to the access point. We are prompted with the user/password field, however no combination of FQDN\UserName or UserName and Password will work. I do NOT however see any place in the Admin Console to delegate rights out. I have read something in the "help docs" about a "Section Access" tab under users but DO NOT have this button, only users. Is something missing here?

       

      What step am I skipping here? There has to be some group or setting that points to AD and says "YES ALLOW THESE GUYS ACCESS". I have added the TEST account I am using to the local users group on the server; this doesn't allow access. I DO have an Admin AD account that IS working, however I cannot determine what is allowing it to get access. I have configured this test user account exactly the same as the WORKING AD Account, yet the mirrored account does get access. I am thinking something is specifically set up on the QVM Access console.

       

      My settings INI shows "UseDomainAccount=1" in the Qlikview ProgramData folder.

       

      If I create ANY local account on the QVServer, that account will be granted access to log in via the AP. By default, these new accounts only get the local "Users" group from the server. I have added my Active Directory "test account" to that group, still no access.

       

      - I can confirm I am talking to AD; I can see groups and users when I hit the "Users" tab in the QVAdmin console and query *.

      - I can log in with local users (to the qvserver), not AD.

      - I attempted to map a CAL to a user from AD using the System --> Licenses --> CAL options to add a user from AD. Still no access granted.

      - I have tweaked some configs to point at the LDAP://ou=,dc= and this is now pulling in users that show "DSP1\Username" as well as "DomainName\UserName". This is a new issue since I removed the hostname from the ldap connection string.

      For example (asterisks added to conceal domain):

      Now: LDAP://OU=WFEC,OU=Environments,DC=*************,DC=com

      Previously: LDAP://cloudDC/OU=WFEC,OU=Environments,DC=*************,DC=com

      - Build for QV: 11.20.12354.0

       

      There has to be a switch I am missing that will allow the AD access, any suggestions? Clues? Is this done in the QVAdmin console or do I need to create a group in AP under this specific locale that the LDAP connection string points to?

       

      Please help us, we have spent 12+ man hours on configuring this install.