19 Replies. Latest reply: Nov 30, 2009 11:55 AM by CLamprecht

    QVS 9.0 - DMS, AD, and groups

    Martijn ter Schegget

      Hi all,

      For a customer I've tried setting up a QlikView Server 9 instance with authentication through DMS today, using Active Directory as the directory service for the Directory Service Connector.

      The problem right now is that I can grant access to single users in the 'User Documents' page of the Enterprise Management Console (which suggests the user can be found in AD), but when granting access to a group that this user belongs to the document does not show up in the Access Point (suggesting that the user cannot be resolved to this group). I've tried both the plain group name, and domainname\groupname notation.

      Any idea what I'm doing wrong here?

      Regards,

      Martijn ter Schegget
      CND Development

      PS: it's past 10pm local time right now, I'll be reading any answers tomorrow morning.

        • Re: QVS 9.0 - DMS, AD, and groups
          Joachim Rogginer

          Hi Martijn,

          Well, I don't know if it might have something to do with your problem, but I'm experiencing heavy trouble with user rights from NTFS (not only via access point), especially when groups (or nested groups, so to say) are involved - see http://community.qlik.com/forums/p/19859/75854.aspx#75854.

          It's now about a week since support told me they are waiting to hear from development whether this is a bug or a WAD (!!!!) - nothing heard since. But I'm afraid there ARE rights issues in QV 9 (with things that certainly worked in QV 8.5); so YOUR problem might also be caused by them.

          Rgds,
          Joachim

           

          • QVS 9.0 - DMS, AD, and groups
            Martijn ter Schegget

            Hi all,

            Short update on the situation: we've decided to work around it and use (classic) NTFS based security. Besides that, we found out that for users the username must (partially) match the user linked to the document in the User Documents -> Authorization tab; this suggests that DMS does not even perform a lookup on AD for these names but just uses a string match.

            For group lookups we got authentication errors in the Directory Service Connector log, suggesting a problem authenticating to AD. The same user can query AD in other ways, so the tech support guys at this customer site suggested that the AD server path should maybe include a path within the AD.

            Does anyone here have experience using DMS for matching users/groups against AD? And could you share some details on e.g. what value should be used for the 'path' value in the DSC Active Directory settings?

            Thanks in advance!

            Martijn ter Schegget
            CND Development

             

              • QVS 9.0 - DMS, AD, and groups

                Here is some information that may be of help to you.

                I am experiencing a similar issue with AD group membership and QVS 9.

                After a few calls with QV we came up with this.

                 

                Environment - QVS 9, no publisher.

                Make sure all services run under a domain admin account and not a local admin account.

                Without publisher licenses the DSC is actually not utilized. Remove user/password. They mentioned keeping the default path (not sure why).

                Assign Document Authorization to your group domain\groupname.

                Restart the services (seems QVS and Webserver are the important ones here).

                Group resolution should happen now.

                If new users are added to the group there is a delay (15 minute default), due to QV caching group membership of users.

                 

                Hope this helps

                 

                  • QVS 9.0 - DMS, AD, and groups
                    Paul Ehret

                    Hello andyw715,

                    I'm interested in this configuration but I have some problems putting it in place.

                    All QlikView services run with a domain admin account, and I have put domain groups in the authorization document, but I don't know if we must configure "Active directory" in QEMC?

                    Must we stop the Directory connector?

                    Must we use "windows authorization" or "qlikview authorization"?

                    Regards,

                    Loic

                     

                      • QVS 9.0 - DMS, AD, and groups

                        Loic,

                        I was told, since I'm not using Publisher, that Directory Service Connectors don't have to be set up. The service is running on my server, but nothing is configured via Enterprise Console.

                        I haven't tried "windows authorization". My configuration uses DMS.

                        -Andy

                         

                  • QVS 9.0 - DMS, AD, and groups

                    Hello,

                    I'm experiencing the same problems as mentioned above. We're using a Server and Publisher and configured "DMS authorization".
                    The DMS seems configured correctly because users are recognized as they log in to the AccessPoint and get their documents. Also the domain is listed in the search scope. All users and groups are found by the search function of the Enterprise Console.

                    If I use group-based auth instead of user-based auth the end users don't get the documents. I tried different things to get this workin' with no luck:

                    - different syntax (name, domain\user ...)
                    - changed the user the services run with from a local user to a domain user

                    Does anyone have an idea why this problem occurs?
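
A way to check, independently of QlikView, whether Active Directory itself resolves a user into the authorized group directly, only through nested groups, or not at all. This is an added example, not part of any post in this thread; the account and group names are placeholders, and it assumes a single domain and the RSAT ActiveDirectory module.

```powershell
# Added diagnostic example (not from the thread). Read-only AD queries.
param(
    [string]$UserSam  = 'jdoe',        # placeholder sAMAccountName
    [string]$GroupSam = 'QV_Readers'   # placeholder group name
)
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping so a DN containing \ * ( ) stays literal in the filter.
    # The backslash is replaced first so later escapes are not escaped again.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

$user  = Get-ADUser  -Identity $UserSam -Properties PrimaryGroup
$group = Get-ADGroup -Identity $GroupSam
$uDn   = ConvertTo-LdapFilterValue $user.DistinguishedName
$gDn   = ConvertTo-LdapFilterValue $group.DistinguishedName

# Direct membership: the group appears in the user's memberOf attribute.
$direct = Get-ADUser -LDAPFilter "(&(distinguishedName=$uDn)(memberOf=$gDn))"

# Transitive membership: LDAP_MATCHING_RULE_IN_CHAIN makes the domain
# controller walk nested groups (group inside group inside group).
$chain = Get-ADUser -LDAPFilter "(&(distinguishedName=$uDn)(memberOf:1.2.840.113556.1.4.1941:=$gDn))"

# memberOf never lists the primary group, so compare it separately.
$primary = $user.PrimaryGroup -eq $group.DistinguishedName

$membership = if ($direct) { 'direct member' }
    elseif ($primary) { 'member via primary group only' }
    elseif ($chain)   { 'member only through nested groups' }
    else              { 'not a member' }

[pscustomobject]@{
    User       = $user.SamAccountName
    Group      = $group.Name
    Membership = $membership
}
```

A result of "member only through nested groups" or "member via primary group only" means AD considers the user a member even though a lookup that reads only direct membership would not. After a membership change, allow for the 15-minute group cache mentioned above before retesting in the AccessPoint.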