4 Replies Latest reply: Nov 2, 2010 8:13 AM by mfelipe RSS

    Active Directory and CAL

      We want to use NTFS authorization in combination with Active Directory.

      By "Directory Service Connectors" --> "Active Directory" we defined the LDAP-path and username/password which has rights to read the Active Directory.

      What else do we need to do in de Enterprise Manager Console? Are the AD users automatically read within the Qlikview Server? how can we see that QVS loaded the list with ActiveDirectory users? What is the relation between AD settings(users) and the CAL? (it seems to us that the AD users cannot use the Ajax client unless the Windows/AD users are also added manually as a CAL user).

      Thank you,

       

       

       

       

        • Active Directory and CAL
          Vlad Gutkovsky

          If you defined the LDAP address properly, there is nothing else you need to do. AD users are automatically read by QVS. With NTFS authorization you need to make sure those users that should be able to see the file have NTFS Read & Execute permissions on the file. Assuming that the users have the proper permissions on the file, QlikView will then automatically assign them a Named User CAL (I'm assuming that's what you have in your license) when they request one--until it runs out of CALs of course.

          If you do not want QlikView to automatically assign CALs, then go to QEMC --> System --> Licenses --> QlikView Server --> Client Access Licenses (CALs). Under the General tab, you can uncheck "Allow Dynamic CAL Assignment" and then add users manually under the Assigned CALs tab. But unless you have a specific reason for wanting manual assignment, I would suggest you leave it automatic in the beginning.

          An easy way to test that everything works is to open a document from the AccessPoint. You can then go into the Assigned CALs tab I mentioned above and see that 1 CAL has been assigned to your Windows username. Note that later it might be assigned to "Anonymous" if you use AJAX outside your domain, but that's a different discussion altogether :)

          Regards,

            • Active Directory and CAL

              Hi Vlad,

              I'm just trying to publish a document in order to anonymous users can access to it using Ajax outside the domain, but always get the same message:

              Access denied! The server (QVS) has no USER CAL for your account. Please contact your system administrator!

              The Server Settings are:

              1.- En QEMC > System > Licenses > QVS@localhost > Client Access Licenses (CALs) > General Allow license lease and Allow dynamic CAL assignment checked.

              2.- En QEMC > System > Setup > Qlikview Web Servers > AccessPoint > Authentication: Never.

              3.- En QEMC > System > Setup > Qlikview Web Servers > AccessPoint > Ajax: Always Anonyous, Prohibit Authentication and Prohibit machine Id checked.

              4.- En QEMC > System > Setup > QlikView Server > Security > Authentication > Allow Anonymous (Anonymous Account: On Domain) y en Authorization > DMS Authorization.

              5.- En QEMC > Documents > User Documents > Authorization. Added Anonymous for the document.


              Any suggestions?

              Regards,

              Mario

                • Active Directory and CAL
                  Vlad Gutkovsky

                  Mario,

                  Yep, this is an easy one. You're forcing anonymous authentication and anonymous users can't use User CALs. This is for obvious reasons--how could you keep track of how many are being used?? So if you have no Session or Usage CALs, you will get that error because the server really doesn't have a CAL for your account.

                  Regards,