15 Replies Latest reply: Apr 4, 2011 6:31 AM by Sébastien Pastor

    About different domain

    isaac li

      Hi,

      I have the following scenario:

      I installed the QV server in domain A whose active directory is LDAP://A

      Now I want to use another domain's account to access QV server. And the LDAP of it is LDAP://B

      I added LDAP://A and LDAP://B in the Active Directory via QEMC, and I have tested that QV server can identify the users of Domain B with the function in QEMC.

      But when I use the account from domain B to visit Access Point, unfortunately, it does not work.

      And if I use the account from domain A, it works.

      It seems domain A could not identify the account of domain B.

      So could you tell me what I can do?

       

      Thanks a ... lot.


      Thanks.

        • About different domain
          Vlad Gutkovsky

          Isaac,

          Are you using IIS or QVWS?

            • About different domain
              isaac li

              Hi,

              I use QVWS, sir.

                • About different domain
                  Vlad Gutkovsky

                  Can you be more specific as to what doesn't work? Is it presenting you with a login prompt? Is authentication failing following the prompt? Assuming you get a login prompt, what is the format of the username you are entering?

                  Try adding the AccessPoint to the client's Intranet and/or Trusted Sites IE zone.

                  Regards,

                    • About different domain
                      isaac li

                      Hi,

                      I take a detailed example:

                      DomainA\UserA belongs to the QV Server's domain.

                      If I use this account to visit Access Point, wherever I use it, it works. Access Point is also in Domain A.

                      But if I use DomainB\UserB to visit it, it does not work; as you said, it prompts for login again and again. It seems the Access Point does not identify the account of DomainB.

                      In the Access point tab, I use NTLM, and as I said before, I have added the LDAP of the Domain B into the Active Directory.

                      And I go to the tab Users of QEMC, I could search the account DomainB\UserB.

                      Why could DomainB\UserB not visit Access Point?

                       

                      Thanks for your support, sir.


                      • About different domain
                        isaac li

                        Hi Vlad Gutkovsky ,

                        Do you have any idea on it? Sorry to push you. But it is very urgent for us.

                         

                        Thanks.

                          • About different domain

                            Qlikview Port needs to be opened for that particular IP.

                              • About different domain
                                isaac li

                                How do I open it, and for which IPs? The IPs of the users?

                                 

                                  • About different domain

                                    Yes, the IPs of the users who are in a different domain.

                                    Port 4747 needs to be opened for them.

                                    Tell your network team to open the port for the IP of the external user.

                                      • About different domain
                                        Vlad Gutkovsky

                                        Well, no, this isn't a port issue. What format are you inputting the username? And, most importantly, in what format did you specify the LDAP string in the DSC? I find that Fully Distinguished format works best. For example, if domain A is northamerica.mycompany.com and domain B is europe.mycompany.com, you would put the strings in the following format: LDAP://DC=northamerica,DC=mycompany,DC=com and LDAP://DC=europe,DC=mycompany,DC=com.

                                        Regards,

                                          • About different domain
                                            isaac li

                                            Hi,

                                            Thanks for your reply, my LDAP of domain B looks like this:

                                            LDAP://A.BC.COM, then I put it into AD like LDAP://DC=A,DC=BC,DC=COM

                                            It still does not work, and on the left, when I type the username and password with DomainB\UserB, it tells me the user name is wrong.

                                            Another thing is what's your Authorization for QV Server, NTFS or DMS?


                                            • About different domain
                                              isaac li

                                              And what should the username type be?

                                                • About different domain
                                                  Vlad Gutkovsky

                                                  Well, your A domain should use an A domain username in the QEMC --> DSC in the format A\Username1 and your B domain should use the username B\Username2, where each username is a domain user on that domain. Your Fully Distinguished LDAP format looks correct, although of course it's hard to tell since I don't know your real domain structure.

                                                  Then from within the QEMC, test to make sure you can browse users on both domains. Authorization is NTFS.

                                                  Assuming that works, when a user goes to the AccessPoint, he should enter the username in the format A\User or B\User. But actually, it shouldn't even prompt him if you set it up correctly. If you see a prompt, then it probably won't work anyway and that most likely means that something in your domain structure has been specified incorrectly.

                                                  Regards,

                                                    • About different domain
                                                      isaac li

                                                      Yes, I did what you told. Maybe this issue is caused by the domain structure.

                                                      And another probable cause is who runs the QlikView Web Server?

                                                      I use DomainA\UserA to run the QlikView Web Server. This account can only access Domain A, not Domain B.

                                                      Is it a problem?

                                                       

                                                      I don't know how to thank you enough. Many thanks Vlad Gutkovsky.

                                                        • About different domain
                                                          Vlad Gutkovsky

                                                          The services account that runs the QVWS doesn't need to be a member of a particular domain, any local admin account (QV Admin too of course) with logon-as-service rights will do. So...after you added the LDAP strings, were you able to browse the users in the QEMC or not? If not, then the problem is with the connection string and/or user account itself. If you were, then yeah, it's a domain structure issue.

                                                          An important thing to keep in mind is what domain the QVS itself belongs to. If it's a member of Domain A, then the default login domain is A.mycompany.com. If you don't specify the LDAP string properly, then it will attempt to authenticate domain B as A.mycompany.com\B.mycompany.com\user, which of course won't work. That's why Fully Distinguished format is preferable--you would want to specify your full LDAP structure in each string.

                                                          Regards,
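Added example (not part of the thread and not QlikView code): a Python syntax check for the directory strings discussed in Vlad's two replies above, telling the Fully Distinguished `DC=` form apart from the DNS-style form and suggesting the conversion. The function names are hypothetical, the sample strings are the ones quoted in the thread, and nothing here contacts a directory.

```python
import re

PREFIX = "LDAP://"
LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")
DC_RDN = re.compile(r"DC=(.+)", re.IGNORECASE)


def dns_to_ldap_path(dns_domain):
    """Turn a DNS domain name into an LDAP path made only of DC= components."""
    labels = dns_domain.strip().rstrip(".").split(".")
    if len(labels) < 2 or not all(LABEL.fullmatch(l) for l in labels):
        raise ValueError(f"not a multi-label DNS domain name: {dns_domain!r}")
    return PREFIX + ",".join(f"DC={l}" for l in labels)


def check_ldap_path(path):
    """Return (kind, suggestion); kind is 'distinguished', 'dns-style',
    'other' or 'invalid'. Only 'dns-style' carries a suggested rewrite."""
    if not path.upper().startswith(PREFIX):
        return ("invalid", None)
    body = path[len(PREFIX):].strip()
    rdns = [DC_RDN.fullmatch(p.strip()) for p in body.split(",")]
    if all(m and LABEL.fullmatch(m.group(1)) for m in rdns):
        return ("distinguished", None)
    try:
        return ("dns-style", dns_to_ldap_path(body))
    except ValueError:
        # Server prefixes, OU=/CN= components and single labels are not judged.
        return ("other", None)


def split_logon_name(name):
    r"""Split DOMAIN\user; a name without a domain part is rejected."""
    domain, sep, user = name.partition("\\")
    if not sep or not domain or not user or "\\" in user:
        raise ValueError(f"expected DOMAIN\\user, got {name!r}")
    return domain, user


if __name__ == "__main__":
    # Sample strings as quoted in the thread.
    for s in ("LDAP://DC=europe,DC=mycompany,DC=com", "LDAP://A.BC.COM", "LDAP://B"):
        print(s, "->", check_ldap_path(s))
    print(split_logon_name("B\\Username2"))
```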

                                                          • About different domain

                                                            Hi Isaac,

                                                            Did you successfully solve this issue?

                                                            If yes, how did you do it?

                                                            Would it be possible to get a copy of the settings, as I'm having the same issue with a customer?

                                                            Regards,

                                                            Sébastien