Hi QlikTech, VladG, and fellow QlikView developers,
My Question: When running in Internet Explorer (IE), do you know of a way to force the ZFC to use the *supplied Ticket*, rather than the windows authentication data if it is available? For example, is there some configuration or setting (or code-change to an aspx file in the QlikViewAjax folder) that can be made, in order to instruct the ZFC to always ignore the Windows logged in user-name?
Background: We are building a system where the user-authentication in QlikView does not make use of Active Directory (AD), NTFS, Windows Login, etc.. instead, we have a separate single-sign-on (SSO) source of users, and we are relying on DMS to handle authentication on the QlikView side of things. We are using the AJAX zero footprint (ZFC) client. Things are working out mostly very well. We made many attempts and tried various combinations of settings with the hope of resolving this issue on our own, prior to seeking assistance here.
Problem: In an Intranet environment (or same-machine environment), when the browser is IE, our GetTicket/OpenDoc logic works fine and the document renders fine when the user is logged into Windows as a user who is part of the "QlikView Administrators" group... GOOD. Also when the browser is FireFox (FF), the logic works fine when the user logged into Windows is part of the "QlikView Administrators" group... GOOD. Continuing, when the browser is FF, the logic works fine when the user is NOT part of the "QlikView Administrators" group... VERY GOOD. But when the browser is IE and the user is NOT part of the "QlikView Administrators" group, even with a legitimate Ticket supplied, the logic fails and the ZFC fails to display the document in the browser (it is blank)... PROBLEM.
My Comments: I understand that IE behaves differently than FF in that IE supports "Integrated Windows Authentication", where it detects and trusts the user logged into Windows. It seems as though, when IE finds there is a user logged into Windows, the ZFC ignores the supplied Ticket and instead attempts to open the document using the credentials of the logged in user. In our realistic situation where the logged in user running IE is not part of the "QlikView Administrators" group, we need the ZFC to honor the supplied Ticket and use *that* to retrieve the document, rather than the name of the logged in user. (In QEMC, we do not and cannot add to the Document Authorization every possible Windows user-name that may connect to the system; we are adding Document Authorization for only our SSO user-names, and in a separate process retrieving Tickets based on those names.)
A. IE, Windows logged in user is part of the "QlikView Administrators" group: the document displays.
B. PROBLEM: IE, Windows logged in user is NOT part of the "QlikView Administrators" group: no document displays. (When the user browses from a different machine over IIS to QVWEBSERVER, the document displays the top tabs then error message: "Lost connection to server. Reconnecting…", then "No connection" popup.)
C. FF, Windows logged in user is part of the "QlikView Administrators" group: the document displays.
D. FF, Windows logged in user is NOT part of the "QlikView Administrators" group: the document displays.
Environment: Windows Server 2008 R2, QVSERVER version 10, IE version 8.0, FF version 4.0.
Configuration: Server - DMS Authentication, QlikView Web Server - Authenticate NEVER, GetTicket.aspx/opendoc.htm, Client - AJAX zero footprint.
Many thanks in advance for your time and any ideas you might have!
D.Will, ATP Engineering