6 Replies Latest reply: Feb 8, 2017 11:58 AM by Joan Marty

    Configure User Directory to Azure LDAP

    Brett Odom

      We've set up Qlik Sense on a server, and are experimenting with trying to configure it to connect to Azure Active Directory. We followed all of the instructions in the Azure article "Configure Secure LDAP for an Azure AD Domain Services Managed Domain" (Configure Secure LDAP (LDAPS) in Azure AD Domain Services | Microsoft Azure). We've got an AD setup on Azure, and we created a wildcard certificate with a Certificate Authority (GoDaddy). So with a domain for the company of 'example.com', the wildcard cert is '*.example.com'. We exported this certificate from the Qlik Sense server per the instructions in the Azure article, loaded it into the Domain Services configuration panel on Azure, and received an IP address for LDAPS.

       

      We then configured a DNS A record so that the subdomain ('ldap.example.com') points to this IP address. When we run a scan on the IP and the DNS alias at MXtoolbox.com we get a valid scan showing the IP address is there, with only port 443 open (https).

       

      Now over to Sense: in the QMC -> User Directory Connector, we can't manage to figure out how to connect to the LDAP server. Do we need to set up a virtual proxy to bind the certificate?

       

      Typical log entries:

       

      41	20160922T064554.973-0700	INFO	demoqlik	UserManagement.Repository.Repository.Users.Factories.UserDirectoryFactory	107	09c1532a-ef60-429b-a182-e9c6cc279af1	NT AUTHORITY\SYSTEM	Looking up RootDSE: LDAP://ldap.example.com:443/RootDSE	09c1532a-ef60-429b-a182-e9c6cc279af1
      42	20160922T064555.038-0700	ERROR	demoqlik	UserManagement.Repository.Repository.Users.Factories.UserDirectoryFactory	107	c7e246ce-b5a1-411e-a895-6673bda08f91	NT AUTHORITY\SYSTEM	Fetching directoryentry LDAP://ldap.example.com:443/RootDSE failed: The directory service is unavailable.	c7e246ce-b5a1-411e-a895-6673bda08f91
      43	20160922T064555.038-0700	ERROR	demoqlik	UserManagement.Repository.Repository.Users.Factories.UserDirectoryFactory	107	ac0c1648-b9d9-4174-8020-8cc654beaf1d	NT AUTHORITY\SYSTEM	Exception while initializing ldap://ldap.example.com:443: Setting up connection to LDAP root node failed. Check log file.	ac0c1648-b9d9-4174-8020-8cc654beaf1d
      44	20160922T064555.038-0700	WARN	demoqlik	UserManagement.Repository.Repository.Users.Factories.UserDirectoryFactory	107	414351f5-62d9-4f41-bd8c-bffd56948887	NT AUTHORITY\SYSTEM	Setup of ActiveDirectory UDC not successful: Setting up connection to LDAP root node failed. Check log file.	414351f5-62d9-4f41-bd8c-bffd56948887
      45	20160922T064555.038-0700	WARN	demoqlik	UserManagement.Repository.Repository.Users.Factories.UserDirectoryFactory	33	ffc751e2-16d6-4fb0-bd5d-dbf01404171c	NT AUTHORITY\SYSTEM	Setting up UDC of type Repository.UserDirectoryConnectors.LDAP.ActiveDirectory unsuccessful	Setting up connection to LDAP root node failed. Check log file.
      Server stack trace:
         at Repository.UserDirectoryConnectors.LDAP.LDAPRoot.FindEntry(String path, GenericLDAP ldap)
         at Repository.UserDirectoryConnectors.LDAP.ActiveDirectory.FindRoot()
         at Repository.UserDirectoryConnectors.LDAP.GenericLDAP.Setup(Logger logger)
         at System.Runtime.Remoting.Messaging.StackBuilderSink._PrivateProcessMessage(IntPtr md, Object[] args, Object server, Object[]& outArgs)
         at System.Runtime.Remoting.Messaging.StackBuilderSink.AsyncProcessMessage(IMessage msg, IMessageSink replySink)
      Exception rethrown at [0]:
         at System.Runtime.Remoting.Proxies.RealProxy.EndInvokeHelper(Message reqMsg, Boolean bProxyCase)
         at System.Func`1.EndInvoke(IAsyncResult result)
         at Repository.Users.SafeUserDirectoryConnector.CallWithTimeout[T](Func`1 func, TimeSpan timeout)
         at Repository.Users.SafeUserDirectoryConnector.Setup(Logger logger)
         at Repository.Users.Factories.UserDirectoryFactory.TrySetupUserDirectory(UserDirectory userDirectory)	ffc751e2-16d6-4fb0-bd5d-dbf01404171c

       

      Confused, would appreciate any assistance or ideas. Thank you!
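
An added triage example, not part of the original post and not Qlik's code: it pulls the LDAP URLs out of User Directory Connector log text like the entries above and reports any whose port differs from the IANA-registered one for its scheme (389 for ldap, 636 for ldaps). The function names are hypothetical and the sample lines are constructed by abridging the log text in the post.

```python
import re
from urllib.parse import urlsplit

# IANA-registered defaults: LDAP 389, LDAP over TLS (LDAPS) 636.
STANDARD_PORTS = {"ldap": 389, "ldaps": 636}
# Ports registered to other protocols, named in the finding when hit.
OTHER_PROTOCOLS = {80: "HTTP", 443: "HTTPS"}
URL_RE = re.compile(r"ldaps?://[A-Za-z0-9.-]+(?::\d+)?", re.IGNORECASE)

# Constructed sample: two entries abridged from the log text in the post.
SAMPLE_LOG = (
    "INFO demoqlik Looking up RootDSE: LDAP://ldap.example.com:443/RootDSE\n"
    "ERROR demoqlik Exception while initializing ldap://ldap.example.com:443: "
    "Setting up connection to LDAP root node failed. Check log file.\n"
)

def extract_ldap_urls(log_text):
    """Unique (scheme, host, port) tuples, in order of first appearance."""
    found = []
    for match in URL_RE.finditer(log_text):
        parts = urlsplit(match.group(0).lower())
        entry = (parts.scheme, parts.hostname, parts.port)
        if entry not in found:
            found.append(entry)
    return found

def check_endpoint(scheme, host, port):
    """Return findings for a scheme/port pairing; empty list means standard."""
    expected = STANDARD_PORTS[scheme]
    effective = expected if port is None else port
    if effective == expected:
        return []
    note = (f"{scheme}://{host} uses port {effective}; "
            f"registered {scheme} port is {expected}")
    if effective in OTHER_PROTOCOLS:
        note += f" (port {effective} is registered for {OTHER_PROTOCOLS[effective]})"
    return [note]

def triage(log_text):
    """Map each LDAP URL seen in the log to its findings."""
    return {
        (f"{s}://{h}:{p}" if p else f"{s}://{h}"): check_endpoint(s, h, p)
        for s, h, p in extract_ldap_urls(log_text)
    }

if __name__ == "__main__":
    for url, findings in triage(SAMPLE_LOG).items():
        print(url, "->", findings or "standard scheme/port pairing")
```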