8 Replies Latest reply: Oct 5, 2017 9:43 PM by Santhya Muthu RSS

    Qlik Sense 3.2: AD creds from different domain don't redirect to form to login

    Evan Lancaster

      I have a question about authentication. We have our production environment set up so that all users trying to access Qlik (whether they are internal or external) will hit an external load balancer (HAProxy), which will pass the user on to one of our nodes, which are inside a DMZ. We have our virtual proxies set up for Windows authentication, so their AD creds will authenticate them and pass them right on through without having to manually log in. Of course, if their machine is not set up with an AD (or if they're on a Mac), they will be directed to the login screen and prompted for username and password. Everything works great, except for the scenario we have where users from a recent acquisition are now trying to access Qlik, but their machines are still set up with AD credentials from their old company's Active Directory. To be clear -- they have been given AD creds from our company, but they are still using the old creds to log into their local machines. So they try to access Qlik, and since their machine's AD creds (e.g. "oldcompanydomain\username" and "password") match a windows authentication pattern, those creds are passed on, but once they are checked against my company's AD (which has a domain of, for example, "newcompanydomain\"), they are not found. Instead of directing them to a login screen to put in their credentials from the new company, which is what I would expect to happen, they are simply receiving a browser error saying "This page can't be displayed". So they have no way of putting in their new AD creds, and thus no way of accessing Qlik.

       

      FYI:

      1. we are running QS 3.2
      2. for reasons unclear to me (networking newbie here), our infrastructure team has everyone coming in from outside the DMZ, even if they are internal users on our company's domain, which means we can't differentiate the users on our domain from the ones who aren't

       

      I'm probably leaving out some critical information, so feel free to ask for clarifications and I'll do my best to provide any info you might find helpful.

       

      Thanks!

      Evan Lancaster