6 Replies Latest reply: Nov 3, 2011 9:57 AM by Jeffrey Goldberg RSS

    Header Authentication Type - Implementation

    Muralidhar Koti

      Hi All,

       

      The have the following QlikView set-up on my production environment.

       

      QlikView Web Server :

      Authentication Type -> Header

       

      QlikView Server:

      Authetication -> Allow Annonymous

      Authorization -> DMS Authorization

       

      Directory Service Connectors:

      Active Directory -> to th LDAP path of our AD

       

      Publisher Distribution:

      A publisher task has been created to reload and distribute QlikView documents to users. The current set-up is to distribute to a mount folder and give access to a AD group

       

      SAN Storage:

      This is where all QlikView files (system/user) are stored and this has read access to every one.

       

      CALs:

      We have three types of CAL (User, DOC and Session)

       

      We have two types of users who would be accessing the QlikView access point

       

      1. Internal Users (Accessed with in the company network)

      These users gets authenticated based on their network id (domainname\username). As we are distributing the dashboards to an AD groups, these users are able to access the documents without any issues (as per their AD group)

       

      2. External Users (Accessed outside the company network)

      These users first get a custom login page designed in .Net and on successful authentication, the user name (stored in a oracle table) will be passed to the header of. The header authentication type of web server handles this. But the issue I am having here is, how can I read these user names from Oracle table and use in my publisher task to distribute based on oracle user name as well. That is, I want my documents to be published for both AD users as well as Oracle table user names.

       

      I learned that I can use 'Configurable ODBC' option for this, but not able to configure my Oracle table (User_Master) as 'Configurable ODBC'.

       

      Could you please guide me on how can I configure my QV server to distribute documents to both AD and Oracle table users?

       

      Regards,

      Murali

        • Header Authentication Type - Implementation
          Lars Helmer

          if you can't get the configurable odbc plugin to work for oracle one option is to write your own plugin tailormade for oracle. another option could be to replicate the oracle users into the custom users database.

           

          cheers

            • Header Authentication Type - Implementation
              Muralidhar Koti

              I tried to configuring the users under custom users (part of Custom Directory), but it is prefixing the user names with domain. For example if I create a custom directory with name 'ExternalUsers', then all user names are coming like 'ExternalUsers\username'. this is not the same as the ones that comes as part of the header.

                • Header Authentication Type - Implementation

                  Hi Muralidhar,

                   

                  I've done a lot with Configurable ODBC, though not with Oracle.  I think we need to walk through your config soup to nuts to see where the bottlenecks may be.

                   

                  If I understand your configuration, you have an AD, but you also have an Oracle table that you are holding user names in.

                   

                  There are a lot of steps to get the header injection working properly, and they aren't all documented very well.

                   

                  Questions:

                  What Windows Server version are you using and if you are using IIS, what version of IIS?

                   

                  Are you using QlikView WebServer or IIS to connect to the QlikView documents?

                   

                  If IIS, do you have the virtual directory settings configured for QlikView folders?  What do the virtual path configs look like?

                   

                  Are you using a domain account for running the QlikView services?  If so, is this domain account a member of Administrators, QlikView Administrators, and IIS_WPG (if using IIS) and are the virtual paths set up to use this domain account for anonymous authentication?

                   

                  Do you have an IQVS_%ServerName% account on the QlikView Server?  Is it part of QlikView Administrators and IIS_WPG (if using IIS)?

                   

                  What does your configurable ODBC connection to Oracle override string look like?

                   

                  I'm currently working on a document with my experiences upgrading to QlikView 10 SR2 with configurable ODBC and header injection.

                   

                  Let's start with answers to these questions and perhaps we set up a web ex to go through your config and see if we can get it working.

                   

                  Cheers,

                   

                  Jeff G

                    • Header Authentication Type - Implementation
                      Lars Helmer

                      just a quick question jeffrey,

                       

                      why would you want IQVS_%servername% to be member of qlikview administrators or IIS_WPG?

                       

                      cheers

                      • Header Authentication Type - Implementation
                        Muralidhar Koti

                        Please find my responses below

                         

                        Questions:

                        What Windows Server version are you using and if you are using IIS, what version of IIS?

                        [Res]: Windows 2008 64 bit. I am not using IIS

                         

                        Are you using QlikView WebServer or IIS to connect to the QlikView documents?

                        [Res]: I am using QlikView web server

                         

                        If IIS, do you have the virtual directory settings configured for QlikView folders?  What do the virtual path configs look like?

                        [Res]: Not using IIS

                         

                         

                        Are you using a domain account for running the QlikView services?  If so, is this domain account a member of Administrators, QlikView Administrators, and IIS_WPG (if using IIS) and are the virtual paths set up to use this domain account for anonymous authentication?

                        [Res]: Yes. We are using a domain account to run QlikView services. The domain account is a member of Administrators and QlikView Administrators. I am not sure about the anonymous authentication you have mentioned.

                         

                        Do you have an IQVS_%ServerName% account on the QlikView Server?  Is it part of QlikView Administrators and IIS_WPG (if using IIS)?

                        [Res]: I have a IQVS_%ServerName% account in server but it is not part of QlikView Administrators

                         

                        What does your configurable ODBC connection to Oracle override string look like?

                        [Res]: I haven't set this property

                         

                        I'm currently working on a document with my experiences upgrading to QlikView 10 SR2 with configurable ODBC and header injection.

                          • Header Authentication Type - Implementation

                            hi,

                             

                            as for the IQVS account, I found I couldn't connect anonymously until the IQVS account was a member of both of these groups.

                             

                            As for the configurable ODBC for Oracle, in order to get it to work you have to do one of two things:

                            1.  Fill out the fields for the configurable odbc with the information listed in a file or system dsn you have created on the server, leaving the override string blank.

                            2. Fill out the override string, and populate it with the connection string to your oracle db (creates a dsn-less connection)

                             

                            In addition, you need to supply the Directory Label, field name for the entity name, the entity table name, the groups table name.

                             

                            odbcpic.bmp

                            if you need the oracle connection string, go to www.connectionstrings.com to find it.

                             

                            Keep in mind, for group resolution to work at this time, the entityid field of your entity table, and the memberid and groupid fields in the group table cannot contain values greater than max(int), or 2.1 billion, because there is a bug in the group resolution code that doesn't allow numbers larger than that size to be resolved.

                             

                            jg