19 Replies Latest reply: Jan 4, 2012 1:34 PM by Alex Peasley

    Security Issue

      So a customer is having trouble with their security. It was working fine until recently. They are running QV 10 and have

      Authentication: Login

      Type: Ntlm

      Login Address: Alternate login Page

       

      These settings had worked fine when I initially set up the server. Even if I change the authentication to always and default login page, the user is not allowed to login. We modified the <DefaultUrl>http://_/</DefaultUrl> to port 8080. Any ideas why we are having issues?

        • Re: Security Issue
          Miguel Angel Baeyens de Arce

          Hi Alex,

           

          First, are they able to get to the Accesspoint? Are your documents using a section access table with NTNAME within that corresponds to the actual DOMAIN\USERNAME combination for each granted user? And does the QVP://SERVERNAME work?

           

          Check that your browser options (Tools, Internet Options, Security, Custom Level, Automatic Logon...) have the appropriate configuration, so the user is prompted or not and passing his credentials on to the Server.

           

          Did you change anything else apart from the QlikView Server version?

           

          Hope that sheds some light.

           

          Miguel

            • Re: Security Issue

              Accesspoint is up and running just fine. But they cannot view any documents as their username and password fail.

               

              Automatic logon only in intranet zone is set. And was not changed ever. You wouldn't think that would affect it now.

                • Re: Security Issue
                  Miguel Angel Baeyens de Arce

                  Hi Alex,

                   

                  Are all the services running fine in the services.msc console? Does the QVP allow the users to get to the documents? If so, there might be something related to the web server / proxy configuration. If the QVP also fails, maybe something related to the Directory Service Connector is going wrong or some account running the service is not working properly?

                   

                  Hope that helps.

                   

                  Miguel

                    • Re: Security Issue

                      Okay, so they can go to qvp and view and open the documents. So what could be wrong with web server / proxy configuration?

                        • Re: Security Issue

                          When I click on this, it tries to connect to the server on a different domain. Where can I change that?

                           

                          http://servername:4750/qvws.asmx

                            • Re: Security Issue
                              Miguel Angel Baeyens de Arce

                              Hi Alex,

                               

                              Go to the QlikView Enterprise Management Console, System, Setup, QlikView Web Server, expand and select the web server that is not properly configured.

                               

                              Note that all those configurations are stored into .xml files within the C:\ProgramData\All Users\QlikTech folder so you may need to check those files for that string and change there manually, if the server does not apply changes. Check as well, in these Web Server tabs, that the paths to the local folders are correct. Sometimes when upgrading there are some paths from older versions left, and QlikView doesn't know where to go.

                               

                              Hope that helps.

                               

                              Miguel

                                • Re: Security Issue

                                  They haven't upgraded at all. They are running QV10 SR3. Yes we modified the config.xml to change the default url, when we initially installed the software.

                                   

                                  But why can we access QVP://SERVERNAME just fine and open the documents that way? That doesn't make sense to me.

                                    • Re: Security Issue
                                      Miguel Angel Baeyens de Arce

                                      Alex,

                                       

                                      QVP connects directly the client with the Server, avoiding the Web Server. They are two different protocols, and they use two different ports (by default QVP runs in 4747 and Web Server in 80). If the QVP also fails, that means that the client is unable to get to the Server. Then the problems might be associated with network, firewall or proxy software... QVP makes the documents render faster, since there is no tunnelling nor any other transformation, and the data flows directly from client to Server and vice versa.

                                       

                                      But when QVP works, the client can indeed connect to the Server, so the problem must be in the Web Server. There's not a unique answer for these issues. You mentioned above that you changed port to 8080 which is a very usual proxy port. If you are running some proxy software in your network, your NAT routers might not know where to go, or have a fixed or default address... I always test with highest, more unknown ports, unlikely to be in use by other services like 50600 or 65123.

                                       

                                      The Web Server is slower, irrespective of the client you use to render, since it needs to encapsulate the data, which takes longer CPU time and more memory usage. The Web Server might have a different name because of the DNS, some issues with the port 80 that might be in use by, say, a corporate IIS server, paths that have been moved... The QEMC tabs to check are System, Setup, QlikView Server and Web Server.

                                       

                                      The last issue I fixed related to the Server was about folders in the Web Server. For some reason, the QEMC was still keeping two different paths (for version 9 and 10, that was not an upgrade since version 9 was completely removed from the server and all folders moved to a backup). Users could connect by QVP anyway, because the Server was running up and fine, and they had open port 4747.

                                       

                                      Hope that makes sense and helps.

                                       

                                      Miguel

                                        • Re: Security Issue

                                          Okay, thanks for the explanation. Now, what would cause the web server to somehow stop working? Could another application have been started and is now using the QV Web Server Port? Do you think upgrading to SR4 would help at all?

                                            • Re: Security Issue
                                              Miguel Angel Baeyens de Arce

                                              Alex,

                                               

                                              If it's the ports, upgrading won't help at all, you will keep having the same issues. However, having the latest version is always a good idea, since a lot of bugs are fixed every release.

                                               

                                              Depending on how complex your network is, determining where the problem is may take some time. If you have access to the IT people, ask them about new web services, or change the port of the QlikView Web Server to something stranger than 8080.

                                               

                                              Hope that helps.

                                               

                                              Miguel

                                                • Re: Security Issue

                                                  Okay, so we changed the Web Port to 9900. And we are still having the same issues.

                                                   

                                                  Can we change this port?

                                                   

                                                  http://servername:4750/qvws.asmx

                                                    • Re: Security Issue
                                                      Miguel Angel Baeyens de Arce

                                                      Yes, you can change it in the Config.xml file in the WebServer folder. However, this port is only for internal use between the Web Server and the Management Service in QlikView, and it's not used for communication between client and Server. You will need to stop services, change the file (back it up first) then restart services.

                                                       

                                                      Make sure you don't have any proxies that might be preventing traffic from or to that server. Test locally in the server if the Web Server (the Accesspoint) is available to the local admin user that is running the services.

                                                       

                                                      Hope that helps.

                                                       

                                                      Miguel

                                                        • Re: Security Issue

                                                          I'm not a network guy at all, so how would I test if any proxies might be preventing traffic? They say that there aren't any other web services running, but I'm a little skeptical.

                                                            • Re: Security Issue
                                                              Miguel Angel Baeyens de Arce

                                                              Alex,

                                                               

                                                              The proxy settings are set in the Control Panel, Internet Options, Connections, LAN Settings. Usual proxy ports are 8080, 8088, 3128, 8000 and Google will return a huge list.

                                                               

                                                              Another option to test whether or not web services are running is to run any telnet application, the one that comes with Windows is OK, and use

                                                               

                                                              telnet servername port

                                                               

                                                              If the screen goes blank, that usually means that there is a service running in that port. To test the Accesspoint, although you won't see anything, once you have entered the above and the blank screen appears, type

                                                               

                                                              HEAD /qlikview/index.htm HTTP/1.0 (enter key) (enter key)

                                                               

                                                              That will return a standard HTTP error (404 if the page is not there, 200 if ok, etc) and some information on the Server that is running.

                                                               

                                                              Hope that helps.

                                                               

                                                              Miguel
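
The telnet check described in the reply above, as an added Python example that is not part of the original thread: it sends the same HEAD request and also reports which authentication schemes the web server offers. The sample reply and its server name are constructed, and `parse_head_reply` and `probe` are names chosen here.

```python
import socket

# Constructed sample reply, for illustration only (not captured from a real server).
SAMPLE_REPLY = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Server: ExampleWebServer/1.0\r\n"
    b"WWW-Authenticate: NTLM\r\n"
    b"WWW-Authenticate: Negotiate\r\n"
    b"Content-Length: 0\r\n\r\n"
)

def parse_head_reply(raw):
    """Return status code, Server header and offered auth schemes from a raw HTTP reply."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        # Something answered on the port, but it is not a web server.
        raise ValueError("not an HTTP reply: %r" % lines[0])
    result = {"status": int(parts[1]), "server": None, "auth_schemes": []}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name, value = name.strip().lower(), value.strip()
        if name == "server":
            result["server"] = value
        elif name == "www-authenticate" and value:
            # The header may repeat; keep only the scheme token (NTLM, Negotiate, Basic).
            result["auth_schemes"].append(value.split()[0])
    return result

def probe(host, port, path="/qlikview/index.htm", timeout=5.0):
    """Send the same HEAD request as the telnet test; None means nothing answered."""
    request = "HEAD {} HTTP/1.0\r\nHost: {}\r\n\r\n".format(path, host).encode("ascii")
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            chunks = []
            while True:  # HTTP/1.0: the server closes the connection after replying
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
    except OSError:
        return None
    return parse_head_reply(b"".join(chunks))

if __name__ == "__main__":
    print(parse_head_reply(SAMPLE_REPLY))
```

Running `probe("servername", port)` from the server itself and from a client machine, then comparing the `server` value and status, shows whether both reach the same web server or whether something else answers on that port from the client side.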

                                                                • Re: Security Issue

                                                                  I will try those. Could this be a license issue at all? I didn't think so, since they can view documents at qvp@servername. The sales rep is questioning whether the licenses are wrong.....

                                                                    • Re: Security Issue
                                                                      Miguel Angel Baeyens de Arce

                                                                      Alex,

                                                                       

                                                                      A licensing issue would make your documents unavailable to the user regardless of whether he or she used the QVP or HTTP protocol, since a license is always assigned to a valid user in the security directory (whether Windows Active Directory or not): if the user gets through QVP the license is assigned. Licenses are not assigned to one particular protocol or client. Both QVP and HTTP support User CALs and Document CALs, and as far as I know, QVP is working fine.

                                                                       

                                                                      Anyway, it shouldn't take too long to verify that licensing is not an issue, if your sales rep sends you the number or you go yourself to the QEMC, System, Licenses, Server License and click on the Update from Server button. Before that, back up the folder C:\ProgramData\AllUsers\QlikTech that stores licenses information and Server configuration and logs.

                                                                       

                                                                      Hope that makes sense.

                                                                       

                                                                      Miguel

                                                                        • Security Issue

                                                                          I've got a ticket open with QlikView Support. This was their response. Wouldn't the Active Directory Connector have to be broken for this option to work?

                                                                           

                                                                          "It looks like either there was a domain level security change or the service account that accesses the AD lost privileges."

                                                                            • Security Issue
                                                                              Miguel Angel Baeyens de Arce

                                                                              Again, that seems difficult since the user must be authenticated to get the license, and the rest of services are running fine (QEMC, reloads, etc.). But the thing is that, for some circumstance, the user cannot log into the Accesspoint. I'd bet on a network, proxy, router, firewall issue rather than a security issue.

                                                                               

                                                                              It's tricky anyway, because are the users unable to log in because of lack of permissions in the IIS or Web Server (they do have enough permissions to get to the Server) or because the Web Server is not (or does not point) where it's supposed to be (paths)?

                                                                               

                                                                              Miguel