0 Replies Latest reply: Jul 20, 2012 4:05 AM by Marc Behrens

    Section Access, AD Groups and Kerberos

    Marc Behrens

      Hi everybody,

       

      Yesterday I had the following problem, and because I could not find anything that described my problem properly, I thought I should post the solution, just in case someone else might be looking for it.

       

       

      I was trying to implement section access in an existing qvw document, just as it's described in every tutorial.

       

      LOAD * INLINE [
           ACCESS, NTNAME, GROUP
           ADMIN, domain\grp_admin, 0
           USER, domain\grp_user, 1
      ];

       

      (The "GROUP" field is for data reduction.)

       

       

      There was just one thing: it did not work... If I changed the "NTNAME" information from AD groups to AD usernames like

       

      LOAD * INLINE [
           ACCESS, NTNAME, GROUP
           ADMIN, domain\username, 0
           USER, domain\grp_user, 1
      ];

       

      it worked just fine. First I thought there would be a problem with the way QlikView gets the group information from the AD server, but I was missing the fact that our domain is using Kerberos for authentication, which caused some (at first glance) weird effects.

       

      1) I did not have access to the document at all if I used the first script part.

      2) The next day, I had access, but if I changed my group membership, my rights in the qvw did not change.

       

      The reason was / is that a Kerberos token has a specific duration, and changes made in Active Directory do not take effect until a new token is handed out.

       

      1) I did not have access to the document because I was developing the application and created the AD groups while I was logged on to the development machine. Therefore (from a Kerberos point of view) I was not a member of the newly created groups, even though I added myself on the domain controller.

      2) The next day, I got a new token and had access, but it did not change if I changed my group membership.

       

       

      Long story short:

       

      Affected users (those with a changed group membership) will have to log off and back on to get a new token and the correct rights in the document.

       

       

      Sincerely,

       

      Marc
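
The stale-token effect described in the post can be checked by comparing the groups in the current logon token with the groups the directory reports now. The PowerShell below is an added example, not part of the original post; it assumes it is run in the affected user's session on a domain-joined Windows machine with a domain controller reachable, and `Resolve-SidName` is a helper name made up for this example.

```powershell
# Added example: compare logon-token groups with current Active Directory groups.
# Assumption: run in the affected user's own session on a domain-joined machine.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Resolve-SidName([string]$Sid) {
    # Hypothetical helper: SID string -> DOMAIN\name, or the SID itself if lookup fails.
    try {
        $s = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $s.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$domainSid = $identity.User.AccountDomainSid.Value

# Domain group SIDs fixed in the token when this logon session started.
# Well-known SIDs (Everyone, Authenticated Users, ...) have no domain SID and are skipped.
$tokenSids = @($identity.Groups |
    Where-Object { $_.AccountDomainSid -and $_.AccountDomainSid.Value -eq $domainSid } |
    ForEach-Object { $_.Value })

# Domain group SIDs the directory computes for the same account right now.
$user   = [System.DirectoryServices.AccountManagement.UserPrincipal]::Current
$adSids = @($user.GetAuthorizationGroups() |
    Where-Object { $_.Sid -and $_.Sid.AccountDomainSid -and
                   $_.Sid.AccountDomainSid.Value -eq $domainSid } |
    ForEach-Object { $_.Sid.Value })

# Membership added after logon: in the directory, absent from the token.
$missing = @($adSids    | Where-Object { $tokenSids -notcontains $_ })
# Membership removed after logon: still carried by the token.
$stale   = @($tokenSids | Where-Object { $adSids    -notcontains $_ })

foreach ($sid in $missing) { "In AD, not in token (not effective yet): $(Resolve-SidName $sid)" }
foreach ($sid in $stale)   { "In token, not in AD (still effective):   $(Resolve-SidName $sid)" }

if (-not $missing -and -not $stale) {
    "Token matches the directory."
} else {
    "Token is out of date: log off and back on to get a new one."
}
```

The second kind of line matters for access control: a removed group membership keeps granting access until that session ends.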