0 Replies. Latest reply: Jan 23, 2013 10:51 AM by Julien Dournon

    Disabling Anonymous Logon (I mean, really)

      Hi everyone,

       

      We've got a problem with anonymous authentication in QlikView.

      I want to make it REALLY impossible to do, but I found a case where the user is logged in as an Anonymous User even though I did all I could to avoid that.

       

      To make it clear, I have to describe all the stuff we have and why.

       

      We have 3 servers: 1 QVS+QMC / 1 QVWS+QDC / 1 QVPublisher.

      Everything works fine: connection through the AccessPoint, working with applications, reloading, distributing, direct access to documents through QV OCX, connection to our AD via QDC for authentication, etc.

       

      The only point is: as we are an IT hoster (Application Provider), we have a lot of different customers in our Datacenter, and security is their deepest fear as their data is inside our walls. So if they could access our AccessPoint anonymously, they could think we are not trustworthy.

      In order to avoid that:

      • the applications have NTFS rights which are based on our AD, and just for the people concerned.
      • the folders where the apps are stored have just the AD group of the customer concerned enabled in NTFS Rights Mgmt.
      • the servers are inside our LAN, no accessibility from outside EXCEPT for the AccessPoint, with one URL on https (443) redirected through STunnel on http (80) on our QVWS.
      • On QMC:
        • For QVS: "prohibit Anonymous"/ "Anonymous Account" (Either Domain or Local Computer doesn't make any difference)/NTFS Authorization.
        • For QVWS: "Authentication Always" / "Type NTLM" / "Default Login Page"

       

      I even changed some GPOs for the QV servers (Disabling Anonymous SID/Name, Disabling Anonymous Rights = Everybody Rights, etc.)

       

      BUT if I try to log on my AccessPoint using a blank ID and no Password:

          • On IE and Safari: access denied. I've got a "login failed" message, or another prompt to give good credentials. That is the way it should work. Surprisingly, the good students are Apple and Microsoft.
          • On Chrome/Opera/Firefox, I am immediately logged in as "NT AUTHORITY\ANONYMOUS LOGON"... That is what I don't want.

       

      I did my test with 3 computers: my own Win 8, a VM with Win 7 and an OpenSuse.

      With a Linux PC, the anonymous access with blank ID is not allowed (even with Firefox). It makes me think that the 3 bad guys (Chrome, Opera, Firefox) take the local Anonymous user of the PC, and pass it to the QVWS, which asks no question and logs in as Anonymous...

       

      To try a deeper test, I installed Lunascape6, a browser permitting to change "on the fly" the internet rendering engine, from Trident (IE), Gecko (Firefox) and WebKit. With IE and WebKit: no problem, Anonymous is forbidden. With Gecko: "Welcome, NT AUTHORITY\ANONYMOUS LOGON"

      So, the problem is between the Gecko rendering engine and QVWS. But I don't know what to do.

       

       

      In terms of security, no application could be accessed, I took care of checking all NTFS rights, so no one who is not logged in could ever access QV apps (or so I hope... It seems OK).

      But to have something on our architecture which could be accessed anonymously is not really soothing for our customer. And for us too, in fact. (For me, except for public FTP, an "anonymous" application is just an IT aberration).

      And moreover, why have we got a "prohibit Anonymous" option in the QMC if it allows it anyway?

       

      We use the native QlikView Web server, and we don't want to change (no IIS).

      We use NTFS rights because it is much simpler for us to do so (in terms of administration, as we are App Services Providers, our own ERP using its own right management in relation with AD).

      We want NTLM Authentication for AD compatibility without making development, even if this means no compatibility with Android integrated internet browser.

      These are the points we cannot change.

       

      Any idea to definitely stop this Anonymous logon and force users to enter a valid login/password?

      (Except modifying the Client Browser, because it will not resolve my problem)

       

      Thanks.

       

      Julien, Proginov
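
Added example, not part of the original post and not QlikView code: the NTLM protocol (MS-NLMP) defines an anonymous form of the final Type 3 message, so a check like the one below, run over `Authorization` headers captured at the STunnel/QVWS hop, shows whether a given browser is sending it for a blank login. The function names and the sample messages are constructed for illustration.

```python
import base64
import struct

NTLMSSP_ANONYMOUS = 0x00000800  # NegotiateFlags bit set for anonymous connections

def _field(msg, pos):
    """Return the payload bytes described by the (Len, MaxLen, Offset) triple at pos."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field points outside the message")
    return msg[offset:offset + length]

def classify_authorization(header_value):
    """Classify an HTTP Authorization header: 'anonymous', 'credentialed' or 'not-type3'."""
    scheme, _, token = header_value.strip().partition(" ")
    try:
        msg = base64.b64decode(token.strip(), validate=True)
        if scheme.upper() != "NTLM" or len(msg) < 64 or msg[:8] != b"NTLMSSP\0":
            return "not-type3"
        if struct.unpack_from("<I", msg, 8)[0] != 3:   # 3 = AUTHENTICATE_MESSAGE
            return "not-type3"
        lm, nt, user = _field(msg, 12), _field(msg, 20), _field(msg, 36)
    except ValueError:                                  # bad base64 or bad offsets
        return "not-type3"
    flags = struct.unpack_from("<I", msg, 60)[0]
    # MS-NLMP anonymous case: no user name, no NT response, LM response empty or one zero byte.
    empty_creds = not user and not nt and lm in (b"", b"\0")
    return "anonymous" if empty_creds or flags & NTLMSSP_ANONYMOUS else "credentialed"

def build_type3(user, nt, lm, flags=0):
    """Constructed test input: pack a minimal Type 3 message (no Version or MIC)."""
    header, payload, offset = b"NTLMSSP\0" + struct.pack("<I", 3), b"", 64
    for part in (lm, nt, b"", user, b"", b""):  # LM, NT, domain, user, workstation, key
        header += struct.pack("<HHI", len(part), len(part), offset)
        payload += part
        offset += len(part)
    blob = header + struct.pack("<I", flags) + payload
    return "NTLM " + base64.b64encode(blob).decode("ascii")

# Constructed samples: a blank-credential login and a login carrying a user name and response.
ANON = build_type3(b"", b"", b"\0", NTLMSSP_ANONYMOUS)
NAMED = build_type3("jdoe".encode("utf-16-le"), b"\x11" * 24, b"\x22" * 24)

if __name__ == "__main__":
    for label, value in (("blank", ANON), ("named", NAMED)):
        print(label, "->", classify_authorization(value))
```

A front end that sees "anonymous" here can answer 401 again instead of forwarding the request, which keeps the decision on the server side rather than in the client browser.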