In some situations the authentication protocol between QlikView Server and Webserver needs to be changed. Default protocol is negotiated to Kerberos which may be prohibited for communication between services within some domains, causing connectivity issues between QlikView Server and Webserver.
This may result in a "Loading Content" getting stuck when loading AccessPoint or the Webserver being disconnected in QlikView Management Console (although service is running).
Usually it works to connect by IP-address, but not with SERVERNAME (NETBIOS name) or SERVERNAME.DOMAIN.COM (Fully Qualified Name)
This is an authentication issue between the QlikView Server and the Webserver. This is usually caused by the users domain having not been configured for Kerberos properly, or prohibiting certain connections.
The term Negotiate means that the Webserver is negotiating between NTLM and Kerberos. Removing Negotiate forces the Webserver to use NTLM.
This guide is to enable a way to work around issues caused by Kerberos mailfunctioning. The root cause to Kerberos not working needs to be addressed by the internal IT department.
For QlikView Webserver:
In IIS 7 and 7.5 (Windows Server 2008 R2) this can be done within the menus:
- Open up the file config.xml with administrative privilegies in the directory C:\ProgramData\QlikTech\WebServer\ (Windows Server 2008 R2) or C:\Documents and Settings\All Users\Application Data\QlikTech\WebServer (Windows Server 2003). If the file is not opened with administrative privilegies, it won't save in the folder and force you to save it to the Desktop or similar.
- Locate the line <QvsAuthenticationProt>Negotiate</QvsAuthenticationProt>. It is usually located on row 13.
- Change the line to <QvsAuthenticationProt>NTLM</QvsAuthenticationProt>.
- Save and restart the QlikView Webserver Service.
What needs to be done is to remove "Negotiate" from available Providers from within the IIS.
This guide assumes that IIS and QlikView Server with IIS settings is already installed.
- Open up IIS Manager from Administrative Tools menu.
- Go to the local machine
- Go to "Sites"
- Go to "Default Web Site"
- Go to "QvAjaxZfc"
- Press "Content View", and you should see Authenticate.aspx which is the file used for Authenticating users.
- Right click on file, choose "Switch to Features View". You should now see the Authenticate.aspx page selected to the left in the menu.
- Open up "Authentication" under the IIS section. Make sure you're still configuring Authenticate.aspx.
- Only "Windows Authentication" should be enabled among available Authentication methods.
- Right click on "Windows Authentication" and chose "Providers".
- Now remove "Negotiate", press "OK" and see if it works better.
This may needed to be done on the following Application directories as well apart from just being applied to the "Authenticate.aspx" file:
Normally though, this should should not be required.In IIS 6.0 (Windows Server 2003) this needs to be done from the command prompt:
- Open up C:\Windows\System32\inetsrv\MetaBase.xml with Notepad
- Within the file, if using default settings, search for: <IIsWebVirtualDir Location ="/LM/W3SVC/1/ROOT/QvAjaxZfc"
- This is a reference to the virtual directory holding QvAJAXZfc, with specific settings for this directory.
- Add NTAuthenticationProviders="NTLM". It should look like this after adding the string:
- Restart the Application Pools.
It might be needed to add/move this string to:
- Other virtual directories, such as QlikView and QvPlugin
- The full webserver, in that case the setting should be under <IIsWebServer Location ="/LM/W3SVC/1"
Normally though, this shouldn't be required.
More IIS 6.0 information: http://support.microsoft.com/kb/215383http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/7258232a-5e16-4a83-b76e-11e07c3f2615.mspx?mfr=true