
HTTP protocol error 401 Monitoring Apps or other app reloads fails with Kerberos Authentication in Qlik Sense Enterprise on Windows


Last Update: Sep 14, 2022 6:38:56 AM

Updated By: Sonja_Bauernfeind

Created date: Sep 27, 2017 7:49:52 AM

If Kerberos authentication is used in Qlik Sense, the following error can be observed:

Error: QVX_UNEXPECTED_END_OF_DATA: HTTP protocol error 401 (Unauthorized).

Kerberos authentication is not supported by the REST connector. The only workaround is not to use Kerberos authentication.

In addition, the License and Operations Monitoring Apps no longer reload when Kerberos is used. Trying to reload them produces the following error:

Error: QVX_UNEXPECTED_END_OF_DATA: HTTP protocol error 401 (Unauthorized):
'Negotiate' authentication schema provided by the web-service is not supported or your credentials are not valid.

 

The reload of the monitoring apps fails whenever Kerberos authentication is enabled, because the REST connector does not currently support Kerberos authentication.
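
An added example, not part of the original article and not Qlik code: a Python parser for WWW-Authenticate challenge headers that flags the case the error message above describes, a 401 whose only offered scheme is Negotiate. The sample responses are constructed, and the `unsupported` default reflects only what this article states about the REST connector; every other scheme is assumed to be answerable by the client.

```python
import re

# RFC 7230 "token" characters, used for scheme and parameter names.
_TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
_PARAM = re.compile(rf"^{_TOKEN}\s*=")                     # name=value
_SCHEME = re.compile(rf"^({_TOKEN})(?:\s+(.*))?$", re.S)   # scheme [token68 | first param]
# A list element: runs of non-comma text and whole quoted-strings (commas inside quotes stay).
_ELEMENT = re.compile(r'(?:[^,"]|"(?:\\.|[^"\\])*")+')


def parse_challenges(header_values):
    """Return [(scheme, [raw params])] for a list of WWW-Authenticate header lines."""
    challenges = []
    for value in header_values:
        current = None
        for part in (p.strip() for p in _ELEMENT.findall(value)):
            if not part:
                continue
            if _PARAM.match(part):          # continuation of the current challenge
                if current is not None:
                    current[1].append(part)
                continue
            m = _SCHEME.match(part)
            if m:                           # a new challenge starts here
                current = (m.group(1).lower(), [m.group(2)] if m.group(2) else [])
                challenges.append(current)
    return challenges


def diagnose(status, header_values, unsupported=("negotiate",)):
    """Classify a response for a client that cannot answer the `unsupported` schemes."""
    if status != 401:
        return "no-challenge"
    offered = [scheme for scheme, _ in parse_challenges(header_values)]
    usable = [s for s in offered if s not in unsupported]
    return ("usable:" + ",".join(usable)) if usable else ("blocked:" + ",".join(offered))


# Constructed sample responses (status, WWW-Authenticate lines); not captured from a real server.
SAMPLES = {
    "kerberos-only": (401, ["Negotiate"]),
    "mixed": (401, ['Negotiate, Basic realm="ops, eu", charset="UTF-8"', "Bearer"]),
    "authenticated": (200, []),
}

if __name__ == "__main__":
    for name, (status, headers) in SAMPLES.items():
        print(name, "->", diagnose(status, headers))
```

A `blocked:negotiate` result corresponds to the reload failure above; a connection routed through an endpoint that offers or accepts another scheme does not hit it.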
 

Resolution

 

There are two ways to address this: either switch the Monitoring Apps to JWT authentication or disable Kerberos entirely.

To swap to JWT Authentication, see Qlik Sense: Modify REST connections for Monitoring Apps to use JWT authentication.

To disable Kerberos instead: 

  1. In the Qlik Sense Management Console, open the Proxy (Central) and choose Edit.
  2. With the Ports properties visible, disable Kerberos authentication (see Fig 1).

    Fig 1


Environment:

Qlik Sense Enterprise on Windows 

Comments
jaishree_Qlik
Partner - Contributor III

Hi,

I have tried implementing this solution and am able to run the hub by modifying the hub URL to https://localhost/jwt/hub/my/work, but when trying to modify the Data Connections for the monitoring apps, it's using JWT and the reload task fails due to a failed Server connection error.

 

 

 

Sonja_Bauernfeind
Digital Support

Hello @jaishree_Qlik 

Did you follow the instructions in Qlik Sense: Modify REST connections for Monitoring Apps to use JWT authentication? If all the instructions were followed as documented, I would recommend posting about this issue in our forums to make use of our active community and support agents monitoring it. The correct forum would be Connectivity & Data Prep.

 

alexey_kozlov
Partner - Contributor

Hello.

This is currently under investigation by R&D for future enhancement.

Any news about this?

Thank you in advance

Sonja_Bauernfeind
Digital Support

Hello @alexey_kozlov 

I've reviewed our internal doc for this and we have no short-term plans for introducing Kerberos support for the REST connector. I would recommend voting for this idea: Kerberos authentication fully working (so also with rest/monitoring connections).

I've updated this article. 

All the best,
Sonja  

diagonjope
Partner - Creator II

Hi @Sonja_Bauernfeind ,

Is it possible to set up a Virtual Proxy that does not use Kerberos using a linked Proxy that is configured to use Kerberos? 

I am asking because we are running into a situation at a customer site using Kerberos.  The customer has a very constrained and controlled vSphere environment where they don't want to create new VMs, but they also want to monitor the usage of their QSEoW platform using the monitoring applications.   

I am trying to avoid creating a new Proxy node VM.  So, I need to find out if one could use their existing Proxy, configured to use Kerberos, with an additional Virtual Proxy configured to use just JWT authentication (for the monitoring apps).  

Please advise.

Cheers,

+José

Sonja_Bauernfeind
Digital Support

Hello @diagonjope 

If you use the workaround described here: Qlik Sense: Modify REST connections for Monitoring Apps to use JWT authentication you will not need a new Proxy, only a new Virtual Proxy.

Hope this helps!

If you need assistance setting this up, I'd recommend posting directly in our forums about it so that you can make use of our active community.

All the best,
Sonja 

diagonjope
Partner - Creator II

Thank you @Sonja_Bauernfeind for your response.

The reason I asked is because, in the case described above in this page, it seems to require disabling Kerberos authentication at the existing Proxy level. So, I wanted to make sure that the workaround proposed, using JWT authentication in a new Virtual Proxy, will work when using a linked Proxy that still has Kerberos authentication enabled.

Furthermore, if we follow the instructions above and disable Kerberos at the Proxy level, will the existing Virtual Proxy configured for Kerberos continue to work as usual?

In any case, we'll give it a shot and see what happens.

Cheers,

++José

Sonja_Bauernfeind
Digital Support

Hmmm, that is a very good point. Let me verify this for you, @diagonjope. I was under the impression it is either or.

Sonja_Bauernfeind
Digital Support

Hello @diagonjope 

You don't need to disable Kerberos if you use the JWT authentication.

All the best,
Sonja 

diagonjope
Partner - Creator II

Hi @Sonja_Bauernfeind !

Just a brief note to let you know that we have a new virtual proxy with JWT enabled working with the instructions provided above (with the exception of disabling Kerberos in the Proxy) and it works fine: the Monitoring Apps are reloading without any problems. 

In view of this, I suggest that the requirement to disable Kerberos that appears in the article should be revised/eliminated, since it may throw off other people as well.

Cheers,

++José
