The Windows Security Event log reports the following event:
event ID 4768, Task Category "Kerberos Authentication Service". Account name for these entries will be "X509N:<S>CN=QlikClient
Resolution:
Without a Multi-Cloud/Hybrid setup
If you are a customer currently not using a Multi-Cloud/Hybrid setup, meaning you are not distributing Apps from Client Managed into SaaS.
Option 1:
- Stop the Qlik Sense Services
- Open the following path: C:\Program Files\Qlik\Sense\Repository\
- Open Repository.exe.config
- Set "EnableDotNetWebSockets" to true.
- If the Qlik Services are running using a non-local administrator account, then bootstrapping needs to be run after the changed configuration. The fix is not supported by Windows 7.
Option 2:
It is possible that the error is still seen after option one is applied. It is found that due to the current architecture following services are triggering the error:
[hybriddeploymentservice]
[appdistributionservice]
[qib-webchat-service]
If the Qlik Sense environment is not using Multi-cloud deployment, you may apply the following workaround by disabling the following two services:
[hybriddeploymentservice]
[appdistributionservice]
To do this:
- Open the file "services.conf" of the Qlik Sense installations (it is typically located at C:\ProgramFiles\Qlik\Sense\ServiceDispatcher).
- Make a backup of "services.conf" file first
- Go to the section defining the service in question by adding the row "Disabled=true" like this:
[hybriddeploymentservice]
Disabled=true
Identity=Qlik.hybrid-deployment-service
DisplayName=Hybrid Deployment Service
ExePath=dotnet\dotnet.exe UseScript=false
[appdistributionservice]
Identity=Qlik.app-distribution-service
DisplayName=App Distribution Service
ExePath=dotnet\dotnet.exe
UseScript=false
- The "Qlik Sense Service Dispatcher" service needs to be restarted for the setting to take effect.
If you are not using Qlik Webchat, you can also disable [qib-webchat-service] by following same steps as above.
With a Multi-Cloud/Hybrid setup
If you are a customer currently using a Multi-Cloud/Hybrid setup, meaning you are distributing Apps from Client Managed into SaaS.
With a multi-cloud setup, there is no complete workaround available as of today. It is important to mention that this is not an issue that affects in any way your security and/or stability of your Client Managed deployment. This is a result of how affected Qlik Sense .NET microservices are handling certificates in .NET Core technology. To address this shortcoming, a significant re-design of current architecture would be required that is currently not in the pipeline, hence would recommend submitting a product ideation.
To limit the number of events in question, if you are not using Qlik Webchat, you can disable [qib-webchat-service] - see step-by-step instructions in the previous section.
Environment:
Qlik Sense Enterprise on Windows
Internal Investigation ID(s):
QLIK-87774, QB-274. Working as intended, please apply the resolution given in this article.
