May 12, 2021 8:36:25 AM
Oct 31, 2017 11:49:40 AM
The most likely cause of this error after installation, when using SAML, is that Qlik Sense is attempting to use the SHA-256 hashing algorithm and the third-party certificate installed for the Proxy does not have the appropriate Cryptographic Provider.
In order to use SHA-256, a third-party certificate is required, where the associated private key has the provider "Microsoft Enhanced RSA and AES Cryptographic Provider". See the Authentication > SAML signing algorithm section of the documentation "Editing a virtual proxy - Qlik Sense for administrators".
Qlik Sense Enterprise on Windows, all versions
Convert the current certificates to use the correct Cryptographic Provider.
Note: The same conversion steps and how to check for the correct provider are documented under SHA-256 and Converting the Cryptographic Service Provider Type
Needed Items:
Note: Qlik Sense does NOT create CSRs for Certificate Authorities (CA) to create 3rd Party SSL certificates. There are many ways of doing this outside the product. Please consult your CA team for how to request one. Basic instructions are available and provided as-is, outside the scope of Qlik Support, under Qlik Sense: Generating CSR for 3rd Party Certificates.
--
Step 1:
Run from an elevated Command Prompt (CMD): certutil -store -v my > c:\certificate.txt
Step 2:
Search the certificate.txt file for the certificate that will be used for Authentication (the installed 3rd party certificate).
Example of a SHA1 certificate that does not have the proper Cryptographic Provider:
Provider = Microsoft Enhanced Cryptographic Provider v1.0
ProviderType = 1
Unique container name: 67b595f1f5dc08c5b04181220a6a9f6a_13f6a9b2-6308-4b91-b867-c7fe1a974faf
PP_KEYSTORAGE = 1
CRYPT_SEC_DESCR -- 1
KP_PERMISSIONS = 3f (63)
CRYPT_ENCRYPT -- 1
CRYPT_DECRYPT -- 2
CRYPT_EXPORT -- 4
CRYPT_READ -- 8
CRYPT_WRITE -- 10 (16)
CRYPT_MAC -- 20 (32)
Example of the SHA256 certificate that has the proper Cryptographic Providers:
Provider = Microsoft Enhanced RSA and AES Cryptographic Provider
ProviderType = 24
Unique container name: 6c66d03c2de5c8747450e7c12960e4b5_13f6a9b2-6308-4b91-b867-c7fe1a974faf
PP_KEYSTORAGE = 1
CRYPT_SEC_DESCR -- 1
KP_PERMISSIONS = 3f (63)
CRYPT_ENCRYPT -- 1
CRYPT_DECRYPT -- 2
CRYPT_EXPORT -- 4
CRYPT_READ -- 8
CRYPT_WRITE -- 10 (16)
CRYPT_MAC -- 20 (32)
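The check from Steps 1 and 2, as an added PowerShell example (not Qlik's code and not part of the original article): it reads the certutil dump and reports the provider recorded for each certificate. The function name Get-CertProviderReport, the thumbprints and the sample dump are constructed for illustration; the separator and Cert Hash lines are assumed to follow certutil's usual output layout.

```powershell
# Added example, not Qlik code: report the CSP recorded for each certificate in a
# `certutil -store -v my` dump and flag the ones that do not match the required one.
function Get-CertProviderReport {
    param([string[]]$Lines,
          [string]$Required = 'Microsoft Enhanced RSA and AES Cryptographic Provider')
    $certs = @()
    $cur = $null
    foreach ($line in $Lines) {
        if ($line -match '^=+ Certificate (\d+) =+') {
            # Separator line: a new store entry begins.
            $cur = [pscustomobject]@{
                Index = [int]$Matches[1]; Thumbprint = $null
                Provider = $null; ProviderType = $null; Status = $null
            }
            $certs += $cur
        } elseif ($null -eq $cur) {
            continue   # store header printed before the first entry
        } elseif ($line -match '^\s*Cert Hash\(sha1\):\s*(.+)$') {
            $cur.Thumbprint = $Matches[1] -replace '\s', ''
        } elseif ($line -match '^\s*Provider = (.+)$') {
            $cur.Provider = $Matches[1].Trim()
        } elseif ($line -match '^\s*ProviderType = (\S+)') {
            $cur.ProviderType = $Matches[1]
        }
    }
    foreach ($c in $certs) {
        # Decide on the provider name, which is what the documentation requires.
        if (-not $c.Provider) { $c.Status = 'no provider listed' }
        elseif ($c.Provider -eq $Required) { $c.Status = 'OK for SHA-256' }
        else { $c.Status = 'convert provider' }
        $c
    }
}

# Constructed, heavily trimmed sample. For a real check use:
#   $lines = Get-Content C:\certificate.txt
$sample = @'
================ Certificate 0 ================
Cert Hash(sha1): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
  ProviderType = 1
================ Certificate 1 ================
Cert Hash(sha1): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02
  Provider = Microsoft Enhanced RSA and AES Cryptographic Provider
  ProviderType = 24
================ Certificate 2 ================
Cert Hash(sha1): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03
'@ -split '\r?\n'
Get-CertProviderReport -Lines $sample | Format-Table Index, Thumbprint, Provider, Status -AutoSize
```

On the sample, entry 0 is reported as "convert provider", entry 1 as "OK for SHA-256", and entry 2, which has no Provider line, as "no provider listed".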
Note: If the certificate does NOT have Microsoft Enhanced RSA and AES Cryptographic Provider, SAML with SHA256 will NOT work until this provider is used. Qlik does NOT perform this modification; it needs to be done outside the product. The steps below are provided as-is and can be followed as general guidelines.
This example is going to use a 3rd Party tool called OpenSSL (https://wiki.openssl.org/index.php/Binaries - 3rd Party Tool OpenSSL – NOT supported by Qlik). You can also request or make the change by other means.
Step 3:
Converting a PFX file to a PEM file and adding the correct Cryptographic Providers:
Command line:
Step 4:
Step 5:
Special Notes: