
Kerberos support using QlikView Webserver

Sonja_Bauernfeind
Digital Support

Last Update: May 7, 2021 10:13:27 AM
Updated By: Sonja_Bauernfeind
Created date: Oct 5, 2012 5:02:46 AM

By default, authentication between web clients and QlikView Webserver is performed using NTLM.
To allow Kerberos authentication between clients and the web server, the authentication scheme for QlikView Webserver must be changed. In addition, the required Service Principal Names (SPNs) must be registered on the service account running QlikView Webserver.

Note: Kerberos is not supported for the QMC; see "Kerberos Authentication and QlikView: Login Failed or This web page cannot be displayed" for more information.

Environments:

 

Resolution:

 

Changing authentication scheme for QlikView Webserver

  1. Locate the file config.xml in %ProgramData%\QlikTech\WebServer
  2. Open config.xml for editing
  3. Locate the HttpAuthentication section for the file Authenticate.aspx in config.xml
  4. Change the scheme from "NTLM" to "Negotiate"
    Before:
    <HttpAuthentication url="/QvAJAXZfc/Authenticate.aspx" scheme="NTLM" />
    After:
    <HttpAuthentication url="/QvAJAXZfc/Authenticate.aspx" scheme="Negotiate" />
  5. Save config.xml

Register Service Principal Names on service account running QlikView Webserver

Note: The following will require appropriate permissions in Active Directory to add Service Principal Names on the account running QlikView Webserver.

A Service Principal Name may be registered using the following command:

setspn -A http/HOST serviceaccount

where:

HOST is the name of the server hosting QlikView Webserver
serviceaccount is the account running QlikView Webserver.

Note: If running Windows Server 2008, Windows Server 2008 R2 or Windows Server 2012 it is recommended to instead use the following syntax:

setspn -U -S http/HOST serviceaccount
 

For more information see: http://technet.microsoft.com/en-us/library/cc731241.aspx

Two Service Principal Names must be registered on the service account: one using the NetBIOS name of the computer hosting QlikView Webserver and one using the Fully Qualified Name of the server.
In this example the NetBIOS name of the server hosting QlikView Webserver is "qvs1", the Fully Qualified Name is "qvs1.companyx.local" and the account used by QlikView Webserver is "COMPANYX\qvssvc".

  1. Open a command prompt with administrative privileges and type:

    Windows Server 2003
    setspn -A "http/qvs1" "COMPANYX\qvssvc"
    setspn -A "http/qvs1.companyx.local" "COMPANYX\qvssvc"

    Windows Server 2008 / R2 and Windows Server 2012
    setspn -U -S "http/qvs1" "COMPANYX\qvssvc"
    setspn -U -S "http/qvs1.companyx.local" "COMPANYX\qvssvc"

  2. Restart QlikView Webserver after successfully registering the Service Principal Names


For more information about Service Principal Names see: http://technet.microsoft.com/en-us/library/cc961723.aspx
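
The following PowerShell check verifies both changes described above. It is an added example, not part of the original article or a Qlik-provided script, and is worth re-running after anything that rewrites config.xml. It assumes the article's example values (qvs1, qvs1.companyx.local, COMPANYX\qvssvc) and that config.xml declares no default XML namespace.

```powershell
# Added example: confirm the Negotiate scheme and both SPNs are in place.
# Default values are the article's example names; replace them with your own.
param(
    [string]$ConfigPath = (Join-Path $env:ProgramData 'QlikTech\WebServer\config.xml'),
    [string]$Account    = 'COMPANYX\qvssvc',
    [string[]]$Spns     = @('http/qvs1', 'http/qvs1.companyx.local')
)

$problems = @()

# 1. The Authenticate.aspx entry must use Negotiate. If config.xml is
#    rewritten, the scheme can silently fall back to NTLM.
#    Assumption: the file has no default XML namespace, so plain XPath matches.
[xml]$config = Get-Content -LiteralPath $ConfigPath -Raw
$xpath = "//HttpAuthentication[@url='/QvAJAXZfc/Authenticate.aspx']"
$node  = $config.SelectSingleNode($xpath)
if ($null -eq $node) {
    $problems += "No HttpAuthentication entry for Authenticate.aspx in $ConfigPath"
} elseif ($node.GetAttribute('scheme') -ne 'Negotiate') {
    $problems += "Authenticate.aspx scheme is '$($node.GetAttribute('scheme'))', expected 'Negotiate'"
}

# 2. Both the NetBIOS and the fully qualified SPN must be listed on the
#    service account. "setspn -L" prints one SPN per indented line.
$registered = & setspn -L $Account 2>&1 | ForEach-Object { "$_".Trim() }
foreach ($spn in $Spns) {
    # -notcontains compares case-insensitively, matching how SPNs are treated.
    if ($registered -notcontains $spn) {
        $problems += "SPN '$spn' is not registered on $Account"
    }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output 'Negotiate scheme and both SPNs are in place.'
```

A non-zero exit code makes the check usable from a scheduled task or monitoring job that alerts when the web server has reverted to NTLM.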
 

Comments
Wilmar
Contributor

Hi @Sonja_Bauernfeind,

Thank you for this technote. With your suggestions we were able to update our QlikView environment to use Kerberos.

But as soon as we update something through the maintenance page, the config.xml gets overwritten. And since there is no Negotiate/Kerberos option available in the maintenance page, the manually changed Negotiate option in the config.xml is lost.

Do you have any suggestions on how to by-pass this behavior?

Sonja_Bauernfeind
Digital Support

Hello @Wilmar 

I am not aware of a method to bypass this. I would recommend logging a case (though I think this will likely end as an idea that should be posted in our ideas section).

All the best,
Sonja 
