Unlock a world of possibilities! Login now and discover the exclusive benefits awaiting you.
May 7, 2021 10:13:27 AM
Oct 5, 2012 5:02:46 AM
Authentication between web clients and QlikView Webserver will by default be performed using NTLM.
To allow Kerberos authentication between clients and the web server, the authentication scheme for QlikView Webserver must be changed. In addition, required Service Principal Names (SPNs) must be registered on the service account running QlikView Webserver.
Note: Kerberos is not supported for the QMC, see Kerberos Authentication and QlikView: Login Failed or This web page cannot be displayed for more information.
Environments:
Before:
<HttpAuthentication url="/QvAJAXZfc/Authenticate.aspx" scheme="NTLM" />
After:
<HttpAuthentication url="/QvAJAXZfc/Authenticate.aspx" scheme="Negotiate" />
Note: The following will require appropriate permissions in Active Directory to add Service Principal Names on the account running QlikView Webserver.
A Service Principal Name may be registered using the following command:
setspn -A http/HOST serviceaccount
where:
HOST is the name of the server hosting QlikView Webserver
serviceaccount is the account running QlikView Webserver.
Note: If running Windows Server 2008, Windows Server 2008 R2 or Windows Server 2012 it is recommended to instead use the following syntax:
setspn -U -S http/HOST serviceaccount
For more information see: http://technet.microsoft.com/en-us/library/cc731241.aspx
Two Service Principal Names must be registered on the service account, one using the NETBIOS name of the computer hosting QlikView Webserver and one using the Fully Qualified Name of the server.
In this example the NETBIOS name of the server hosting QlikView Webserver is "qvs1", the Fully Qualified Name is "qvs1.companyx.local" and the account used by QlikView Webserver is "COMPANYX\qvssvc".
setspn -A "http/qvs1" "COMPANYX\qvssvc"
setspn -A "http/qvs1.companyx.local" "COMPANYX\qvssvc"
Windows Server 2008 / R2 and Windows Server 2012
setspn -U -S "http/qvs1 COMPANYX\qvssvc"
setspn -U -S "http/qvs1.companyx.local" "COMPANYX\qvssvc"
Restart QlikView Webserver after successfully registering the Service Principal Names
For more information about Service Principal Names see: http://technet.microsoft.com/en-us/library/cc961723.aspx
Thank you for this technote. With you suggestions we were able to update our Qlikview environment to use Kerberos.
But as soon as we update something through the maintenance page, the config.xml gets overwritten . And since there is no Negotiate/Kerberos option available in the maintenance page, the manually changed Negotiate option in the config.xml is lost.
Do you have any suggestions on how to by-pass this behavior?