For several months now, I’ve been working on some QlikView projects, which has been quite an interesting discovery for me. Generally, these projects are limited to the management of QlikView at the administrator level (installation, upgrade, configuration of the QlikView Management Console, and so on) but I was still able to accumulate some knowledge that I want to share with you today. In this blog entry, I will try to explain how to debug the QlikView Offline Service, how to properly configure access to remote Shared Folders and how to enable Single Sign-On between QlikView and a third-party software. I will try to describe the required steps as best I can to avoid any problems.

I. QlikView Offline Service for QlikView 11.2 SR7 or below

In a complete QlikView environment that is using SSL (I don’t know if it can happen without SSL), if you try to set up the QlikView Offline Service, you may face an issue where the Offline Service doesn’t work at all. This happens even if the component was installed successfully and even if there are no errors in the QlikView log files. This issue comes from the fact that, by default, QlikView enforces FIPS compliance when using the Offline Service, and this can cause problems depending on your enterprise network restrictions. After we reported this to the QlikView Support Team, they confirmed to us that it was a bug and they fixed it in their next QlikView version (11.2 SR8 and above). A simple workaround for this issue can be set up by following these steps:

  1. SSL must be properly configured
  2. The QlikView Offline Service must be properly installed
  3. Log in to the Windows Server with any Administrator account
  4. Open the file: C:/Windows/Microsoft.NET/Framework64/v4.0.30319/Config/machine.config
    1. Find the line with: <runtime />
    2. Replace this line with:
      <runtime>
        <enforceFIPSPolicy enabled="false" />
      </runtime>
  5. Save the file
  6. Open a command prompt as Administrator and execute the command: services.msc
  7. Restart all QlikView Services

Modification of the machine.config file to disable the FIPS enforcement

After doing so, you should be able to access your QlikView documents from a smartphone or a tablet to work offline.
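
Steps 4 to 7 can also be scripted. The following PowerShell is an added example, not part of the original post or of QlikView's own tooling; it assumes an elevated prompt and that the QlikView services have display names beginning with "QlikView".

```powershell
# Added example: scripted form of steps 4-7 (run from an elevated PowerShell prompt).
$path = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config'

# Keep a timestamped copy so the change can be reverted later.
$backup = "$path.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -LiteralPath $path -Destination $backup

$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true   # leave the rest of the file byte-for-byte similar
$xml.Load($path)

# The post expects an empty <runtime /> element; create one only if it is missing.
$runtime = $xml.SelectSingleNode('/configuration/runtime')
if ($null -eq $runtime) {
    $runtime = $xml.CreateElement('runtime')
    [void]$xml.DocumentElement.AppendChild($runtime)
}

# Reuse an existing <enforceFIPSPolicy> element instead of adding a duplicate.
$fips = $runtime.SelectSingleNode('enforceFIPSPolicy')
if ($null -eq $fips) {
    $fips = $xml.CreateElement('enforceFIPSPolicy')
    [void]$runtime.AppendChild($fips)
}
$fips.SetAttribute('enabled', 'false')
$xml.Save($path)

# Assumption: QlikView service display names start with "QlikView".
Get-Service -DisplayName 'QlikView*' | Restart-Service -Force -PassThru
```

This machine.config is read by every 64-bit .NET Framework 4 application on the server, not only by QlikView, so the backup copy is what lets you put FIPS enforcement back once the server runs 11.2 SR8 or above.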

II. Access to remote Shared Folders

As before, depending on your Windows Server GPOs, you may face some issues regarding access to files stored on a remote Shared Folder (access via the user who runs QlikView). By remote I mean another city, country, continent or whatever. This tip can help to solve some Shared Folder access issues even if you aren’t using QlikView; it’s more of a Windows Server tip ;). Regarding QlikView, this issue can easily be found in the log file because you will see something like this during a task execution:

[Screenshot: ShareIssue.png]

The configuration I will show you below worked for me but, depending on your network restrictions, it may not work as it is. The important thing here is to understand each parameter and the consequences of this configuration:

  1. Log in to the Windows Server with any Administrator account
  2. Open a command prompt as Administrator and execute the command: regedit
  3. Open: HKLM > SYSTEM > CurrentControlSet > Services > LanmanServer > Parameters
    1. Set “enablesecuritysignature” to 1
    2. Set “requiresecuritysignature” to 1
  4. Open: HKLM > SYSTEM > CurrentControlSet > Services > LanmanWorkstation > Parameters
    1. Set “EnableSecuritySignature” to 1
    2. Set “RequireSecuritySignature” to 0
  5. Reboot the Windows Server

Configuration of the LanmanServer registry keys to 1-1

Configuration of the LanmanWorkstation registry keys to 1-0

As you can see, there are two different sections named “LanmanServer” and “LanmanWorkstation”:

  • LanmanServer controls the parameters of the current Windows Server when it acts as a Server
  • LanmanWorkstation controls the parameters of the current Windows Server when it acts as a Client

For example, if you access a remote Shared Folder from the QlikView Windows Server, then you are acting as a Client, and therefore with this configuration you can access everything, whatever the LanmanServer configuration of the Shared Folder’s Windows Server is. Indeed, the local SecuritySignature is enabled but not required (Enable=1, Required=0; I will shorten this as “1-0”), so it’s the most generic case, which covers all possible LanmanServer configurations of the remote host (3 possibilities: 0-0, 1-0 or 1-1).

In the same way, if a user tries to access a Shared Folder on the QlikView Server, then the QlikView Server will act as a LanmanServer and therefore the configuration taken into account is 1-1. This configuration can be changed, but if the LanmanWorkstation configuration of the user’s laptop is 1-1, then the LanmanServer configuration will need to be 1-1, otherwise the user will not be able to access the Shared Folder of the QlikView Server. The 1-1 configuration is of course the most secure and therefore it’s often (always?) chosen on the user’s workstation. That’s why it’s generally a good idea to set the LanmanServer of the QlikView Server to 1-1 too.

It’s really hard to explain this kind of stuff but I hope I was clear enough!
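
To check a server against the four values from steps 3 and 4 before and after the change, the audit below can be used. It is an added example, not part of the original post; the function name Test-SmbSigningValues is made up for this illustration, and it must run from an elevated prompt.

```powershell
# Added example: compare the SMB signing registry values with the ones from the post
# and, with -Apply, write the missing or different ones. A reboot is still required.
$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$target = @(
    @{ Key = 'LanmanServer';      Name = 'EnableSecuritySignature';  Value = 1 }
    @{ Key = 'LanmanServer';      Name = 'RequireSecuritySignature'; Value = 1 }
    @{ Key = 'LanmanWorkstation'; Name = 'EnableSecuritySignature';  Value = 1 }
    @{ Key = 'LanmanWorkstation'; Name = 'RequireSecuritySignature'; Value = 0 }
)

function Test-SmbSigningValues {   # hypothetical helper name
    param([switch]$Apply)
    foreach ($t in $target) {
        $path = Join-Path $services "$($t.Key)\Parameters"
        # Registry value names are case-insensitive; a missing value reads as $null.
        $current = (Get-ItemProperty -Path $path -Name $t.Name -ErrorAction SilentlyContinue).($t.Name)
        $ok = ($current -eq $t.Value)
        if (-not $ok -and $Apply) {
            New-ItemProperty -Path $path -Name $t.Name -Value $t.Value `
                -PropertyType DWord -Force | Out-Null
        }
        [pscustomobject]@{
            Role    = $t.Key
            Name    = $t.Name
            Current = $(if ($null -eq $current) { '(not set)' } else { $current })
            Wanted  = $t.Value
            Status  = $(if ($ok) { 'ok' } elseif ($Apply) { 'changed' } else { 'differs' })
        }
    }
}

# Report only; run "Test-SmbSigningValues -Apply" to write the values.
Test-SmbSigningValues | Format-Table -AutoSize
```

Running it without -Apply first records the previous values, which is what you need if the change has to be rolled back.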

III. SSO between QlikView and “X”

Again, this configuration isn’t something only related to QlikView, but it can be useful if you need, for example, to allow QlikView to automatically store some documents in another system “X”, which can be a Document Management System (Alfresco, SharePoint, Documentum, and so on) or something else. You may not need to do this because it may be allowed by default in your enterprise, but it’s generally good practice to restrict the SSO features on a Windows Server and therefore this kind of configuration is often required. For this configuration, let’s define X as a third-party software and https://x.domain.com as the URL related to it.

From the Windows Server, if you try to access the real URL of your third-party software (e.g. for Alfresco Share it would be: https://x.domain.com/share) and you get a pop-up window asking you for credentials, then follow the steps below:

  1. Ensure that your Active Directory is properly configured for SSO (this is a very large topic and I will not describe it here)
  2. Log in to the Windows Server with the account under which QlikView is running
  3. Open: Internet Explorer > Internet Options > Security > Trusted Sites > Sites
    1. Write: https://x.domain.com
    2. Click on: Add
    3. Write: about:blank (this step may not be mandatory)
    4. Click on: Add (this step may not be mandatory)
    5. Close the window
  4. Click on: Custom Level…
    1. Scroll down and find: User Authentication
    2. Set “Logon” to “Automatic logon with current username and password”
    3. Click on: OK
    4. Click on: Apply
    5. Click on: OK
  5. Restart Internet Explorer
  6. Ensure that the account under which QlikView is running has the proper permissions on the third party software

Trusted sites configuration with the list of URLs for all “X”

Enable the automatic logon with current user name and password for the Trusted Sites

After that configuration, if you try again to access the real URL of your third-party software, the pop-up window should no longer be displayed and the login should be successful. Of course, the last step is important because the user that is running QlikView must have access to the third-party software, otherwise the SSO is useless…
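
The Internet Options dialog in steps 3 and 4 writes per-user registry values, so the same configuration can be applied from PowerShell. This is an added example, not part of the original post; it assumes it runs in a session of the account under which QlikView is running, that IE Enhanced Security Configuration is off for that account (with it on, IE reads ZoneMap\EscDomains instead of ZoneMap\Domains) and that no Group Policy overrides the zone settings.

```powershell
# Added example: registry equivalent of steps 3 and 4 for the current user (HKCU).
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# Step 3: map https://x.domain.com (the post's placeholder host) to zone 2, Trusted Sites.
# Only this host and only the https scheme are added, not the whole domain.
$site = Join-Path $inet 'ZoneMap\Domains\domain.com\x'
if (-not (Test-Path $site)) {
    New-Item -Path $site -Force | Out-Null   # -Force creates the intermediate keys
}
New-ItemProperty -Path $site -Name 'https' -Value 2 -PropertyType DWord -Force | Out-Null

# Step 4: URL action 1A00 is the "Logon" setting of a zone;
# 0 = "Automatic logon with current user name and password".
$zone = Join-Path $inet 'Zones\2'
New-ItemProperty -Path $zone -Name '1A00' -Value 0 -PropertyType DWord -Force | Out-Null

# Read both values back to confirm what Internet Explorer will use.
[pscustomobject]@{
    Site       = 'https://x.domain.com'
    Zone       = (Get-ItemProperty -Path $site).https
    LogonValue = (Get-ItemProperty -Path $zone).'1A00'
}
```

Because the logon setting applies to the whole Trusted Sites zone, every site listed in that zone for this account receives automatic logon, so the list is worth keeping to the hosts that need it.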

This concludes this first approach of some QlikView Tips & Tricks. I’m sure that more will come soon but I will need to find some time to share that with you. I hope you will find this blog entry useful and don’t hesitate to give me your feedback using the comments below!