Mounted remote folders in QlikView Server using NTFS authorization

QlikView Enterprise Solutions

Mounted Remote File shares in QlikView Server using
NTFS authorization




Version:     2.1
Date:        2010-03-05
Author(s)    BMW




“A best practice is a technique or methodology that, through experience and
research, has proven to reliably lead to a desired result.”
Contents

Introduction
Environment
Delegation of authentication
   Constrained delegation
   Protocol transition
Setting up delegation
   Service running under the Local System computer account
     Configuring the computer account to be trusted for delegation
   Service running under a Domain User account
     Service Principal Name
     Registering a SPN on the Domain User account used by the QlikView Server service
     Configuring the service account to be trusted for delegation
   Configuring the file share
     Service running under Local System computer account
     Service running under a domain User Account
   QlikView Server and IIS configuration
     Using a Domain User account
   Internet Explorer on the client computer
Delegation check-list
Troubleshooting




Introduction
Storing QlikView documents on a central file server or on a NAS/SAN is sometimes a
requirement, for example because of security policies, back-ups, setting up a cluster and so on.
This document describes how to configure QlikView Server to access remotely stored
documents on a NAS and how to set up delegation to the file share to support Integrated
Windows Authentication.
Both Windows 2000 mixed mode domains and native Windows 2003 domains will be
covered.
Configuration of Microsoft Internet Information Services 6 (IIS) for ASP pages to handle
remote shares and Integrated Windows Authentication will also be covered.



Environment
The environment consists of 3 servers running Windows Server 2003: the domain
controller, a file server and a QlikView server, as described below.
A file share will be created on the File Server. The name of the share will be “qvShare”.
A client computer running Windows XP will be used to verify the configuration (the client
is in a different sub-domain, but that setup is not covered in this example).

Domain: servers.companyx.local

Role               Fully qualified name            IP address
Domain Controller  dc.servers.companyx.local       10.1.2.4
File Server        fs.servers.companyx.local       10.1.2.7
QlikView Server    qvs.servers.companyx.local      10.1.2.9
Client computer    xpclient.depx.companyx.local    10.1.1.100








Delegation of authentication
In a multitier solution, delegation refers to the facility for a service to impersonate an
authenticated user in order to relieve the additional burden of authenticating to multiple
services. This means that administrators can enforce authorization at the different tiers using
a single user identity, which simplifies management and makes tracking and auditing
possible on the different levels of a multitier solution.


Kerberos authentication in Windows Server 2003 supports different levels of delegation
depending on the functional level of the domain. A domain running in Windows 2000
mixed mode will only support delegation of authentication using the Kerberos protocol,
while a domain running in native Windows 2003 mode will also support constrained
delegation and protocol transition.


Constrained delegation
Windows 2003 running in native mode supports constrained delegation, which means that it
is possible to configure delegation of authentication only to specific services running on a
specific server. This enhances security if the computer trusted for delegation gets
compromised, as delegation is then only possible to the specified services.

Constrained delegation is not present in Windows 2000. Instead, all services running as Local
System on the computer are trusted to delegate to any and every service.

Constrained delegation requires the front-end and back-end server to be in the same
domain.


Protocol transition
In Windows 2000 delegation was only possible using the Kerberos authentication
protocol, which made it impossible to use delegation for clients not compatible with
Kerberos (for example clients connecting to a web server over the Internet). This restriction no
longer applies. With protocol transition a client can authenticate to the front-end server using
other authentication protocols (NTLM, SSL, Digest authentication) and credentials can still
be passed on to the back-end server using Kerberos.


Protocol transition requires constrained delegation to maintain a high security level.








Setting up delegation
There are different ways of setting up delegation of authentication. You can either configure
the computer account to be trusted for delegation, having the QlikView Server service run
under the Local System account, or set up a Domain User account and configure the
QlikView Server service to run under this user’s context. This will strengthen the security in
case of the server being compromised, but requires some additional configuration, such as
registering a Service Principal Name (SPN) on the service account (covered later) and
configuring the service on the computer.


The section “Service running under the Local System computer account” will show how to
delegate authentication to the computer account “QVS”.
The section “Service running under a Domain User account” will show how to set up the
Domain User account “qvsServiceAccount” to be trusted for delegation.
Note: You should only trust either the computer account for delegation or use a domain User
Account, not both.








Service running under the Local System computer account
By default the QlikView Server service runs under the Local System computer account.
This simplifies the configuration of QlikView Server and IIS as you do not need to make
any changes on the front-end server. However, if you want to configure the service to run
using a domain User Account, skip this section and go to “Service running under a Domain
User account”.



Configuring the computer account to be trusted for delegation
Setting up a computer to be trusted for delegation varies, depending on the domain
functional level being Windows 2000 mixed mode or Windows 2003 native mode.

Windows 2000 mixed mode
As mentioned before Windows 2000 mixed mode only supports delegation using Kerberos
authentication. This is a security-sensitive operation which means that the computer trusted
for delegation (in this scenario the QlikView Server) must be protected from any
unauthorized access to not compromise the security.
Microsoft recommends avoiding the use of delegation in Windows 2000 environments.


- Open Active Directory Users and Groups and locate the QVS computer account.
  Right-click and select Properties.
- On the General tab, check Trust computer for delegation. Press OK to verify that
  you understand the security related issues concerning delegation.
- Press OK to close the dialog.








Native Windows 2003 mode
Native Windows 2003 mode gives a lot more options to strengthen the security of the
computer trusted for delegation. The different delegation levels are covered briefly in
this section. For more information see the documentation for Windows Server 2003.

- Open Active Directory Users and Groups and locate the QVS computer account.
- Right-click and select Properties.
- Go to the Delegation tab and select the level of delegation.

Trust this computer for delegation to any service (Kerberos only)
This is much like delegation in a mixed Windows 2000 environment. Select this option only
if the server (QVS) is in a secure environment and Kerberos is supported for all clients.

Note: This is not recommended.








Trust this computer for delegation to specified services only (Use Kerberos only)
Select this option to enforce constrained delegation to specified services using the
Kerberos protocol.
When you select this option, you also need to specify the services to which this account can
present delegated credentials. In this example we need to specify the services HOST and
cifs for file access.

- On the Delegation tab, press Add…
- Press Users or Computers… and locate the File Server (FS). This is the computer
  hosting our file share and to which we will present delegated credentials.

A list of the services available on the server is presented.

- Select the following two services:
     o HOST
     o cifs
- Press OK and verify that the two services are listed on the Delegation tab.








Trust this computer for delegation to specified services only (Use any authentication
protocol)
Select this option to enforce constrained delegation to specified services using protocol
transition. This is necessary in environments where Kerberos is not supported, like clients
connecting from the internet.
By selecting this option the first hop in the authentication chain, between the client and
the front-end (QVS/IIS) server, can be done using protocols like NTLM, SSL, Digest or
any other protocol. A transition is then made to the Kerberos protocol in the second hop,
between the front-end (QVS/IIS) and back-end (FS) server.

- On the Delegation tab, press Add…
- Press Users or Computers… and locate the File Server (FS). This is the computer
  hosting our file share and to which we will present delegated credentials.

A list of the services available on the server is presented.

- Select the following two services:
     o HOST
     o cifs
- Press OK and verify that the two services are listed on the Delegation tab.








Service running under a Domain User account
Instead of delegating authentication to the computer account, it is possible to configure a
service to run under a domain user account and trust the account for delegation. This requires
some additional configuration for Kerberos authentication to work.

Service Principal Name
Service Principal Names (SPNs) are unique identifiers for services running on servers.
Kerberos authentication needs an SPN set for every service so that clients can
identify the service on the network. Without a properly registered SPN, Kerberos
authentication will fail.
An SPN consists of three pieces of information, ServiceClass/Host:Port, where:
- ServiceClass is the service class of the SPN (in our example http)
- Host is the name of the computer to which the SPN belongs (qvs)
- Port is the port that the SPN is registered to use. This is optional and, if not
  specified, will be the default port for the ServiceClass (80 for http).

If the host can be reached by different names, for example if an alias is registered for the
computer name, SPNs must be added for each host name. There should be at least two SPNs
registered on a computer account:
- HOST/Hostname
- HOST/FQDN (Fully Qualified DNS Name)

By default SPNs are only registered on service accounts (computer accounts have some built-in
SPNs covered by the HOST SPN). Regular user accounts do not have any SPNs, but SPNs can
be registered on them using the Setspn tool included in the Support Tools on the Windows
Server 2003 CD.








Registering a SPN on the Domain User account used by the QlikView Server service
To be able to set up the domain User Account “qvsServiceAccount” for delegation, SPNs
need to be registered on the account. Be careful not to register already existing SPNs. All
SPNs must be unique within the domain to be able to identify the service running on a
specific server.
If you receive an error about multiple SPNs in the System Event log, use ldifde, included in
the Support Tools, to locate the conflicting SPNs (not covered in this whitepaper).
The following requires that you have the permission Write ServicePrincipalName in
Active Directory.

- Install the Support Tools for Windows 2003 if not already done (it is not necessary to
  install the Support Tools on the domain controller).
- Open a command prompt and type:
      setspn -a http/qvs qvsServiceAccount
  where http/qvs is the SPN and qvsServiceAccount is the domain User Account.
- Create another SPN for the FQDN of the server:
      setspn -a http/qvs.servers.companyx.local qvsServiceAccount
- In this example there is also an alias registered for the QVS computer,
  qvs.companyx.local, requiring one more SPN to be registered on the
  qvsServiceAccount:
      setspn -a http/qvs.companyx.local qvsServiceAccount
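As an added example (not part of the whitepaper and not a QlikView or Microsoft tool), the following Python script audits an ldifde-style LDIF export for the two SPN problems this section and the later application-pool note describe: an SPN registered on more than one account, and a required http/ SPN missing from the service account. The LDIF sample, the account name otherAppPool and the user jdoe are constructed, and SPNs are assumed to compare case-insensitively.

```python
"""SPN audit over an LDIF export of servicePrincipalName attributes.

Added example, not part of the whitepaper. The LDIF below is constructed to
look like an ldifde export and includes a deliberate collision: http/qvs is
registered on qvsServiceAccount and on a hypothetical otherAppPool account."""
from collections import defaultdict

SAMPLE_LDIF = """\
dn: CN=QVS,CN=Computers,DC=servers,DC=companyx,DC=local
changetype: add
servicePrincipalName: HOST/QVS
servicePrincipalName: HOST/qvs.servers.companyx.local

dn: CN=qvsServiceAccount,CN=Users,DC=servers,DC=companyx,DC=local
changetype: add
servicePrincipalName: http/qvs
servicePrincipalName: http/qvs.servers.companyx.local

dn: CN=otherAppPool,CN=Users,DC=servers,DC=companyx,DC=local
changetype: add
servicePrincipalName: http/qvs
"""

QVS_ACCOUNT_DN = "CN=qvsServiceAccount,CN=Users,DC=servers,DC=companyx,DC=local"


def parse_spns(ldif_text):
    """Return {dn: [spn, ...]} for every entry in the LDIF text.

    LDIF folds long values onto following lines that start with one space;
    those are unfolded first. Base64 values ("attr:: ...") are not expected
    for SPNs and are skipped."""
    unfolded = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries, dn = {}, None
    for line in unfolded:
        if not line.strip():          # a blank line ends the current entry
            dn = None
            continue
        key, _, value = line.partition(":")
        if value.startswith(":"):     # base64-encoded value, not handled here
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            dn = value
            entries.setdefault(dn, [])
        elif key == "serviceprincipalname" and dn is not None:
            entries[dn].append(value)
    return entries


def find_collisions(entries):
    """SPNs held by more than one account (compared case-insensitively, an
    assumption). Such a duplicate is what makes Kerberos fail per the note."""
    owners = defaultdict(set)
    for dn, spns in entries.items():
        for spn in spns:
            owners[spn.lower()].add(dn)
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}


def expected_http_spns(host, fqdn, aliases=()):
    """The SPN set the whitepaper registers on the service account:
    http/<host>, http/<FQDN> and http/<alias> for each DNS alias."""
    return {f"http/{name}".lower() for name in (host, fqdn, *aliases)}


def missing_spns(entries, dn, expected):
    """Expected SPNs not yet registered on the given account."""
    present = {spn.lower() for spn in entries.get(dn, [])}
    return sorted(expected - present)


if __name__ == "__main__":
    entries = parse_spns(SAMPLE_LDIF)
    for spn, dns in find_collisions(entries).items():
        print(f"COLLISION {spn}: registered on {len(dns)} accounts -> {dns}")
    needed = expected_http_spns("qvs", "qvs.servers.companyx.local",
                                aliases=["qvs.companyx.local"])
    for spn in missing_spns(entries, QVS_ACCOUNT_DN, needed):
        print(f"MISSING   {spn} on {QVS_ACCOUNT_DN}")
```

On the constructed sample it reports http/qvs as registered on two accounts and http/qvs.companyx.local as missing from qvsServiceAccount.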








Configuring the service account to be trusted for delegation

Mixed Windows 2000 mode
- Open Active Directory Users and Groups and locate the domain User Account
  (qvsServiceAccount).
- Right-click and select Properties.
- On the Account tab, check Account is trusted for delegation in the Account options list.
- Press OK to close the dialog.








Native Windows 2003 mode
- Open Active Directory Users and Groups and locate the domain User Account
  “qvsServiceAccount”.
- Right-click and select Properties.
- Go to the Delegation tab and select the level of delegation (if the Delegation tab is not
  present, no SPNs have been configured on the account. Please revise “Registering a
  SPN on the domain User Account used by the QlikView Server service”).

Trust this computer for delegation to any service (Kerberos only)
This is much like delegation in a mixed Windows 2000 environment. Select this option only
if the server (QVS) is in a secure environment and Kerberos is supported for all clients.

Note: This is not recommended.








Trust this computer for delegation to specified services only (Use Kerberos only)
Select this option to enforce constrained delegation to specified services using the
Kerberos protocol.
When you select this option, you also need to specify the services to which this account can
present delegated credentials. In this example we need to specify the services HOST and
cifs for file access.

- On the Delegation tab, press Add…
- Press Users or Computers… and locate the File Server (FS). This is the computer
  hosting our file share and to which we will present delegated credentials.

A list of the services available on the server is presented.

- Select the following two services:
     o HOST
     o cifs
- Press OK and verify that the two services are listed on the Delegation tab.








Trust this computer for delegation to specified services only (Use any authentication
protocol)
Select this option to enforce constrained delegation to specified services using protocol
transition. This is necessary in environments where Kerberos is not supported, like clients
connecting from the internet.
By selecting this option the first hop in the authentication chain, between the client and
the front-end (QVS/IIS) server, can be done using protocols like NTLM, SSL, Digest or
any other protocol. A transition is then made to the Kerberos protocol in the second hop,
between the front-end (QVS/IIS) and back-end (FS) server.

- On the Delegation tab, press Add…
- Press Users or Computers… and locate the File Server (FS). This is the computer
  hosting our file share and to which we will present delegated credentials.

A list of the services available on the server is presented.

- Select the following two services:
     o HOST
     o cifs
- Press OK and verify that the two services are listed on the Delegation tab.








Configuring the file share
The file share must be configured with the correct permissions for the front-end server and
for users to be able to access the files. If delegation was given to the computer account
(QVS) permissions must be given for this account to access the share. If the service was
configured to use a domain User account, this account must have the proper permissions to
the resource.



Service running under Local System computer account
- Locate the share on the File Server (FS). Right-click the share and go to the tab
  Sharing.
- Press Permissions then Add… to give the computer account permission to the share.
  Make sure Computers is selected in Object Types… to be able to find the server.
- Give the account Full Control (needed for the service to be able to write shared
  objects to the share).
- Give additional users/groups permission to access the share.
- Press OK to close the dialog.

- Go to the Security tab to set up the Access Control List (ACL) for the shared folder.
- Press Add… to add the computer account to the ACL. Make sure Computers is
  selected in Object Types… to be able to locate the server.
- Give the account Full Control (needed for the service to add shared objects).
- Add additional users/groups to the ACL.
- If you configure subfolders, make sure the computer account (QVS) has Full
  Control on the subfolders as well.








Service running under a domain User Account

- Locate the share on the File Server (FS). Right-click the share and go to the tab
  Sharing.
- Press Permissions then Add… to give the “qvsServiceAccount” domain User
  Account permission to the share.
- Give the account Full Control (needed for the service to be able to write shared
  objects to the share).
- Give additional users/groups permission to access the share.
- Press OK to close the dialog.

- Go to the Security tab to set up the Access Control List (ACL) for the shared folder.
- Press Add… to add the “qvsServiceAccount” domain User Account to the ACL.
- Give the account Full Control (needed for the service to add shared objects).
- Add additional users/groups to the ACL.
- If you configure subfolders, make sure the service account “qvsServiceAccount” has
  Full Control on the subfolders as well.








QlikView Server and IIS configuration
If the computer account (QVS) has been trusted for delegation, you do not need to make any
additional changes to the QlikView Server service or IIS (except making sure that Integrated
Windows Authentication is enabled in IIS). The following section can then be skipped.



Using a Domain User account
If a Domain User account is to be used for the QlikView Server service and IIS Application
pool the following steps must be performed on the server (QVS):


Local permissions for the qvsServiceAccount account
Add the account which should be used to run the QlikView Server service to the following
local groups:
- Administrators
- IIS_WPG (for IIS Application Pool)

Check Local Security Policies. The Domain User account must have the following policies:
- Act as part of the operating system (if protocol transition is to be used. See
  delegation types for more info)
  or
- Impersonate a client after authentication (Administrators and IIS_WPG already have
  this policy applied)








Change the account for the QlikView Server service

- Open Windows Control Panel – Administrative Tools – Services.
- Locate the QlikView Server service.
- Right-click and select Properties.
- Go to the tab Log On and browse for the account to be used to run the service,
  “qvsServiceAccount”.
- Make sure you enter the correct password for the account and press OK.
- Restart the service for the changes to take effect.




Mount the folder in QlikView Server Management Control

- Open a web browser and type the URL to the management console on the QlikView
  Server (http://qvs.companyx.local/qvsmanagement).
- Go to the tab Folders.
- Press Add and type in a name for the share and the UNC path to the share
  (\\fs\qvshare). Do not use mapped network drives for the share!
- Check Browsable to make sure the share will show up for all users.
- Press Apply to apply the changes and restart the QlikView Server service.








Change the account for the Application pool in IIS

- Open Internet Information Services (IIS) Manager.
- Expand Application Pools and right-click the application pool (DefaultAppPool if not
  configuring a separate application pool*). Select Properties.
- On the Identity tab select Configurable and locate the Domain User account
  “qvsServiceAccount” under which the application pool’s worker process should run.
- Make sure you enter the correct password and press OK.
- Either restart IIS (use IISRESET in a Command Prompt) or recycle the application
  pool (right-click the application pool and select Recycle).

*Note: You must use the same identity for all application pools within the same
website. Web applications running under different process identities share the same
SPN (i.e. http/servername) but do not run under the same account. You cannot have the
same SPN registered on multiple accounts, or Kerberos will fail.
Look in the System log in Event Viewer for any errors from KDC or use ldifde to
verify that all SPNs are unique.








Internet Explorer on the client computer

- Make sure the URL(s) used to access the website are in the Local Intranet zone (Tools –
  Internet Options – Security). Kerberos is not supported in the Internet zone.
- Verify that Integrated Windows Authentication is enabled in Tools – Settings –
  Advanced. This is on by default in IE 7, but not in IE 6.








Delegation check-list

- SPNs registered correctly on the accounts used
- If using a domain User Account
     o Account added to the local Administrators group
     o Account added to the local IIS_WPG group
     o Local policies applied
- QlikView Server service configured to run using the domain User Account
- Integrated Windows Authentication enabled in IIS (Anonymous Access disabled)
- Correct permissions on the file share
- Kerberos supported between client and front-end server.



Troubleshooting

- Check the Event Viewer for any errors from KDC, to make sure there is no collision
  between SPNs. Use ldifde to analyze SPNs if collisions occur (covered in the
  whitepaper from Microsoft, link below).
- Check the Security log in Event Viewer to verify that Kerberos is used both on the
  front-end server (QVS) and back-end server (FS), unless protocol transition is to be
  used.
     o If you see an entry by the user NT AUTHORITY\ANONYMOUS LOGON
       on the back-end server (FS), delegation of authentication is not working, and
       a null user is used to access the share.
     o If you see an entry where a user logs on with the authentication package
       NTLM on the front-end server, Kerberos is not supported between the client
       and the server.
- Use DelegConfig, an ASP.NET application for troubleshooting Kerberos and IIS.
  DelegConfig can be downloaded from
  http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1434
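To make the two Security-log checks above concrete, here is an added Python example (not from the whitepaper) that triages constructed logon records: an ANONYMOUS LOGON on the back-end means delegation is not working, and an NTLM logon on the front-end means Kerberos was not negotiated, unless protocol transition is in use. The record layout (modelled on the Windows Server 2003 event 540 description), the computer names and the user jdoe are assumptions.

```python
"""Triage of Security-log logon events for Kerberos delegation problems.

Added example, not from the whitepaper. The records are constructed to look
like Windows Server 2003 'Successful Network Logon' (event 540) descriptions;
the field names used are an assumption, as are the user jdoe and the
computer names QVS (front-end) and FS (back-end)."""

FRONT_END, BACK_END = "front-end", "back-end"

# Which role each computer plays in the delegation chain (constructed).
ROLES = {"QVS": FRONT_END, "FS": BACK_END}

# Constructed sample: three event 540 records separated by blank lines.
SAMPLE_EVENTS = """\
Event ID: 540
Computer: QVS
User Name: jdoe
Domain: SERVERS
Logon Type: 3
Authentication Package: Kerberos

Event ID: 540
Computer: FS
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon Type: 3
Authentication Package: NTLM

Event ID: 540
Computer: QVS
User Name: jdoe
Domain: SERVERS
Logon Type: 3
Authentication Package: NTLM
"""

NULL_SESSION = "delegation not working: back-end sees NT AUTHORITY\\ANONYMOUS LOGON"
NO_KERBEROS = "Kerberos not negotiated between client and front-end (NTLM used)"


def parse_events(text):
    """Split 'Key: Value' records separated by blank lines into dicts."""
    events, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                events.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        events.append(current)
    return events


def classify(event, roles, protocol_transition=False):
    """Return a finding string for a suspicious logon, or None if it is fine.

    The two signals follow the whitepaper's troubleshooting section:
    - ANONYMOUS LOGON on the back-end: credentials were not delegated, the
      share is being accessed with a null session.
    - NTLM on the front-end: the client did not use Kerberos. Expected only
      when protocol transition is configured, so it is suppressed then."""
    role = roles.get(event.get("Computer", ""))
    user = event.get("User Name", "").upper()
    domain = event.get("Domain", "").upper()
    package = event.get("Authentication Package", "").upper()
    if role == BACK_END and user == "ANONYMOUS LOGON" and domain == "NT AUTHORITY":
        return NULL_SESSION
    if role == FRONT_END and package == "NTLM" and not protocol_transition:
        return NO_KERBEROS
    return None


def triage(text, roles, protocol_transition=False):
    """List (computer, user, finding) for every logon that signals a problem."""
    findings = []
    for event in parse_events(text):
        finding = classify(event, roles, protocol_transition)
        if finding:
            findings.append((event.get("Computer"), event.get("User Name"), finding))
    return findings


if __name__ == "__main__":
    for computer, user, finding in triage(SAMPLE_EVENTS, ROLES):
        print(f"{computer}: {user}: {finding}")
```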


For more troubleshooting tips see:
Troubleshooting Kerberos Delegation
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerbdel.mspx



