5 Replies Latest reply on Oct 27, 2009 12:59 PM by mfbernard

    order of authentication





      I need to understand at what point FileMaker needs/uses the credentials of the user: it looks like the logic/order has changed from FM9 to FM10...


      For example, we have a solution (with separation model), the guest account is active (with read-only) and it is used for opening the main file (the other files contain data and are hidden).


      We have 2 scenarios:

      1. Application is stand-alone: it now asks to enter user id and password to open the hidden files

      2. Application is hosted using Windows authentication: it does not ask for credentials


      To "manage" the stand-alone authentication, I have a login script, but it appears that it is executed after the hidden files are opened (in FM10) - I assume, because they are referred to in relationships.


      I thought of activating the guest account in the hidden files and using a re-login once the user has entered his/her credentials. This now works in the stand-alone solution, but no longer in the hosted one: the hosted files "keep" the guest credentials and it does not look like re-login works when using Windows authentication...


      If the above is not clear, it is because I am confused!


      I need to understand:

      1. If no account (guest or other) is used automatically when opening files, when there are hidden files referred to with relationships, what is the sequence used by FileMaker to open the files and establish if the user has the right credentials? 

      2. Does the sequence change whether the files are hosted or stand-alone?

      3. Is there a way to re-login when hosting files with Windows Authentication? Say, open the files with Guest but re-login with Windows credentials...


      Or if I'm looking at this problem all wrong, any other suggestion is welcome... 


      Thanks for your thoughts,



        • 1. Re: order of authentication

          I'm not aware of any differences between FMP 9 and FMP 10 in how account names and passwords are used to open FMP files.


          As far as I know (and my experience goes back to FMP 2.5), the following scenario governs how FileMaker opens a password-protected database file via a relationship reference:


          1) If the file to be opened has an account name/password identical to the account name/password used to open the first file, the related file is automatically opened without bringing up the Log In dialog.

          2) If the file does not have a matching account name/password (and the password is case sensitive), FileMaker will pop up the Log In dialog.


          If you use the Open File script step, you will always get the Log In dialog, unless the file has already been opened via 1) above. If it's already open, then the file's window is unhidden and brought to the front without asking for an account name/password.

          • 2. Re: order of authentication

            Hello Phil,


            I would not have suspected that there was a difference between 9 and 10 until I tried to open with FM10... In FM9, we are not prompted with a Log in dialog (whether stand-alone or hosted) - it "waits" for the login script. In FM9 the right permissions were applied. It makes me think that I might have been lucky that it has worked up until now!


            All the files have the same accounts and privileges and they are in-sync, except for the main visible file that has "guest" active and it is being opened automatically with guest.


            From your explanation, having guest in the first file might be the reason why it is trying to open the other files using guest?


            Can you tell if having relationships in the first file "forces" the "referred" files to be opened when the solution launches? I thought (back with FM9 and before) that the other files weren't "opened" until a screen or a script referring to the related tables/data was displayed or used... It would then use the credentials of the first file.


            Still puzzled...

            • 3. Re: order of authentication

              From your explanation, having guest in the first file might be the reason why it is trying to open the other files using guest?


              That's exactly why.


              I'm thinking your solution may have always opened the files in this way and in this sequence. Then your "login" script that you mention would actually have been simply bringing the window up of a file that had already been opened. I could easily be wrong about that as I don't know how you wrote that script.


              I skipped FMP 9, so I don't have a copy to test. I have observed that FMP 10 appears to re-open related files under circumstances where they did not in much older (FMP 5.5) versions. I'm still investigating this to see if it's a conversion issue or if brand new files exhibit the same behavior, so there might be a difference between FMP 9 and 10, though no one has reported such.

              • 4. Re: order of authentication

                Thanks for taking time to respond so far.


                Here is another specific question around hosted files using Windows authentication:

                If by default a file should use guest when opening the file, will Windows authentication be ignored?

                And a sub-question: Is there a script or setting to re-login using Windows credentials?

                (without the user intervention)


                If there is a way, I might have this thing working again...

                • 5. Re: order of authentication

                  After much testing, it looks like in FileMaker 10 (in a separation model setup, hosted):


                  • if "Guest" is used to open a file (File options), it takes priority over Windows authentication when the file is hidden (opened via a relationship or opened hidden), i.e. no matter what, guest is the user as long as the hidden file is opened
                  • if the file is the main file of the application and is explicitly opened, then guest is no longer used in priority - Windows credentials are used.


                    For my situation here is what I had to put in place:


                    for my 2 hidden files:

                    - activate Guest with read-only privileges

                    - in file options:

                      - do not use Guest or any user account to open the file

                      - use the login script (shown here)


                    If ( Get ( MultiUserState ) = 2 )
                       /* if hosted, don't do anything */
                    Else
                       If ( not ( IsEmpty ( xxx:gAccountName ) or IsEmpty ( xxx:gPassword ) ) )
                          Set Error Capture [On]
                          Re-Login ( Account Name : xxx:gAccountName ; Password : xxx:gPassword ; NoDialog )
                          Exit Script [ Result: Get ( LastError ) ]
                       Else
                          /* if the user name and pwd have not been entered yet, use Guest */
                          Re-Login ( Account Name : "Guest" ; NoDialog )
                          Exit Script [ Result: -1 ]
                       End If
                    End If




                    The main file of the application does open with Guest and runs a login script right away: this login script checks if the application is hosted, if so it skips the rest. If it's stand-alone, it shows a dialog to let the user enter the user information (in xxx:gAccountName and xxx:gPassword) and validates. If the files are not hosted, the script continues by closing the hidden files and re-opening them - now using the newly entered credentials.


                    I may delude myself in thinking this is how to fix the problem (just a lucky break?) but I've tested both as stand-alone and hosted (with windows authentication) on a FM8 server, a test FM9 server, and using FM8.5, FM9 and FM10 clients, and it looks like it's a go.


                    I know that no one has reported a difference of how user authentication works in FM10, but I know that it didn't with a setup that did work with earlier versions...

                    I found that using Guest to open a file works differently whether the file is hosted or not, and whether the file is hidden or not: and I found that using a login script at file opening to re-login is required in a stand-alone environment (or hosted without external server accounts)


                    Please comment if any of the above is incorrect, otherwise maybe someone else can benefit ... if stuck in a similar corner.