1 Reply Latest reply on Nov 22, 2010 11:51 AM by JasperStoodley

    Cannot get SSO working on Windows XP SP3

    JasperStoodley

      Summary

      Cannot get SSO working on Windows XP SP3

      Product

      FileMaker Server

      Version

      11

      Operating system version

      Windows (Windows XP SP3 and Windows Server 2003 Std)

      Description of the issue

      I cannot get SSO to work properly on our Windows XP (SP3) clients that connect to a variety of remote databases on my FileMaker 11 Advanced Server (running Windows 2003 Std).

      The problem is that despite having an SSO setup, the end user is prompted twice for their username/password before they can access any given database. On Windows 7 Pro clients, the SSO works just fine, so I believe that rules out my server-side setup.


      Background Info:
      ----------------------------------

      In the FileMaker Server Admin Console, I have the “List only the databases each user is authorized to access” option selected under “File Display Filter” under the Database Server > Security tab.

      The environment is a university with a large Windows Active Directory and I am using the university-wide domain controllers for authentication. All my servers and desktops are members of the same domain.

      FileMaker Pro 10 clients are also affected by the same issue.

      I also had this problem with FileMaker Server Advanced version 10 and was hoping upgrading to 11 would fix the issue.

      FileMaker Server event log reports:
      Information 730
      Client "username (source-computer-name) [source-computer-ip]" single sign-on authentication failed on database "XXXX.fp7" using "username [fmapp]".

      The problem is best described by KB article answer id 6938 but it doesn't appear to apply to versions 10 or 11 - http://help.filemaker.com/app/answers/detail/a_id/6938/~/windows-xp-sp3-forced-client-authentication-when-server-display-filter-set-for

        • 1. Re: Cannot get SSO working on Windows XP SP3
          JasperStoodley

          I have finally figured out the problem!

          Our servers have been hardened via various group policy settings, including the following one:

          Network security: LAN Manager authentication level

          Our server setting: 

          Send NTLMv2 response only: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.

          Our client setting:

          no setting applied, defaults to:

          Send NTLM response only: Clients use NTLM authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.

          While this works for Windows network resources, e.g. network drives and printers, it causes problems for FileMaker SSO.

          By changing the client setting, via GPO as follows, FileMaker SSO works properly again:

          Send NTLMv2 response only: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
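
Added example, not part of the original thread: one way to confirm which "Network security: LAN Manager authentication level" is actually in effect on each client after the GPO change, by reading the `LmCompatibilityLevel` value that this policy writes under the LSA registry key. It assumes PowerShell 2.0 or later and, for remote machines, a running Remote Registry service and administrative rights; the function name and the computer names in the comment are hypothetical.

```powershell
# Added example: report the LAN Manager authentication level per computer.
# Policy names as shown in the Windows security options list, keyed by registry value.
$LevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {   # hypothetical helper name
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    foreach ($computer in $ComputerName) {
        $r = New-Object PSObject -Property @{
            Computer = $computer; Level = $null; Policy = $null
            SendsNTLMv2 = $null; Error = $null
        }
        try {
            # Use the local hive directly; go through Remote Registry otherwise.
            if ($computer -eq $env:COMPUTERNAME) {
                $hklm = [Microsoft.Win32.Registry]::LocalMachine
            } else {
                $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                    [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
            }
            $lsa = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
            $value = $lsa.GetValue('LmCompatibilityLevel', $null)
            if ($null -eq $value) {
                # No policy or local setting applied to this machine.
                $r.Policy = 'Not configured (operating system default applies)'
            } else {
                $r.Level = [int]$value
                $r.Policy = $LevelNames[[int]$value]
                # Levels 3 and above make the client send NTLMv2 responses only.
                $r.SendsNTLMv2 = ([int]$value -ge 3)
            }
            $lsa.Close()
        } catch {
            # Unreachable host, access denied, Remote Registry stopped, etc.
            $r.Error = $_.Exception.Message
        }
        $r | Select-Object Computer, Level, Policy, SendsNTLMv2, Error
    }
}

# Local check; pass constructed names such as 'xp-client-01','win7-client-01' to audit several clients.
Get-LmCompatibilityLevel | Format-List
```

Piping the output through `Where-Object { -not $_.SendsNTLMv2 }` lists the clients that have not yet picked up the "Send NTLMv2 response only" setting.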