4 Replies Latest reply on Nov 22, 2010 11:50 AM by JasperStoodley

    Cannot get SSO working on Windows XP SP3

    JasperStoodley

      I cannot get SSO to work properly on our FileMaker Pro 11v2 clients running Windows XP (SP3) that connect to a variety of remote databases on my FileMaker 11v2 Advanced Server (running Windows 2003 Std).

      The problem is that despite having an SSO setup, the end user is prompted twice for their username/password before they can access any given database. With FileMaker Pro 11 clients on Windows 7 Pro, the SSO works just fine, so I believe that rules out my server-side setup.


      Background Info:
      ----------------------------------

      In the FileMaker Server Admin Console, I have the “List only the databases each user is authorized to access” option selected under “File Display Filter” under the Database Server > Security tab.

      The environment is a university with a large Windows active directory and I am using the university-wide domain controllers for authentication. All my servers and desktops are members of the same domain.

      FileMaker Pro 10 clients are also affected by the same issue.

      I also had this problem with FileMaker Server Advanced version 10 and was hoping upgrading to 11 would fix the issue.

      FileMaker Server event log reports:
      Information 730
      Client "username (source-computer-name) [source-computer-ip]" single sign-on authentication failed on database "XXXX.fp7" using "username [fmapp]".

      The problem is best described by KB article answer id 6938 but it doesn't appear to apply to versions 10 or 11 - http://help.filemaker.com/app/answers/detail/a_id/6938/~/windows-xp-sp3-forced-client-authentication-when-server-display-filter-set-for

        • 1. Re: Cannot get SSO working on Windows XP SP3
          philmodjunk

          In FileMaker help, there's an article titled: "Creating accounts that authenticate via an external server"

          Have you followed the steps as outlined in that article?

          • 2. Re: Cannot get SSO working on Windows XP SP3
            JasperStoodley

            Hi PhilModJunk,

            Yes, I am familiar with that article. Two points:

            1) My externally authenticated accounts do work, just not via single sign-on. Instead, the externally authenticated accounts (and FileMaker accounts such as Admin for that matter) must enter their username and password twice in order to authenticate (presumably once to view the list of databases they are allowed to access and the second time to actually open the desired database).

            2) Single sign-on works from Windows 7 Pro operating systems, so once the user is logged into the computer with their active directory credentials they can just 'open remote' in FileMaker, select the server, then the database they want and open it without being prompted for a username/password.

            • 3. Re: Cannot get SSO working on Windows XP SP3
              JasperStoodley

              Some additional information:

              1) SSO also does not work on a clean Windows XP SP2 (no other applications, updates) installation with FileMaker Pro 11v2

              2) SSO works fine on a clean Windows 7 Pro (64bit) installation with FileMaker Pro 11v2 (my other Win7 machines are 32-bit and they work fine as well)

              3) The issue is not database specific. SSO does not work if I created a blank/empty database with only a single account matching an AD group for external authentication

              I actually already called paid tech support regarding this issue and they weren't all that helpful. They suggested that I post to this forum as I would be able to contact the FileMaker developers most familiar with SSO directly.

              • 4. Re: Cannot get SSO working on Windows XP SP3
                JasperStoodley

                I have finally figured out the problem!

                Our servers have been hardened via various group policy settings, including the following one:

                Network security: LAN Manager authentication level

                Our server setting: 

                Send NTLMv2 response only: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.

                Our client setting:

                no setting applied, defaults to:

                Send NTLM response only: Clients use NTLM authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.

                While this works for Windows network resources, e.g. network drives and printers, it causes problems for FileMaker SSO.

                By changing the client setting, via GPO as follows, FileMaker SSO works properly again:

                Send NTLMv2 response only: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers accept LM, NTLM, and NTLMv2 authentication.
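
The policy named in the last post is stored as the `LmCompatibilityLevel` DWORD under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, where 2 is "Send NTLM response only" and 3 is "Send NTLMv2 response only". The following is an added example, not part of the original thread: it audits `reg query` output collected from clients and lists machines below the level the fix sets. The host names and captured output are constructed, and `parse_level` and `audit` are hypothetical helper names.

```python
import re

# Registry value behind "Network security: LAN Manager authentication level":
#   HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel (REG_DWORD)
LEVELS = {
    0: "Send LM & NTLM responses",
    1: "Send LM & NTLM - use NTLMv2 session security if negotiated",
    2: "Send NTLM response only",
    3: "Send NTLMv2 response only",
    4: "Send NTLMv2 response only. Refuse LM",
    5: "Send NTLMv2 response only. Refuse LM & NTLM",
}

VALUE_RE = re.compile(
    r"^\s*LmCompatibilityLevel\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$", re.M)

def parse_level(reg_output):
    """Return the configured level, or None when the value is absent."""
    m = VALUE_RE.search(reg_output)
    return int(m.group(1), 16) if m else None

def audit(outputs, required=3):
    """Map host -> (level, finding) for hosts below the required level."""
    findings = {}
    for host, text in outputs.items():
        level = parse_level(text)
        if level is None:
            # No policy applied: the OS default is used, and it differs
            # between Windows versions, so the host needs an explicit GPO.
            findings[host] = (None, "not configured; OS default applies")
        elif level < required:
            findings[host] = (level, LEVELS.get(level, "unknown level"))
    return findings

# Constructed sample: output of
#   reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v LmCompatibilityLevel
SAMPLE = {
    "XP-LAB-01": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\n"
                 "    LmCompatibilityLevel    REG_DWORD    0x2\n",
    "WIN7-LAB-02": "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\n"
                   "    LmCompatibilityLevel    REG_DWORD    0x3\n",
    "XP-LAB-03": "ERROR: The system was unable to find the specified "
                 "registry key or value.\n",
}

if __name__ == "__main__":
    for host, (level, finding) in sorted(audit(SAMPLE).items()):
        print(f"{host}: level={level} ({finding})")
```

A host reported as "not configured" matches the client state described in the post, where no setting was applied until the GPO change.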