0 Replies Latest reply on Jul 12, 2010 7:48 AM by cah190

    External Server Authentication using AD with Kerberos Trust

    cah190

      I am trying to get FileMaker Server 11 Advanced to authenticate against our Active Directory which has a trust to a MIT Kerberos v5 realm.  All of our users have shadow accounts in the ACCESS Active Directory and authenticate via accounts maintained in the Kerberos realm dce.psu.edu (the name contains dce for historical reasons).

      So far I have been unable to make FileMaker and IWP clients authenticate.  Oddly, Administrator Groups using external groups can successfully authenticate.

      The server is running Windows Server 2003 R2 with all updates (I have also tried the latest Server 2008 build with identical results).  The system is bound to the ACCESS AD and has appropriate registry settings to authenticate users against the dce.psu.edu K5 realm.  The system account has been trusted for delegated authentication (which is the configuration change that made the Administrator Groups with external groups start functioning).

      I have been trying to log on via FileMaker Pro and IWP using bare user names (cah190), K5-style user names (cah190@dce.psu.edu), and NT-style user names (dce.psu.edu\cah190).  Both the K5 and NT variants work fine for Administrator Group logins.

      Here is a typical authentication failure we are seeing when attempting to log in via a FileMaker Pro client as cah190@dce.psu.edu:

      Event Type:    Failure Audit
      Event Source:    Security
      Event Category:    Logon/Logoff
      Event ID:    529
      Date:        7/8/2010
      Time:        3:15:59 PM
      User:        NT AUTHORITY\SYSTEM
      Computer:    CHEMFILEMAKER
      Description:
      Logon Failure:
           Reason:        Unknown user name or bad password
           User Name:    cah190
           Domain:        dce.psu.edu
           Logon Type:    3
           Logon Process:    Advapi  
           Authentication Package:    Negotiate
           Workstation Name:    CHEMFILEMAKER
           Caller User Name:    CHEMFILEMAKER$
           Caller Domain:    ACCESS
           Caller Logon ID:    (0x0,0x3E7)
           Caller Process ID:    1760
           Transited Services:    -
           Source Network Address:    -
           Source Port:    -
           
      It looks very similar to a failed login via the administration tool with a mistyped password:

      Event Type:    Failure Audit
      Event Source:    Security
      Event Category:    Logon/Logoff
      Event ID:    529
      Date:        7/8/2010
      Time:        3:28:38 PM
      User:        NT AUTHORITY\SYSTEM
      Computer:    CHEMFILEMAKER
      Description:
      Logon Failure:
           Reason:        Unknown user name or bad password
           User Name:    cah190
           Domain:        dce.psu.edu
           Logon Type:    2
           Logon Process:    Advapi  
           Authentication Package:    Negotiate
           Workstation Name:    CHEMFILEMAKER
           Caller User Name:    CHEMFILEMAKER$
           Caller Domain:    ACCESS
           Caller Logon ID:    (0x0,0x3E7)
           Caller Process ID:    1940
           Transited Services:    -
           Source Network Address:    -
           Source Port:    -

      The only significant difference I can discern is the Logon Type is 3 (network logon) for FM Pro/IWP clients, but 2 (interactive logon) for Administrator connections.  Also, doing a packet trace I can see that the K5 DCs are never consulted for FM Pro/IWP clients, but are consulted for administrator connections.

      Here is a successful authentication for cah190@dce.psu.edu via the administration tool.

      Event Type:    Success Audit
      Event Source:    Security
      Event Category:    Logon/Logoff
      Event ID:    528
      Date:        7/8/2010
      Time:        3:14:38 PM
      User:        ACCESS\cah190
      Computer:    CHEMFILEMAKER
      Description:
      Successful Logon:
           User Name:    cah190
           Domain:        ACCESS
           Logon ID:        (0x0,0x617C9)
           Logon Type:    2
           Logon Process:    Advapi  
           Authentication Package:    Negotiate
           Workstation Name:    CHEMFILEMAKER
           Logon GUID:    {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
           Caller User Name:    CHEMFILEMAKER$
           Caller Domain:    ACCESS
           Caller Logon ID:    (0x0,0x3E7)
           Caller Process ID: 1940
           Transited Services: -
           Source Network Address:    -
           Source Port:    -

      Is there anything I can change on my end to make the FM Pro/IWP logins happen in the same way as the administrator logins?  If not, what are the chances of having the necessary changes made in FileMaker Server to make the external authentication work for the FM Pro/IWP case?

      I'm guessing the difference is in the logon type being requested by FileMaker Server, since an interactive (type 2) logon probably activates the Windows authentication login logic necessary to get the Kerberos ticket.  I'm also guessing the network logons (type 3) are a lot faster and work for pure AD environments, but are not sufficient in my scenario with the K5 trust.  A registry setting or checkbox to control which logon type is used would be helpful, if this is the problem.

      I'm open to any suggestions on things to try on my end, though since the administrator logins work, I'm starting to think the problem must lie in how FileMaker Server handles client logins.

      Thanks in advance for any suggestions,
      Craig
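Added example (not part of the original post and not FileMaker's or Microsoft's code): a small parser for Security-log entries in the text layout shown above that reports, per user, which logon types only ever fail while another logon type succeeds for the same user, i.e. the type 3 versus type 2 split described in the post. The sample entries are constructed to mirror the post, not copied from a server.

```python
import re
from collections import Counter
# Constructed sample in the layout of the post's Security-log entries: a type 3
# failure (FM Pro client), a type 2 failure (bad password) and a type 2 success.
SAMPLE_LOG = """\
Event ID:    529
     User Name:    cah190
     Domain:        dce.psu.edu
     Logon Type:    3

Event ID:    529
     User Name:    cah190
     Domain:        dce.psu.edu
     Logon Type:    2

Event ID:    528
     User Name:    cah190
     Domain:        ACCESS
     Logon Type:    2
"""
LOGON_TYPE = {2: "interactive", 3: "network"}
OUTCOME = {"528": "success", "529": "failure"}  # pre-Vista IDs, as in the post

def parse_events(text):
    """Blank-line separated entries of 'Key: value' lines -> list of dicts."""
    events = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in chunk.splitlines())
        fields = {k.strip(): v.strip() for k, sep, v in pairs if sep}
        if "Event ID" in fields:
            events.append(fields)
    return events

def outcomes_by_logon_type(events):
    """user -> logon type -> Counter of 'success'/'failure' audit events."""
    table = {}
    for ev in events:
        outcome = OUTCOME.get(ev.get("Event ID"))
        if outcome:
            per_type = table.setdefault(ev.get("User Name", "?"), {})
            per_type.setdefault(int(ev.get("Logon Type", 0)), Counter())[outcome] += 1
    return table

def logon_types_never_succeeding(table):
    """Users who succeed with some logon type but only ever fail with another."""
    found = []
    for user, per_type in table.items():
        if any(c["success"] for c in per_type.values()):
            for ltype, c in sorted(per_type.items()):
                if c["failure"] and not c["success"]:
                    found.append((user, ltype, LOGON_TYPE.get(ltype, "other")))
    return found
```

Feeding an exported log into `parse_events` and then `logon_types_never_succeeding` confirms whether every failure for a user is confined to one logon type before blaming the trust or the password.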