FileMaker 12 Server External Authentication Problems - Mac OSX to Active Directory
I'm unable to get FileMaker Server 12 (Mac) to externally authenticate FileMaker clients to my Windows Active Directory. The Mac is running Mac OS 10.8.4. FileMaker Server is version 184.108.40.2065.
When my user account attempts to open a hosted FileMaker file I receive this error in the server log: Client "Developer (COMPUTERNAME) [192.168.1.xx]" single sign-on authentication failed on database "Menu.fmp12" using "USERNAME [fmapp]".
I am migrating a FileMaker 9 server to FileMaker 12 and external authentication is working in FileMaker 9 (and has been for several years) to the Active Directory; albeit from a Windows XP machine as the FileMaker 9 server. Therefore, in my mind, the variables in play in the computing environment are a Mac OS based FileMaker Server and FileMaker Server 12.
Here are some details about the new implementation:
1. The "FileMaker and external server accounts" radio button is enabled in the Database Server/Security screen of the FileMaker Server Admin Console.
2. The Mac server has been "bound" to the Active Directory; I am able to log into the Mac Server with Active Directory user accounts and browse the network.
3. I have an Active Directory Security Group called "FM". As a test, if I place this group name ("FM") into the User External Group field in the Authentication section of the Admin Console tab in General Settings of the FileMaker Server Admin Console and click the "Test External Group" button, the FileMaker Server responds with "Status: Validated". This tells me that the FileMaker Server can, at some level, query the Active Domain for group names. Additionally, in the Mac OS X terminal window, I have issued the “dscacheutil -q group” command to list all groups and users on the Active Directory and the “FM” group appears in that list.
4. My User Account has been assigned to the "FM" security group; I have confirmed this by issuing the Net User command in the Windows 7 Command window.
5. I have a FileMaker Database file called Menu.fmp12 which is hosted on the Mac OS FileMaker 12 Server. In the Security dialog box on the Accounts tab I have an account defined as "FM" with a type of External Server with the privilege set of “[Data Entry Only]”. The FM account is the first account in the authentication order. The “Access via FileMaker Network (fmapp)” Extended Privileges checkbox has been enabled for the “[Data Entry Only]” privilege set.
6. The Mac OS FileMaker server does not have duplicate account names from the Active Directory.
7. I noticed the group names were appearing with the domain name and a slash when I queried for groups on the Mac. I tried making the FileMaker group name “<domain>/FM” to no avail.
So, I’ve exhausted my knowledge on this matter. I imagine (or hope) I'm missing something silly. Anyone have any ideas?