1 Reply Latest reply on Aug 20, 2013 8:00 AM by jmastrianni

    FileMaker 12 Server External Authentication Problems - Mac OSX to Active Directory

    jmastrianni


           Hi Folks:

           I'm unable to get FileMaker Server 12 (Mac) to externally authenticate FileMaker clients to my Windows Active Directory.  The Mac is running Mac OS 10.8.4.  FileMaker Server is version 12.0.4.405.

           When my user account attempts to open a hosted FileMaker file I receive this error in the server log:  Client "Developer (COMPUTERNAME) [192.168.1.xx]" single sign-on authentication failed on database "Menu.fmp12" using "USERNAME [fmapp]".  

           I am migrating a FileMaker 9 server to FileMaker 12 and external authentication is working in FileMaker 9 (and has been for several years) to the Active Directory; albeit from a Windows XP machine as the FileMaker 9 server.  Therefore, in my mind, the variables in play in the computing environment are a Mac OS based FileMaker Server and FileMaker Server 12. 

           Here are some details about the new implementation:

           1.  The "FileMaker and external server accounts" radio button is enabled in the Database Server/Security screen of the FileMaker Server Admin Console.

           2.  The Mac server has been "bound" to the Active Directory; I am able to log into the Mac Server with Active Directory user accounts and browse the network. 

           3.  I have an Active Directory Security Group called "FM".  As a test, if I place this group name ("FM") into the User External Group field in the Authentication section of the Admin Console tab in General Settings of the FileMaker Server Admin Console and click the "Test External Group" button, the FileMaker Server responds with "Status: Validated".  This tells me that the FileMaker Server can, at some level, query the Active Domain for group names.  Additionally, in the Mac OS X terminal window, I have issued the "dscacheutil -q group" command to list all groups and users on the Active Directory and the "FM" group appears in that list.

           4. My User Account has been assigned to the "FM" security group; I have confirmed this by issuing the Net User command in the Windows 7 Command window. 

           5. I have a FileMaker Database file called Menu.fmp12 which is hosted on the Mac OS FileMaker 12 Server.  In the Security dialog box on the Accounts tab I have an account defined as "FM" with a type of External Server with the privilege set of "[Data Entry Only]". The FM account is the first account in the authentication order.  The "Access via FileMaker Network (fmapp)" Extended Privileges checkbox has been enabled for the "[Data Entry Only]" privilege set.

           6.  The Mac OS FileMaker server does not have duplicate account names from the Active Directory. 

           7.  I noticed the group names were appearing with the domain name and a slash when I queried for groups on the Mac.  I tried making the FileMaker group name “<domain>/FM” to no avail.

           So, I’ve exhausted my knowledge on this matter. I imagine (or hope) I'm missing something silly.   Anyone have any ideas?

            

           Thanks,

           Jim M


        • 1. Re: FileMaker 12 Server External Authentication Problems - Mac OSX to Active Directory
          jmastrianni

               FileMaker Technical Support reached out to me, and after we investigated the matter we found that Single Sign On requires a Windows OS for FileMaker Server. Here's the response from FM Support:

          Thanks for waiting for me to get back with you. I found an updated guide that more clearly states that Single Sign On will require FileMaker Server to be installed on a Windows OS. Even so, you still might be able to build this functionality into the database with a Re-login startup script and capturing the user's computer login with the Get(UserName) function. Thanks again for your patience, and let me know if you have any questions.

               We already use the Troi File plugin, which has a nifty function that allows you to run a system command and get the result back.  So, I've used that function to determine the user name and the Active Directory groups they have access to.
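
The group checks described in the thread (the `dscacheutil -q group` listing, the domain-prefixed group names, and looking up a user's Active Directory groups from a system command) can be scripted. The following is an added example, not code from the poster or from FileMaker. It assumes the command prints blank-line-separated records of `name:` and `users:` lines; the domain `EXAMPLE` and the users `jdoe` and `asmith` are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed input format: records as printed
# by `dscacheutil -q group`, separated by blank lines, with "name:" and
# "users:" lines.

# group_has_member GROUP USER   (records are read from stdin)
# Exit 0 if USER is listed under GROUP, 1 otherwise. A directory prefix such as
# "EXAMPLE\FM" or "EXAMPLE/FM" is ignored; matching is case-insensitive.
group_has_member() {
    WANT_GROUP="$1" WANT_USER="$2" awk '
        # Drop everything up to the last backslash or slash, then lowercase.
        function bare(s,   i) {
            while ((i = index(s, "\\")) || (i = index(s, "/")))
                s = substr(s, i + 1)
            return tolower(s)
        }
        BEGIN {
            group = bare(ENVIRON["WANT_GROUP"])
            user  = bare(ENVIRON["WANT_USER"])
        }
        /^name: /  { current = bare(substr($0, 7)) }
        /^users: / && current == group {
            n = split(substr($0, 8), members, " ")
            for (i = 1; i <= n; i++)
                if (bare(members[i]) == user) found = 1
        }
        /^$/ { current = "" }   # blank line ends the record
        END  { exit (found ? 0 : 1) }
    '
}

# Constructed sample output (hypothetical domain, groups and users).
sample_records() {
    cat <<'EOF'
name: EXAMPLE\FM
password: *
gid: 1234567
users: jdoe EXAMPLE\asmith

name: staff
password: *
gid: 20
users: root
EOF
}

# On a bound Mac: dscacheutil -q group | group_has_member FM "$USER"
if sample_records | group_has_member FM jdoe; then
    echo "jdoe is listed in FM"
fi
```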