10 Replies Latest reply on Sep 20, 2016 9:41 AM by jdevans

    External Authentication (SSO) ignored by FM 14 client in some databases

    jbardwell

      Product and version

      FileMaker Pro Advanced 14 (subversion varies) connecting to database hosted on FMS 14 (subversion varies)

       

      OS and version

      Windows 8.1 for client and Windows Server 2008 R2 for host. Probably true of other Windows versions as well.

       

      Browser and version

      NA

       

      Description

      For some databases, it was found that users are prompted to authenticate with External AD accounts. On the same server, with the same AD Security account in both, new databases created from scratch (nothing in them) prompt users to authenticate while 'legacy' databases, created in pre-14 versions of FM (and hosted on the server when it was upgraded to FMS14), do not prompt users (at least for those tested, and toggling "Allow Credential Manager to save password" ends up also requiring the workaround below).

       

      Even though KB says "Single Sign On login has higher priority over Keychain/Credential Manager support." (see Keychain and Windows Credentials Support | FileMaker) it appears in Windows that this may not always be the case.

       

      How to replicate

      1. Create new empty solution in FM14
      2. Upload to FMS14
      3. In Security create a valid AD external account that current user has access to
      4. Close the database
      5. Reopen database and user is prompted to authenticate. The expected behavior is that Users with valid AD accounts should not have to enter credentials.

       

      Workaround

      • Checking File Options... > Open > "Allow Credential Manager to save password": the FM client uses AD external authentication and progresses without prompting for credentials.
        • 1. Re: External Authentication (SSO) ignored by FM 14 client in some databases
          sreese

          Unfortunately I have been having the same problem. I have discussed it in this thread: Re: Active Directory - Sign On

           

          When I called FileMaker on the problem they set up a test environment and couldn't "reproduce" the issue. I was not instilled with confidence in their ability to troubleshoot this problem though. They said that they don't really support external authentication at FileMaker support.

           

          It either works or it doesn't and you're left to fend for yourself apparently. Not quite sure why we keep spending on FM support when they give me such a lovely answer. I've got a lot more useful information from others on the forums.

          • 2. Re: External Authentication (SSO) ignored by FM 14 client in some databases
            jbardwell

            Yes, sreese, there is overlap.

             

            The specific issue I see is that 'Credential Manager' and 'External Authentication (Single Sign On)' are two different things. The "Allow Credential Manager to save password" flag should have no effect at all on External Authentication. The Credential Manager should be only for storing a FileMaker Account/Password, not an AD account. This is even confirmed by the behavior of FileMaker after the "Allow" flag is turned on in a database. If the user has an AD account they never see the login dialog and do not have the option to save their credentials in CM. But if you have a mixture of users (some with AD accounts and some without): you don't have an option to use External Authentication for the AD accounts AND prevent FM Account users from saving their credentials.

             

            Maybe you or others were saying the same. If so then I'm glad to add my voice. Thanks.

            • 3. Re: External Authentication (SSO) ignored by FM 14 client in some databases
              jormond

              I am running into the same thing. It's not as big an issue right now because everyone is in AD, but I agree that this is a problem.

               

              1. We should be able to disallow CM to be used. Whether or not they are using AD.

              2. If we turn it off, it prompts them for their login for AD, but allows them to save it in CM.

               

              Should definitely be 2 options that can be controlled separately.

              • 4. Re: External Authentication (SSO) ignored by FM 14 client in some databases
                sreese

                Thanks Josh and Jbardwell,

                 

                FileMaker said it works the way that we think it should in their environment to test.

                 

                We have a support agreement with them so I called them up to ask them and they said they set up a test box and it worked whether it was checked or unchecked. I'm not really certain that I agree with them on it, but they also said we don't provide support for external authentication.

                 

                So talking to them was really kind of a futile effort. They couldn't really provide anything that helps. I set up a brand new network at home and the issue still persists, though I did exactly what they claimed they did and had different results.

                • 5. Re: External Authentication (SSO) ignored by FM 14 client in some databases
                  TSGal

                  All:

                   

                  Thank you for your posts.

                   

                  The statement "Single Sign On login has higher priority over Keychain/Credential Manager support" is correct.  On Windows for Single Sign On, we always ask for the login credentials, and if we get any, send them to the server to see if it can get a security context out of it.

                   

                  "The "Allow Credential Manager to save password" flag should have no effect at all on External Authentication.  The Credential Manager should be only for storing a FileMaker Account/Password, not an Active Directory account."  This is incorrect as the Windows Credential Manager simply stores a user name and password which could of course belong to a Domain account.

                   

                  Single Sign On will only work when the following conditions are used:

                  1. The machine where FileMaker Pro is installed is a member of a domain with a working machine account password.

                  2. The domain user has actively logged into the system using a domain account.

                  3. The FileMaker hosted solution is using an "External" group name in which the logged in user from step #2 is a member of the Domain.

                  4. The FileMaker solution is hosted on a Domain member machine using FileMaker Server.

                   

                  With these four conditions, the user simply opens a hosted solution from "Open Remote" and is not prompted for user name and password as Single Sign On is being used from the system logon from step #2.

                   

                  TSGal

                  FileMaker, Inc.

                  • 6. Re: External Authentication (SSO) ignored by FM 14 client in some databases
                    fitch

                    Hello, I can confirm that there is an undocumented behavior -- or outright bug -- just as others described above. I'm meeting all four steps that you listed, but there is a step 5 -- without this step, SSO will fail:

                     

                    5. Allow Credential Manager to save password checkbox must be selected in File Options.

                     

                    We use a mix of internal and external accounts, and when I noticed the "allow" option was selected, I thought someone had enabled it without asking (we have a large group of in-house devs). I thought it might be a good idea to un-check the box.

                     

                    What I have since learned is that new FM14 files will have the box un-checked by default, but files created in versions prior to 14 will have it enabled by default! See:

                    Keychain and Windows Credentials Support | FileMaker

                     

                    That document makes sense, but it doesn't mention SSO at all. Probably because it shouldn't be relevant.

                    If this is not considered a bug, it really should be documented somewhere.

                    • 7. Re: External Authentication (SSO) ignored by FM 14 client in some databases
                      jormond

                      fitch,

                      That is exactly the behavior we were running into. Several have told us that the checkbox you referenced 'should have no effect on External Authentication', but it clearly does. I ran, literally, dozens of tests and wasted nearly 45 hours dealing with it...to be told that the behavior I was seeing doesn't happen. ::shrug::

                      • 8. Re: External Authentication (SSO) ignored by FM 14 client in some databases
                        fitch

                        I'm sure it will be addressed now that I've chimed in.

                        • 9. Re: External Authentication (SSO) ignored by FM 14 client in some databases
                          sreese

                          I know the feeling Josh. I spent more than a week testing this as well. I even went so far as to create a new domain with no real customization and I still couldn't get it to work.

                           

                          I even called FileMaker support on this and got nowhere. I've written off calling FileMaker support and just work with others here on the forums, and elsewhere to troubleshoot problems. I think when our site license expires we aren't going to include the FM support package next time.

                           

                          Here are the common responses I get:

                          • You'll need to restart the server to fix that problem
                          • It's working as intended
                          • We can't reproduce your issue.
                          • And my favorite response was to this issue: "We don't provide support for external authentication".

                           

                          As to this particular issue - I decided that FM was clearly wrong in their response and have gone on to mark that checkbox as was discussed earlier.

                           

                          Just to make it clear, I still think the program is great, but I've found that most enhancements to the paradigm don't come from FileMaker itself, but the community who figures out ways to do things that the program wasn't designed for. (i.e., selector connector).

                          • 10. Re: External Authentication (SSO) ignored by FM 14 client in some databases
                            jdevans

                            I found this somewhere in FileMaker's online help

                             

                             

                            Single Sign-On (SSO) in FileMaker Pro 14

                             

                             

                            Answer ID: 15931

                            Products
                            • FileMaker Pro
                            •    14.x

                             

                            When opening a database on Windows using FileMaker Pro, Single Sign-On is expected to automatically log in to the file using your Windows user credentials under the following conditions:

                            • The file is hosted on FileMaker Server.
                            • FileMaker Server is configured to allow external authentication.
                            • A security account in the file is configured with an external group.
                            • The Windows user account you are logged in as belongs to that external group.
                            ISSUE:
                            In FileMaker Pro 14, Single Sign-On will fail even after meeting these conditions.
                            WORKAROUND:
                            1. Open the file in FileMaker Pro 14.
                            2. Go to the File menu > File Options.
                            3. Enable "Allow Credentials Manager to save password"

                            Note: This issue is resolved in FileMaker Pro 15.
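
Added example, not part of the thread or of FileMaker's documentation: a PowerShell script that checks the client-side SSO preconditions listed in TSGal's reply (conditions 1 to 3) and in the Answer ID 15931 text, run as the affected user on the FileMaker Pro client. The `-ExternalGroup` parameter and its sample value are assumptions; pass the external group name configured in the file's security account.

```powershell
# Added example: client-side checks for the SSO preconditions quoted in this thread.
# $ExternalGroup is an assumed parameter; its sample value below is constructed.
param(
    [Parameter(Mandatory)]
    [string]$ExternalGroup    # e.g. 'EXAMPLE\FM-Users' or just 'FM-Users'
)

$results = [ordered]@{}

# Condition 1a: the client machine is a member of a domain.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$isDomainMember = [bool]$cs.PartOfDomain
$results['Machine is domain member'] = $isDomainMember

# Condition 1b: the machine account password (secure channel) is working.
# The cmdlet can fail when not elevated or when no domain controller is
# reachable, so a failure is reported as unknown rather than as a "no".
try {
    $results['Machine secure channel OK'] = [bool](Test-ComputerSecureChannel -ErrorAction Stop)
} catch {
    $results['Machine secure channel OK'] = 'unknown (retry elevated, on the domain network)'
}

# Condition 2: the user logged on with a domain account, not a local one.
# Heuristic: a local account's identity name starts with the computer name.
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$userDomain = ($id.Name -split '\\')[0]
$results['Logged on with domain account'] = $isDomainMember -and ($userDomain -ne $env:COMPUTERNAME)

# Condition 3: the logon token carries the external group named in the file.
# SIDs that cannot be translated to a name (e.g. logon SIDs) are skipped.
$groupNames = foreach ($sid in $id.Groups) {
    try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
}
$inGroup = [bool]($groupNames | Where-Object {
    $_ -eq $ExternalGroup -or ($_ -split '\\')[-1] -eq $ExternalGroup
})
$results['Token contains external group'] = $inGroup

# One line per check, so a failing precondition stands out.
$results.GetEnumerator() | ForEach-Object { '{0,-32} {1}' -f $_.Key, $_.Value }
```

Group membership is read from the current logon token, so a user added to the group after logging on shows as missing until they log off and on again. The server-side conditions and the "Allow Credential Manager to save password" file option discussed in the thread are not visible to this script and have to be checked in FileMaker Server and in File Options.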