Unfortunately I have been having the same problem. I have discussed it in this thread: Re: Active Directory - Sign On
When I called FileMaker on the problem they set up a test environment and couldn't "reproduce" the issue. I was not instilled with confidence in their ability to troubleshoot this problem though. They said that they don't really support external authentication at FileMaker support.
It either works or it doesn't and you're left to fend for yourself apparently. Not quite sure why we keep spending on FM support when they give me such a lovely answer. I've got a lot more useful information from others on the forums.
Yes, sreese, there is overlap.
The specific issue I see is that 'Credential Manager' and 'External Authentication (Single Sign On)' are two different things. The "Allow Credential Manager to save password" flag should have no effect at all on External Authentication. The Credential Manager should be only for storing a FileMaker Account/Password, not an AD account. This is even confirmed by the behavior of FileMaker after the "Allow" flag is turned on in a database. If the user has an AD account they never see the login dialog and do not have the option to save their credentials in CM. But if you have a mixture of users (some with AD accounts and some without), you don't have an option to use External Authentication for the AD accounts AND prevent FM Account users from saving their credentials.
Maybe you or others were saying the same. If so then I'm glad to add my voice. Thanks.
I am running into the same thing. It's not as big an issue right now because everyone is in AD, but I agree that this is a problem.
1. We should be able to disallow CM to be used. Whether or not they are using AD.
2. If we turn it off, it prompts them for their login for AD, but allows them to save it in CM.
Should definitely be 2 options that can be controlled separately.
Thanks Josh and Jbardwell,
FileMaker said it works the way that we think it should in their environment to test.
We have a support agreement with them so I called them up to ask them and they said they set up a test box and it worked whether it was checked or unchecked. I'm not really certain that I agree with them on it, but they also said we don't provide support for external authentication.
So talking to them was really kind of a futile effort. They couldn't really provide anything that helps. I set up a brand new network at home and the issue still persists, though I did exactly what they claimed they did and had different results.
Thank you for your posts.
The statement "Single Sign On login has higher priority over Keychain/Credential Manager support" is correct. On Windows for Single Sign On, we always ask for the login credentials, and if we get any, send them to the server to see if it can get a security context out of it.
"The "Allow Credential Manager to save password" flag should have no effect at all on External Authentication. The Credential Manager should be only for storing a FileMaker Account/Password, not an Active Directory account." This is incorrect as the Windows Credential Manager simply stores a user name and password which could of course belong to a Domain account.
Single Sign On will only work when the following conditions are used:
1. The machine where FileMaker Pro is installed is a member of a domain with a working machine account password.
2. The domain user has actively logged into the system using a domain account.
3. The FileMaker hosted solution is using an "External" group name in which the logged in user from step #2 is a member of the Domain.
4. The FileMaker solution is hosted on a Domain member machine using FileMaker Server.
With these four conditions, the user simply opens a hosted solution from "Open Remote" and is not prompted for user name and password as Single Sign On is being used from the system logon from step #2.
Hello, I can confirm that there is an undocumented behavior -- or outright bug -- just as others described above. I'm meeting all four steps that you listed, but there is a step 5 -- without this step, SSO will fail:
5. Allow Credential Manager to save password checkbox must be selected in File Options.
We use a mix of internal and external accounts, and when I noticed the "allow" option was selected, I thought someone had enabled it without asking (we have a large group of in-house devs). I thought it might be a good idea to un-check the box.
What I have since learned is that new FM14 files will have the box un-checked by default, but files created in versions prior to 14 will have it enabled by default! See:
That document makes sense, but it doesn't mention SSO at all. Probably because it shouldn't be relevant.
If this is not considered a bug, it really should be documented somewhere.
That is exactly the behavior we were running into. Several have told us that the checkbox you referenced 'should have no effect on External Authentication', but it clearly does. I ran, literally, dozens of tests and wasted nearly 45 hours dealing with it...to be told that the behavior I was seeing doesn't happen. ::shrug::
I'm sure it will be addressed now that I've chimed in.
I know the feeling Josh. I spent more than a week testing this as well. I even went so far as to create a new domain with no real customization and I still couldn't get it to work.
I even called FileMaker support on this and got nowhere. I've written off calling FileMaker support and just work with others here on the forums, and elsewhere to troubleshoot problems. I think when our site license expires we aren't going to include the FM support package next time.
Here are the common responses I get:
- You'll need to restart the server to fix that problem
- It's working as intended
- We can't reproduce your issue.
- And my favorite response was to this issue: "We don't provide support for external authentication".
As to this particular issue - I decided that FM was clearly wrong in their response and have gone on to mark that checkbox as was discussed earlier.
Just to make it clear, I still think the program is great, but I've found that most enhancements to the paradigm don't come from FileMaker itself, but the community who figures out ways to do things that the program wasn't designed for (i.e. selector connector).
I found this somewhere in FileMaker's online help:
Single Sign-On (SSO) in FileMaker Pro 14
Answer ID: 15931
Products
- FileMaker Pro
When opening a database on Windows using FileMaker Pro, Single Sign-On is expected to automatically log in to the file using your Windows user credentials under the following conditions:
- The file is hosted on FileMaker Server.
- FileMaker Server is configured to allow external authentication.
- A security account in the file is configured with an external group.
- The Windows user account you are logged in as belongs to that external group.
In FileMaker Pro 14, Single Sign-On will fail even after meeting these conditions.
WORKAROUND:
- Open the file in FileMaker Pro 14.
- Go to the File menu > File Options.
- Enable "Allow Credentials Manager to save password"
Note: This issue is resolved in FileMaker Pro 15.
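
Added example, not part of the original thread or of FileMaker's documentation: a PowerShell check of the client-side SSO conditions listed above (domain membership with a working machine account, a domain logon, membership in the external group), useful for ruling those out before looking at the File Options checkbox. The group name `FM_Users` is a hypothetical placeholder; `Test-ComputerSecureChannel` is assumed to be available (Windows PowerShell 5.1) and usually needs an elevated prompt.

```powershell
# Added example: verify the Windows-side preconditions for FileMaker SSO.
# $ExternalGroup is a placeholder; pass the external group name configured
# in the hosted file's security accounts.
param(
    [string]$ExternalGroup = 'FM_Users'   # hypothetical group name
)

$results = [ordered]@{}

# Condition 1a: the machine is a member of a domain.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$results['MachineInDomain'] = [bool]$cs.PartOfDomain
$results['Domain']          = $cs.Domain

# Condition 1b: the machine account password still works (secure channel to a DC).
try {
    $results['SecureChannelOK'] = [bool](Test-ComputerSecureChannel -ErrorAction Stop)
} catch {
    $results['SecureChannelOK'] = "unknown: $($_.Exception.Message)"
}

# Condition 2: the current logon is a domain account, not a local one.
# For a local account, USERDOMAIN equals the computer name.
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$results['LoggedOnAs']  = $id.Name
$results['DomainLogon'] = [bool]$cs.PartOfDomain -and ($env:USERDOMAIN -ne $env:COMPUTERNAME)

# Condition 3: the logon token carries the external group.
# Token groups include nested memberships, but only as of the last logon.
$groups = foreach ($sid in $id.Groups) {
    try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
}
$results['InExternalGroup'] = [bool]($groups |
    Where-Object { ($_ -split '\\')[-1] -eq $ExternalGroup })

# Credential Manager entries in this profile, listed for review only.
# How FileMaker names its entries is not stated in the thread; English
# cmdkey output ("Target:") is assumed.
$results['StoredCredentialTargets'] = @(cmdkey /list |
    Select-String 'Target:' | ForEach-Object { $_.Line.Trim() })

[pscustomobject]$results | Format-List
```

If every condition reports true and SSO still prompts for credentials in FileMaker Pro 14, the remaining variable is the "Allow Credential Manager to save password" setting discussed in the thread.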