10 Replies Latest reply on Jul 26, 2017 4:43 AM by Fred(CH)

    External authentication on FM11 Admin Console

    Fred(CH)

      Hello there,

       

      My customer is able to log onto the FM11 Admin Console using External authentication BUT only using an account that has Administrator privileges on the FileMaker Server Windows machine.

       

      Is this limitation "as expected" or not?

       

      Thanks in advance...

       

      Bye, Fred

        • 1. Re: External authentication on FM11 Admin Console
          wimdecorte

          Windows or Mac?

          AD / OD or local groups?

          • 2. Re: External authentication on FM11 Admin Console
            Fred(CH)

            Hi Wim,

             

            Thank you very much for answering.

             

            Windows + AD

             

            I do not have much more info at this time, but I can grab more if needed!

             

            Fred

            • 3. Re: External authentication on FM11 Admin Console
              wimdecorte

              So the group that you have specified for admin access to the console is an AD group right?  What OS is the server?

              • 4. Re: External authentication on FM11 Admin Console
                Fred(CH)

                Yes: AD group.

                 

                For the OS, I am almost sure it is a Windows 2008 Server, but I can verify that later more accurately.

                • 5. Re: External authentication on FM11 Admin Console
                  Fred(CH)

                  More detailed information:

                   

                  CONFIGURATION:

                  • Windows Server 2008 R2 Standard
                  • FileMaker Server 11 Advanced – Version 11.0.3.309
                  • Java Version 8 Update 31 (build 1.8.0_31-b13)
                  • Both accounts are members of the AD group which is specified and validated within admin console preferences

                   

                  PROBLEM:

                  The first account, which can be authenticated by Admin Console, is a member of ADMINISTRATORS on the FileMaker Server machine, whereas the second is only a member of POWER USERS and fails to connect to Admin Console ("Invalid name or password").

                   

                  These tests were made locally on the server machine, and also from a remote client, with the exact same results. If the second account is then included as a part of ADMINISTRATORS, a following attempt is successful.

                   

                  QUESTION:

                  Is it as expected? From my customer's IT engineer's point of view, it makes no sense to do so; he is asking if there are intermediate rights needed upon any specific files/folders (or any registry key)?

                   

                  NOTE:

                  No entries were found in the FileMaker Server log about these failing attempts; however, if the Admin account tries with a wrong password, a corresponding entry is made.

                  • 6. Re: External authentication on FM11 Admin Console
                    wimdecorte

                    I don't recall that being a requirement. First thing to try would be to update to v5, which was the last patch for FMS11.

                     

                    Is the FMS service itself running as the default (local system) or has that been changed to an AD service account?

                    Not sure I understand the question about the intermediate rights for files and folders, or what kind of registry key he would want to look for.

                     

                    On the logs: you should see something in the Windows Security Log I imagine (a failure audit entry).
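
Added example (not part of the thread and not FileMaker's own tooling): one way to look for the failure audit entry mentioned in reply 6 is to read logon-failure events (ID 4625) from the Windows Security log for the account that is refused. The account name is a placeholder, and the script assumes logon-failure auditing is enabled on the server.

```powershell
# Added example: list recent failed logons (Security event 4625) for one account.
# Run in an elevated PowerShell session on the FileMaker Server machine.
$Account = 'fmtestuser'              # placeholder: name of the refused account
$Since   = (Get-Date).AddHours(-1)   # look back one hour

# Common NTSTATUS values found in the Status/SubStatus fields of event 4625.
$StatusText = @{
    '0xc0000064' = 'user name does not exist'
    '0xc000006a' = 'wrong password'
    '0xc000006d' = 'generic logon failure'
    '0xc000006e' = 'account restriction'
    '0xc0000072' = 'account disabled'
    '0xc000015b' = 'logon type not granted on this machine'
    '0xc0000234' = 'account locked out'
}

$filter = @{ LogName = 'Security'; Id = 4625; StartTime = $Since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # Flatten the named <Data> fields of the event into a hashtable.
    $xml = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # Keep only events for the account under test.
    if ($d['TargetUserName'] -ne $Account) { return }

    $sub = "$($d['SubStatus'])".ToLower()
    [pscustomobject]@{
        Time      = $_.TimeCreated
        Account   = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
        LogonType = $d['LogonType']     # e.g. 2 = interactive, 3 = network
        Process   = $d['ProcessName']   # process that requested the logon
        Source    = $d['IpAddress']
        Status    = $d['Status']
        SubStatus = $d['SubStatus']
        Meaning   = if ($StatusText.ContainsKey($sub)) { $StatusText[$sub] } else { 'not in table' }
    }
} | Format-Table -AutoSize
```

Comparing the SubStatus and LogonType of a refused attempt by the non-administrator account with those of a deliberate wrong-password attempt shows whether Windows rejected the credentials or the kind of logon.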

                    • 7. Re: External authentication on FM11 Admin Console
                      Fred(CH)

                      Thanks!

                       

                      Yes, I will ask for the v5 update to be applied; let's see, but OTOH they have planned to upgrade to FileMaker 14 in 2016 and it is not a critical issue, more a convenience one. Also, their IT decision workflows are heavy and slow because they are a part of the State Administration.

                       

                      Good question also about the FMS Service; but I am curious which option would be the better one from your point of view? AD Service account?

                       

                      About "intermediate rights", which was badly worded (sorry): he probably meant whether it can make a difference if the user has, for instance, write authorization on the FileMaker Server folder (as an example).

                      • 8. Re: External authentication on FM11 Admin Console
                        wimdecorte

                        Fred(CH) wrote:

                         

                        Good question also about the FMS Service; but I am curious which option would be the better one from your point of view? AD Service account?

                         

                         

                        The only place where it makes a difference is if you have FMS server-side schedules that need to touch network shares outside of the FMS machine. Then the default "local system" may not always be enough and an AD service account with the proper rights has to be used.

                        • 9. Re: External authentication on FM11 Admin Console
                          tris

                          Hi,

                           

                          We experience the same problem as Fred described. If we add an AD group as an administrative group, we can successfully validate the group in the admin console. But we fail to access the group console from another client until we add the AD group to the Administrator group on the Windows Server. From the security point of view this is far from ideal.

                          We are in contact with FileMaker Support, but it wasn't that successful until now.

                           

                          We use Windows Server 2012 R2, FM Server 15.0.1.137 (Default - local System) and Windows 7 clients.

                           

                          If someone has a hint, we would appreciate it. I'll post if we get some useful information from the Support.

                           

                          Thanks & bye

                          felix

                          • 10. Re: External authentication on FM11 Admin Console
                            Fred(CH)

                            Hi tris,

                             

                            I was unable to move this thread to the Report a Product Issue section, so I added a report.

                             

                            Bye, Fred