4 Replies Latest reply on Jan 19, 2016 11:51 AM by TSGal

    How does FileMaker Server v13 Web Publishing use Kerberos (SSO) and Open Directory?

    drowland@una.ab.ca

      FileMaker Server 13.0.9.905

      OS X 10.10.5 (Server) and OS X 10.10 - 10.11 (Clients)

      Description: Our Open Directory server is seeing requests for Kerberos service tickets when users log into FileMaker.

      FileMaker Server is using External Authentication and is anonymously bound to Open Directory.


      When web users are logging in, we're seeing requests for Kerberos (SSO) service tickets from the FileMaker Server to the Open Directory Server. This does not occur when FM Client users log in.


      12/11/2015 9:22:33.779 AM kdc[92]: TGS-REQ webUsername@openDirectoryServer.UNA.AB.CA from filemakerServer:64833 for host/fileMakerServer.una.ab.ca@openDirectoryServer.UNA.AB.CA [forwardable]


      TGS-REQ = request from the client for a service-granting ticket (the service presumably being the web service, not FileMaker)

      host/fileMakerServer.una.ab.ca@openDirectoryServer.UNA.AB.CA = this is the service ticket the client is asking for


      We are under the assumption that Kerberos (SSO) only works between Windows clients and Active Directory, however this appears to be related to the Web Publishing engine, not client <--> server connections.
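The kdc log line quoted above carries four things a defender wants when auditing ticket traffic: the request type (AS-REQ for an initial login, TGS-REQ for a service ticket), the client principal, the requesting host and port, and the service principal being asked for. The following parser is an added example, not code from the original post or from FileMaker; it uses the line quoted in the post plus constructed sample lines (the second TGS-REQ, the AS-REQ and the unrelated message are made up), and it assumes the Heimdal-style kdc format shown there. It also generalizes slightly beyond the post by handling AS-REQ lines and lines without a trailing flags bracket.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Matches kdc log lines of the shape quoted in the post:
#   <date> <time> kdc[<pid>]: <AS-REQ|TGS-REQ> <client> from <src> for <service> [<flags>]
KDC_LINE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2}(?:\.\d+)? [AP]M) "
    r"kdc\[(?P<pid>\d+)\]: (?P<req>AS-REQ|TGS-REQ) (?P<client>\S+) "
    r"from (?P<src>\S+) for (?P<service>\S+)(?: \[(?P<flags>[^\]]*)\])?\s*$"
)


@dataclass(frozen=True)
class Principal:
    name: str                 # "webUsername", or "host" for a host service principal
    instance: Optional[str]   # "fileMakerServer.una.ab.ca" for a service principal, else None
    realm: str

    def __str__(self) -> str:
        head = f"{self.name}/{self.instance}" if self.instance else self.name
        return f"{head}@{self.realm}"


def parse_principal(text: str) -> Principal:
    """Split 'name[/instance]@REALM' into its parts."""
    name_part, _, realm = text.rpartition("@")
    if not realm:
        raise ValueError(f"principal has no realm: {text!r}")
    name, _, instance = name_part.partition("/")
    return Principal(name=name, instance=instance or None, realm=realm)


@dataclass(frozen=True)
class KdcRequest:
    timestamp: str
    request_type: str         # "AS-REQ" (initial login) or "TGS-REQ" (service ticket)
    client: Principal
    source: str               # "host:port" exactly as the KDC logged it
    service: Principal
    flags: tuple


def parse_kdc_line(line: str) -> Optional[KdcRequest]:
    """Return a KdcRequest for a ticket-request line, or None for any other line."""
    m = KDC_LINE.match(line)
    if not m:
        return None
    flags = tuple(f for f in (m.group("flags") or "").split() if f)
    return KdcRequest(
        timestamp=m.group("ts"),
        request_type=m.group("req"),
        client=parse_principal(m.group("client")),
        source=m.group("src"),
        service=parse_principal(m.group("service")),
        flags=flags,
    )


def service_ticket_summary(lines: Iterable[str]) -> Counter:
    """Count TGS-REQs per (requesting host, service principal).

    This is the view that answers the post's question: which hosts are asking
    the KDC for which service tickets, and how often.
    """
    counts: Counter = Counter()
    for line in lines:
        req = parse_kdc_line(line)
        if req is None or req.request_type != "TGS-REQ":
            continue
        host = req.source.rsplit(":", 1)[0]   # drop the ephemeral source port
        counts[(host, str(req.service))] += 1
    return counts


SAMPLE_LOG = [
    # The line quoted in the post, hostnames as given there.
    "12/11/2015 9:22:33.779 AM kdc[92]: TGS-REQ webUsername@openDirectoryServer.UNA.AB.CA "
    "from filemakerServer:64833 for host/fileMakerServer.una.ab.ca@openDirectoryServer.UNA.AB.CA [forwardable]",
    # Constructed for this example: a second request from the same server,
    # an initial AS-REQ from a workstation, and a line that is not a ticket request.
    "12/11/2015 9:22:41.102 AM kdc[92]: TGS-REQ otherUser@openDirectoryServer.UNA.AB.CA "
    "from filemakerServer:64840 for host/fileMakerServer.una.ab.ca@openDirectoryServer.UNA.AB.CA [forwardable]",
    "12/11/2015 9:20:05.010 AM kdc[92]: AS-REQ webUsername@openDirectoryServer.UNA.AB.CA "
    "from IPv4:10.0.0.5 for krbtgt/openDirectoryServer.UNA.AB.CA@openDirectoryServer.UNA.AB.CA",
    "12/11/2015 9:23:00.000 AM kdc[92]: some unrelated message",
]

if __name__ == "__main__":
    for (host, service), n in service_ticket_summary(SAMPLE_LOG).items():
        print(f"{host} requested {service} {n} time(s)")
```

Running the summary over a day of kdc output makes it easy to see whether ticket requests come only from the FileMaker Server host (as the post observes) or also from client workstations, and whether the requested principal is always the server's own host/ principal.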

        • 1. Re: How does FileMaker Server v13 Web Publishing use Kerberos (SSO) and Open Directory?
          drowland@una.ab.ca

          Bump.


          This isn't isolated to Web Publishing. It seems that FMS is requesting Kerberos tickets when FM Client users log in.

          • 2. Re: How does FileMaker Server v13 Web Publishing use Kerberos (SSO) and Open Directory?
            TSGal

            drowland:


            Thank you for your post.


            Here is some information that may help, on how Single Sign-On of a Windows client to a Windows FileMaker Server works:


            When a user logs in to the Windows domain on their computer, they receive a security token (usually Kerberos).  When that user starts FileMaker Pro and tries to open a database hosted on FileMaker Server, the security token is obtained and sent to FileMaker Server.  FileMaker Server will then attempt to verify the security token with the domain controller for the machine running FileMaker Server.  Once the token is verified (which may require a round trip back to the client), FileMaker Server obtains the list of domain groups that the user belongs to.  FileMaker Server then compares the user's list of domain groups with the external authentication accounts in the database and finds the first match (if any).  If a match is found, the user gets the privilege set associated with the first matching external account, and the database file opens.  So, in order to make external authentication work with Single Sign-On, the Windows client machines and the FileMaker Server machine need to be joined to the same domain, or potentially the same domain forest.


            Here is the Microsoft Technet "Domain and Forest Trust Technical Reference" link:

            https://technet.microsoft.com/en-us/library/cc738955(v=ws.10).aspx


            If the Windows client isn't signed into the domain, or is a non-Windows client, they enter login credentials in FileMaker Pro which FileMaker Server will attempt to verify with its domain controller.  In that case, the domain membership of the client machine does not matter.


            TSGal

            FileMaker, Inc.
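The reply above describes the step that decides what a user can do once the token is verified: FileMaker Server walks the database's external authentication accounts in order and grants the privilege set of the first one whose group the user belongs to. The snippet below is an added example, not FileMaker's code, that models that first-match rule on constructed data (the group and privilege-set names are hypothetical, and exact string comparison of group names is an assumption of the example). It also reports the later accounts a user would have matched but that never apply, because that is the check an administrator wants when deciding the order of the accounts.

```python
from typing import List, Optional, Sequence, Tuple

# Constructed example: external authentication accounts as listed in the
# database's security settings, in the order they are evaluated.
# (group name, privilege set) -- hypothetical names, not from the post.
EXTERNAL_ACCOUNTS: List[Tuple[str, str]] = [
    ("Finance-Admins", "Full Access"),
    ("Finance-Staff", "Data Entry"),
    ("All-Staff", "Read-Only"),
]


def resolve_privilege_set(
    user_groups: Sequence[str],
    external_accounts: Sequence[Tuple[str, str]] = EXTERNAL_ACCOUNTS,
) -> Tuple[Optional[str], List[str]]:
    """Apply the first-match rule described in the reply.

    Returns (privilege_set, shadowed) where privilege_set is the set granted
    by the first external account whose group the user belongs to (None when
    nothing matches, i.e. the file does not open for that user), and shadowed
    lists the later accounts that also matched but are never applied.
    Group names are compared as exact strings in this example.
    """
    membership = set(user_groups)
    granted: Optional[str] = None
    shadowed: List[str] = []
    for group, privilege_set in external_accounts:
        if group not in membership:
            continue
        if granted is None:
            granted = privilege_set          # first match wins
        else:
            shadowed.append(group)           # matched, but never reached
    return granted, shadowed


def shadowed_report(
    users: Sequence[Tuple[str, Sequence[str]]],
    external_accounts: Sequence[Tuple[str, str]] = EXTERNAL_ACCOUNTS,
) -> List[Tuple[str, Optional[str], List[str]]]:
    """For each (user, groups) pair, list the outcome and any shadowed matches.

    A non-empty shadowed list is worth a second look: it means the order of
    the accounts, not only the user's group membership, decided the outcome.
    """
    report = []
    for user, groups in users:
        granted, shadowed = resolve_privilege_set(groups, external_accounts)
        report.append((user, granted, shadowed))
    return report


if __name__ == "__main__":
    # Constructed users and group memberships for the demonstration.
    sample_users = [
        ("alice", ["Finance-Admins", "All-Staff"]),
        ("bob", ["Finance-Staff", "All-Staff"]),
        ("carol", ["All-Staff"]),
        ("dave", ["Contractors"]),
    ]
    for user, granted, shadowed in shadowed_report(sample_users):
        print(f"{user}: {granted or 'no match (file does not open)'}; shadowed: {shadowed}")
```

With the accounts in the order above, a member of both Finance-Admins and All-Staff gets Full Access. Swap the list so that All-Staff comes first and the same user gets Read-Only instead, with Finance-Admins reported as shadowed; the function makes that dependence on ordering visible before it surprises anyone.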


            • 3. Re: How does FileMaker Server v13 Web Publishing use Kerberos (SSO) and Open Directory?
              drowland@una.ab.ca

              Thanks for the reply. This issue and question were for OS X, not Windows. I know the documentation states that Kerberos/SSO is not supported under OS X... but we continue to see service ticket requests coming from the FileMaker Servers to our authentication server.

              • 4. Re: How does FileMaker Server v13 Web Publishing use Kerberos (SSO) and Open Directory?
                TSGal

                drowland:


                My apologies for not reading your initial posting thoroughly.


                Apple Open Directory does use Kerberos.  If you want a high-level explanation, see:

                https://en.wikipedia.org/wiki/Apple_Open_Directory


                FileMaker Server may use Open Directory to do authentication if the Server Admin has selected "FileMaker and external server accounts."  However, this also depends on what accounts the clients are entering when they log into the hosted file.  If the FileMaker Pro clients are using FileMaker accounts or OS X accounts defined on the Server machine, Open Directory would never be checked in those cases.


                From your description, it sounds like the interface used by FileMaker Server to do authentication of FileMaker Pro clients may be different from the one used for web clients by the Apache web server (used by FileMaker Server), so FileMaker Pro client authentication won't show up as Kerberos ticket requests.  I have sent a request to Development and Testing for more specific information and verification.


                I found some additional detailed information on Open Directory in the Apple Developer Library website:

                Concepts


                TSGal

                FileMaker, Inc.