This isn't isolated to Web Publishing. It seems that FMS is requesting Kerberos tickets when FM Client users log in.
Thank you for your post.
Here is some information that may help and how Single Sign-On of a Windows client to a Windows FileMaker Server works:
When a user logins to the Windows domain on their computer, they receive a security token (usually Kerberos). When that user starts FileMaker Pro and tries to open a database hosted on FileMaker Server, the security token is obtained and sent to FileMaker Server. FileMaker Server will then attempt to verify the security token with the domain controller for the machine running FileMaker Server. Once the token is verified (which may require a round trip back to the client), FileMaker Server obtains the list of domain groups that the user belongs to. FileMaker Server then compares the user's list of domain groups with the external authentication accounts in the database and finds the first match (if any). If a match is found, the user gets the privilege set associated with the first matching external account, and the database file opens. So, in order to make external authentication work with Single Sign-On, the Windows client machines and the FileMaker Server machine need to be joined to the same domain, or potentially the same domain forest.
Here is the Microsoft Technet "Domain and Forest Trust Technical Reference" link:
If the Windows client isn't signed into the domain, or is a non-Windows client, they enter login credentials in FileMaker Pro which FileMaker Server will attempt to verify with its domain controller. In that case, the domain membership of the client machine does not matter.
Thanks for the reply. This issue and question were for OS X not Windows. I know the documentation states that Kerberos/SSO is not supported under OS X.... but we continue to see service ticket requests coming from the FileMaker Servers to our authentication server.
My apologies for not reading your initial posting thoroughly.
Apple Open Directory does use Kerberos. If you want a high-level explanation, see:
FileMaker Server may use Open Directory to do authentication if the Server Admin has selected "FileMaker and external server accounts." However, this also depends on what accounts the clients are entering when they log into the hosted file. If the FileMaker Pro clients are using FileMaker accounts or OS X accounts defined on the Server machine, Open Directory would never be checked in those cases.
From your description, it sounds like the interface used by FileMaker Server to do authentication of FileMaker Pro clients may be different than those done for web clients by the Apache web server (used by FileMaker Server), so FileMaker Pro client authentication won't show up as Kerberos ticket requests. I have a sent a request to Development and Testing for more specific information and verification.
I found some additional detailed information on Open Directory in the Apple Developer Library website: