1 Reply Latest reply on Jun 15, 2017 10:03 AM by TSGal

    No Prompt for Password Reset with User Connections

    bigtom

      Product and version (FileMaker Pro 16.0.1)

      OS and version OS X 10.11.6

      Hardware iMac

      Description

       

      When accounts are set to require password reset on next sign-in and FMP for user connection client connects to server but does not sign in to a file, there is never a prompt to reset password. Technically not a sign-in, but having a temporary password remaining unchanged is not so safe. Temporary account names and passwords may have been emailed or possibly printed in some companies. I understand this is a case that is not likely to happen in many instances, but it is a security issue to some extent. Password remains as expired and checkbox set for required reset until user logs into a file on that server.

       

      As a possible real-world example, a new FMP user may be provided with a less-than-secure temporary password for a user connection account on FMS16 on an office LAN to maintain FMP required connection without opening a file. That user then connects to a file on an FMS14 cloud server and works as usual. If the credentials are saved to keychain in the server connection dialog, the user will likely never be prompted to reset the password ever with this workflow.

       

      How to replicate

       

      Add a new user and set password to require reset next sign-in.

       

      Start FM Pro for user connections and wait or do work on local file until the connection dialog box is presented. Enter the credentials as assigned when user was created.

      or

      Select server in launch center and sign in with credentials as assigned when user was created to view files but not sign in to a file.

       

      Workaround (if any)

      Do not use FileMaker native user authentication. Use external authentication (AD, OD, OAuth).

        • 1. Re: No Prompt for Password Reset with User Connections
          TSGal

          bigtom:

           

          Thank you for your post.

           

          I am having difficulty fully understanding your post.

           

          Reset password is set per file; not for the server.  Without opening a file, you will not be prompted for credentials.

           

          If the previous password was saved to the keychain, for security measures, this will be ignored when trying to open the file again.  Otherwise, anybody could automatically open the file on your machine and change the password.

           

          Let me know if I am missing anything.

           

          TSGal

          FileMaker, Inc.