7 Replies Latest reply on Mar 15, 2012 4:13 PM by BowdenData

    SSO (Single Sign On)

    FrankPottner

      My goal is to get SSO (Single Sign On) working with FMServer 11.

      The clients are logging in through Novell e-directory but IT says they have the same accounts in AD (Active Directory).

      Can this be made to work?

      If so, my understanding is I need to do the following; please correct me on any mistakes or missed steps since I don't really understand this stuff.

      Assumptions

      - FM file "Test.fp7" has a privilege "ViewData" with extended privilege "fmapp" enabled and is hosted on FMServer

      - AD is part of the "ABC" domain

      - user John Smith has a Windows login/pwd "JS/secret" and belongs to a group "Managers" in AD

      - in Test.fp7, "Manage Security" I need to create a new account

      - for "Account is authenticated via" I select "External Server"

      - for "Group Name" I enter "Managers" (same as group name in AD)

      - for privilege set I select "ViewData"

      - I move this new account to the top of the list of accounts so that FMS tries to automatically authenticate the user

      - the computer running FMServer must be part of the "ABC" domain so that it knows which AD to talk to

      - John Smith's computer must be part of the "ABC" domain so that he's authenticated with the same AD that FMServer will communicate with

      - on opening the Test.fp7 file John won't be asked for a password

      - get(AccountName) will return "JS"

      - get(AccountPrivilegeSetName) will return "ViewData"

      Are there any other settings I need to set or configure?

        • 1. Re: SSO (Single Sign On)
          ch0c0halic

          Frank may have a secret,

          Yes, logging in is not sufficient. The OS of the FMS computer has to be set up to provide authentication services to the AD server.

          There are a lot of instruction pages for this on the internet. Here's the Microsoft one.

          http://technet.microsoft.com/en-us/library/cc755103(v=WS.10).aspx

          • 2. Re: SSO (Single Sign On)
            FrankPottner

            The OS of the FMS computer has to be set up to provide authentication services to the AD server.

            I just want to clarify this.

            All the documentation I've read says that the computer that FMS is running on just needs to be part of the same domain as the domain controller that has the user accounts.

            I'll be meeting with their IT guy and just want to tell him what I need from their end, so in IT terms, what should I tell him needs to be done on the computer running FMS?

            Thanks in advance for the help.

            • 3. Re: SSO (Single Sign On)
              jdj_admin

              Frank may be having a little visitor,

              The IT person should understand what I said. This is all the IT person needs to properly set up the OS for FMS to use AD authentication.

              The OS of the FMS computer has to be set up to provide authentication services to the AD server.

              There are a lot of instruction pages for this on the internet. Here's the Microsoft one.

              http://technet.microsoft.com/en-us/library/cc755103(v=WS.10).aspx

              You also need to set the FMS to use External Authentication.

              Using the FileMaker Server Admin Console:

              1. Click "Database Server"

              2. Click tab "Security"

              3. Under the "Client Authorization" area click the radio button "FileMaker and external server accounts"

              • 4. Re: SSO (Single Sign On)
                FrankPottner

                I just want to clarify this for anyone else that may have issues trying to get the SSO working with an Active Directory domain controller since there are a few catches that are NOT documented. The following needs to be done:

                In the FM database:

                - create an account and select "External Server" for the "Account is authenticated via:"

                - for the "Group Name:" enter the EXACT same name as the group in Active Directory

                     NOTE: 21 character group name is TOO LONG; 12 character is OK, don't know about anything in between

                - assign that account a Privilege Set that includes the "Access via FileMaker Network (fmapp)" privilege

                - in the Accounts list move the account to the top of the authentication order

                In FMS:

                - login with the Admin Console

                - go to the Database Server => Security tab

                - select the "FileMaker and external server accounts" radio button

                - save the change

                On the computer running FMS:

                - right click on "My Computer" and select properties

                - click on the "Computer Name" tab and verify the computer is part of the correct domain

                On the client computer:

                - verify the computer is part of the correct domain

                - verify you are a member of the group by entering "whoami /Groups" at the DOS command prompt (doesn't work on all computers)

                     NOTE: if you just added yourself as a member of the group, you need to log out and log back in for that change to take effect

                - launch FileMaker and select the file on the server while praying that it opens this time

                If you get in without being asked for a login / pwd you're done:

                     - get(AccountName) will return your Windows login name

                     - get(AccountPrivilegeSetName) will return the privilege set tied to the group account you're logged in with

                If you get the login / pwd dialog: kick the server, restart it, same for the client, say a few more prayers and try again.
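As an added example (not code from the thread or from FileMaker), the two client-side checks in the checklist above, domain membership and group membership, as a PowerShell pre-flight script; it reads the same logon-token groups that "whoami /Groups" prints, so it also catches the "added to the group but not logged off yet" case. The domain "ABC" and group "Managers" are the thread's example values; matching the machine's DNS domain against the short NetBIOS name is an assumption.

```powershell
# Added example, not from the thread. Pre-flight check for FileMaker external
# (AD group) authentication on a Windows client. Defaults are the thread's
# example values; pass real ones with -ExpectedDomain / -GroupName.
param(
    [string]$ExpectedDomain = 'ABC',
    [string]$GroupName      = 'Managers'
)

$problems = @()

# 1. Is this computer joined to the expected domain?
#    Assumption: the DNS domain (e.g. abc.local) starts with the NetBIOS name.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    $problems += "Computer is not domain-joined (workgroup: $($cs.Workgroup))."
} elseif ($cs.Domain -notlike "$ExpectedDomain*") {
    $problems += "Computer is joined to '$($cs.Domain)', expected '$ExpectedDomain'."
}

# 2. Does the current logon token carry the group? This is the token that was
#    built at logon, so a group added afterwards only shows up after log off/on.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$groups = foreach ($sid in $identity.Groups) {
    try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }   # SIDs that cannot be resolved stay as S-1-5-...
}
# Compare only the short group name (strip the DOMAIN\ prefix), case-insensitive.
$match = $groups | Where-Object { ($_ -split '\\')[-1] -ieq $GroupName }
if (-not $match) {
    $problems += "Logon token for $($identity.Name) does not include group '$GroupName'. " +
                 "If you were just added to the group, log off and back on."
}

# 3. The thread reports a 21-character group name failing and a 12-character
#    one working; flag longer names so they are the first thing to try shortening.
if ($GroupName.Length -gt 12) {
    Write-Warning "Group name is $($GroupName.Length) characters; try a shorter AD group name if SSO fails."
}

if ($problems) {
    $problems | ForEach-Object { Write-Host "FAIL: $_" }
    exit 1
}
Write-Host "OK: $($identity.Name) on domain '$($cs.Domain)' is a member of '$GroupName'."
```

Run it on the client as the user who will open the file; it does not touch FileMaker itself, so a passing result only tells you the Windows side of the checklist is in place.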

                • 5. Re: SSO (Single Sign On)
                  BowdenData

                  FrankPottner wrote:

                  I just want to clarify this for anyone else that may have issues trying to get the SSO working with an Active Directory domain controller since there are a few catches that are NOT documented. The following needs to be done;

                  In the FM database;

                  - for the "Group Name:" enter the EXACT same name as the group in Active Directory

                       NOTE: 21 character group name is TOO LONG; 12 character is OK, don't know about anything in between

                  - in the Accounts list move the account to the top of the authentication order

                  Frank,

                  Just wanted to clarify/comment on a couple of your points (shown above). Both of these are not correct. All the other points you make are good, solid advice. I work with multiple clients who use Active Directory with FM Server 10 and 11 and with both Windows Server 2003 and 2008. One shop is actually all Win2003 while another one is all Win2008.

                  - We have AD group names that are much longer than 21 characters. Some are in the 30-32 character range. No issues at all.

                  - The name of the group in the FM dB does have to match the actual AD group name, but it is not case sensitive. Saying that the names must be EXACT would imply that. Having said this, I typically do enter them into the FM dB in the same case as the group.

                  - The external authentication group does not have to be at the top of the order. There was a document published by Steven Blackwell last year where he recommended to put local accounts above external accounts. I wish I could put my hands on the article or find a link, but can't off hand. I do recall his reasoning was sound and was based on conversations with FMI engineering staff. It was something to do with the speed of the authentication process. In any case, I can confirm that external accounts don't have to be above any local accounts. If you have multiple external accounts, they just need to be in the desired order of authentication. Typically, this will be the more privileged group at the top, followed by progressively less privileged groups.

                  HTH.

                  Doug de Stwolinska

                  • 6. Re: SSO (Single Sign On)
                    FrankPottner

                    Doug,

                    I agree the external authentication account does not have to be at the top of the authentication order, this was just my advice for people trying to get this working.

                    I didn't try putting the group name lower case in FM and upper case in AD so I'll take your word on that.

                    However, the group name of 21 characters failed for me. The IT guy was sitting there adding his user name to the group, logged off and back on, ran the "whoami /Groups" command and saw the group in the list of groups, then tried to open the FM file without success. When we switched it to a shorter name and logged off and back on it worked. It is theoretically possible that when he copied and pasted the 21 character group name from AD into FM something weird came across but we were both looking at it and didn't notice a problem. I don't know if this has something to do with a specific version of AD, the fact that they're also running Novell's e-directory, or some other external factor but it didn't work.

                    I believe the tech brief you're referring to is this one

                    http://help.filemaker.com/app/answers/detail/a_id/6822

                    Even though it's for FM8 it still applies to FM11.

                    • 7. Re: SSO (Single Sign On)
                      BowdenData

                      Hi Frank,

                      Thanks for the update/clarification on the 21 character limit issue you have seen. You are right that it could definitely be due to different versions of AD, and the fact that Novell is involved could be a contributor.

                      I'll file away in the memory bank your issues with the number of characters, in case I come across this in the future. The same can likely be said of the group name in FMP matching exactly (including case) the AD group name. I have heard stories where people could not get it to work unless the entries were totally exact. Just because I haven't run into it doesn't make it a falsehood!

                      The more I think about Steven Blackwell's note about ordering External accounts and Internal accounts, I think it was in a thread on the FMPug talk list - not in a formal document.

                      Regards,

                      Doug