3 Replies Latest reply on Apr 25, 2012 12:09 PM by CDPub

    Authentication Order Mac v. PC

    CDPub

      I've spent the past few hours scouring Google and the forums, and several hours before that testing various set-ups, all to no avail. I have a new user starting tomorrow(!) and am hoping to be at least a little closer to a solution by the time she starts trying to log in.

      Since our implementation of external user authorization, we've set up local FM accounts for individual users who need more access than other members of their Active Directory accounts. I didn't realize until last week that they've all been Mac users. When our first "special" PC user started last week, we started running into trouble.

      What appears to be happening is that accounts authenticate differently on a Mac vs. a PC. On the Mac, as expected, the accounts authenticate in the order listed in the "Manage Security" box. On the PC, however, the FileMaker account only authenticates first when its privileges are more restricted than the AD account. If the local account has Full Access and the AD account has read-only, the AD account will be the one used to sign in.

      Example: account NEmp is set up to authenticate through the file with access to create and edit. NEmp is a member of the AD group called "employees" that has read-only access. On the Mac, NEmp authenticates through her local account and can create and edit. On the PC, NEmp can only read. However, if NEmp uses a one-step script to relogin (relogin, no options), she gets her edit access. As though FileMaker authenticates differently (on the PC) when actually opening a file vs. only "relogging in."

      This has been consistent as I mix and match privileges. I have set the privileges and signed in on the PC and then the Mac and had different access on the two computers.

      In my searching, I haven't been able to find any documentation confirming this finding, or hints as to what I might be doing wrong. Can anyone confirm what I'm seeing? Can anyone tell me what I'm doing wrong? Suggest a solid work-around other than having her relogin every single time, while not affecting the processes of standard PC users or all Mac users?

      Thanks in advance!

      Heather
      CDPub

        • 1. Re: Authentication Order Mac v. PC
          wimdecorte

          Difficult to get my head around... but fundamentally mixing and matching AD accounts and local accounts can be very weird.  We mentioned some of this in the EA white paper that Steven Blackwell and I wrote years ago.

          The best solution is to not use local accounts and create new AD groups for those users that require more access and put them in those new groups.  Then list those AD groups higher in the authentication order than the other AD groups they belong to.

          Alternatively, don't use AD groups and create only local groups on the FMS machine.  You can still add AD accounts to those local groups.  Then in your FM solution only set up accounts that match the local groups with absolutely no match to an existing AD group.
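To make the first-match rule behind Wim's advice concrete, here is an added Python model (not code from this thread, from FileMaker Pro or from FileMaker Server) that walks an ordered account list the way the "Manage Security" order is described above and flags accounts that are shadowed by an earlier, broader match. The first-match semantics, the privilege-set ranking, and every account, group and user name are assumptions made for the example; it does not model the PC-specific behaviour the original poster reports.

```python
"""First-match model of a FileMaker file's authentication order.

Added example for this thread, not code from FileMaker or from the posters.
Assumption: the file walks the accounts in "Manage Security" top to bottom and
grants the privilege set of the first entry that matches the credentials
presented (a FileMaker account by account name, an External Server account by
membership in a group of that name).  All names below are made up.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Account:
    name: str            # FileMaker account name, or the external group name
    kind: str            # "filemaker" or "external"
    privilege_set: str


@dataclass(frozen=True)
class User:
    login: str
    groups: FrozenSet[str]   # directory / OS groups the user belongs to


# Higher number = more access.  The ranking is an assumption used by the check.
RANK = {"[Read-Only Access]": 0, "[Data Entry Only]": 1, "[Full Access]": 2}


def matches(acct: Account, user: User) -> bool:
    """Would this entry accept the presented credentials?"""
    if acct.kind == "filemaker":
        return acct.name == user.login
    if acct.kind == "external":
        return acct.name in user.groups
    raise ValueError(f"unknown account kind {acct.kind!r}")


def resolve(order: List[Account], user: User) -> Optional[Account]:
    """Entry that wins under first-match semantics, or None if nothing matches."""
    return next((a for a in order if matches(a, user)), None)


def shadowed(order: List[Account], user: User) -> List[Account]:
    """Matching entries listed *below* the winner that would grant more access.

    A non-empty result means the intended privileges are never reached by a
    normal login, which is the symptom described in the original post.
    """
    winner = resolve(order, user)
    if winner is None:
        return []
    later = order[order.index(winner) + 1:]
    return [a for a in later
            if matches(a, user) and RANK[a.privilege_set] > RANK[winner.privilege_set]]


def name_collisions(order: List[Account], local_groups: Set[str],
                    directory_groups: Set[str]) -> Set[str]:
    """External entries whose group name exists both locally on the FMS machine
    and in the directory.  Wim's second option needs this set to be empty."""
    names = {a.name for a in order if a.kind == "external"}
    return names & local_groups & directory_groups


# Constructed scenario modelled on the original post (names are invented).
EMPLOYEES  = Account("employees", "external",  "[Read-Only Access]")
EDITORS    = Account("editors",   "external",  "[Data Entry Only]")
NEMP_LOCAL = Account("NEmp",      "filemaker", "[Data Entry Only]")
NEMP       = User("NEmp", frozenset({"employees", "editors"}))

MIXED_ORDER = [EMPLOYEES, NEMP_LOCAL]   # local account below the broad AD group
BAD_ORDER   = [EMPLOYEES, EDITORS]      # narrower AD group below the broad one
GOOD_ORDER  = [EDITORS, EMPLOYEES]      # Wim's fix: more access listed higher

if __name__ == "__main__":
    for label, order in (("mixed", MIXED_ORDER), ("bad", BAD_ORDER), ("good", GOOD_ORDER)):
        win = resolve(order, NEMP)
        print(f"{label:5}: wins {win.privilege_set:19} "
              f"shadowed: {[a.name for a in shadowed(order, NEMP)]}")
```

Running it prints which entry wins for each ordering and which more-privileged entries are unreachable; `name_collisions` is the check to run against the group lists before choosing the local-groups-only layout.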

          • 2. Re: Authentication Order Mac v. PC
            iamsloper

            I agree with Wim; I'd ditch the local users and have more groups.

            One thing I'll add is that I recently ran into trouble when I had users on mix-matched FileMaker versions. The server was on 11 and some clients were still on 10. I couldn't get these users to get the correct OD groups until I upgraded them to FM 11.

            • 3. Re: Authentication Order Mac v. PC
              CDPub

              Ah, thanks so much!

              The local groups option actually worked perfectly for what I was trying to achieve (namely, not having to get our sys admin involved)! The real test will come as our new user starts getting into the system, but it's passed all my tests so far.

              I had actually read (ok, skimmed) your white paper, but I think my limited server knowledge prevented it from really clicking until I read your post.

              Thanks again!