3 Replies Latest reply on Jun 6, 2012 1:29 PM by wimdecorte

    Trouble with External Authentication and Active Directory

    EvanGoldstein

      Hello,

       

      I am trying to test external authentication to Active Directory and am having problems.


      Using a Mac OSX 10.5.8 FMSA box, running version 11.0.4.404, that is bound to Active Directory.

      I have groups set up in the FileMaker files that match the Primary Group in Active Directory.

       

      My current production environment has a similar setup but uses FMSA v 10, and is bound to Open Directory, which works fine.

       

      Is the "Primary Group" the correct place to enter the Group name that corresponds with the Group in FileMaker?

      In Open Directory, I use the "Name" field which automatically populates the "Short Name" field, which then matches the group in FileMaker.

       

      Thanks,

      Evan

       


        • 1. Re: Trouble with External Authentication and Active Directory
          wimdecorte

          Primary group doesn't matter.  AD will send back info on ALL groups that the user belongs to.  FMS will check those groups against the groups set up in the FM file and will stop at the first one when you look at the list in "authentication order".

           

          If your user belongs to at least one of the groups he should get in.  Maybe not with the privilege set that you wanted but that's an authentication order issue, not an AD authentication issue.  If your user does not get in then it is an authentication error.  Either the FMS machine is not bound to the AD correctly, or there are conflicting accounts on the FMS machine itself, or the groups in the FM file do not match the group names in AD.

           

          Wim

          • 2. Re: Trouble with External Authentication and Active Directory
            EvanGoldstein

            Thanks Wim, it turned out to be a timing issue. We were making changes to AD, and the domain controller replica that the FM server must be using did not read the changes for a while.

             

            Knowing that primary group does not matter is helpful. Is there any way to control the order that AD sends the groups to FM? Or is it always alpha? So for example if a user is in the "Finance" and "Legal" groups in AD, and they are trying to connect to a FM file that also has "Finance" and "Legal", if "Legal" is ahead of "Finance" in the authentication order, will they get the "Legal" privilege set? Or will they get "Finance" because that is provided first by AD?

             

             

             

            Evan

            • 3. Re: Trouble with External Authentication and Active Directory
              wimdecorte

              EvanGoldstein wrote:

              Is there any way to control the order that AD sends the groups to FM? Or is it always alpha? So for example if a user is in the "Finance" and "Legal" groups in AD, and they are trying to connect to a FM file that also has "Finance" and "Legal", if "Legal" is ahead of "Finance" in the authentication order, will they get the "Legal" privilege set? Or will they get "Finance" because that is provided first by AD?

               

               

              They will get the first one in the authentication order you set up in FM.  In your case if the user belongs to both Legal and Finance, they will always get Legal.
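
The first-match rule described in this thread, modelled as an added example (not part of any poster's message and not FileMaker's own code). It audits which privilege set each user ends up with and which later matches are shadowed by the authentication order. The group names, privilege-set names, users and the exact-match name comparison are assumptions made for illustration.

```python
# Added illustration of the rule from the thread: the file's authentication
# order decides the outcome, not the order in which the directory lists groups.
# All names and memberships below are constructed sample data.

def effective_account(auth_order, ad_groups):
    """Return the first (group, privilege_set) entry in the file's
    authentication order that the user is a member of, or None."""
    member_of = set(ad_groups)  # directory ordering is deliberately discarded
    for group, privilege_set in auth_order:
        if group in member_of:  # assumption: exact name comparison
            return group, privilege_set
    return None  # no matching group: the user does not get in


def audit(auth_order, directory):
    """Per user: the granted entry, plus later matching entries that the
    first match shadows (candidates for an authentication-order review)."""
    report = {}
    for user, ad_groups in directory.items():
        member_of = set(ad_groups)
        matches = [(g, p) for g, p in auth_order if g in member_of]
        report[user] = {
            "granted": effective_account(auth_order, ad_groups),
            "shadowed": matches[1:],
        }
    return report


# Constructed sample: external-group accounts in authentication order.
AUTH_ORDER = [("Legal", "Legal Read-Write"), ("Finance", "Finance Read-Only")]

# Constructed sample: memberships as a directory might return them.
DIRECTORY = {
    "alice": ["Finance", "Legal", "Domain Users"],  # in both groups
    "bob": ["Finance"],
    "carol": ["Domain Users"],  # no group defined in the file
}

if __name__ == "__main__":
    for user, result in audit(AUTH_ORDER, DIRECTORY).items():
        print(user, result)
```

Users with a non-empty "shadowed" list are the ones whose access changes if the authentication order in the file is rearranged.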