9 Replies Latest reply on Nov 14, 2014 9:42 AM by BowdenData

    Mac Client using SSO with AD

    kmtenor

      Hello.

      We have several solutions in our environment that make use of SSO on Windows using Active Directory. These solutions work great, and learning to work with AD for FileMaker security has been a huge win for us.

      We are integrating some Mac clients into our mix, and are very interested in leveraging the SSO capabilities of Active Directory for them. Apple's own "Best Practices for Integrating OS X with Active Directory" (which I followed to attach the Mac to the domain) states that one of the benefits of joining the Mac to the domain is that the joined Mac clients will "Benefit from single sign-on access to Active Directory resources through Kerberos" - but it doesn't seem to work with FileMaker (13 Advanced/13 Server - more environmental data below).

      Before I spend too much time tinkering, does anyone know how to make this work, or if it is even possible? I get the feeling I'm just missing one setting somewhere to make it work.

      Thanks very much.

      -Kevin

      Mac Client: MBP 15" Retina/FileMaker 13 Advanced

      Regular Clients: Windows 7 Professional/FileMaker 13 Advanced

      Server: Windows Server 2008 R2/FileMaker 13 Server

      Active Directory: 2003 Functional Level, with 2008 servers
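The post above relies on Apple's statement that a domain-joined Mac gets single sign-on "through Kerberos". Whatever an individual application does with it, the precondition for any Kerberos SSO is that the logged-in user's session holds a ticket-granting ticket (TGT) for the AD realm. The script below is an added example, not code from the thread, from FileMaker or from Apple's guide: it classifies `klist` output as valid, expired or missing for a given realm, and wraps the live `dsconfigad -show` / `klist` checks an administrator would run on the Mac itself. It assumes the Heimdal `klist` output format shipped with OS X (including the `>>>Expired<<<` marker for lapsed tickets); the realm `CORP.EXAMPLE.COM` and all sample outputs are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from FileMaker/Apple documentation.
# Before blaming an application for a failed SSO, confirm the precondition
# Apple's guide relies on: the logged-in user actually holds a Kerberos TGT
# for the AD realm. This script classifies `klist` output as valid/expired/missing.
# Assumed output format: Heimdal klist as shipped with OS X. All sample
# outputs below are constructed, not captured from a real machine.

# tgt_state REALM   (klist output on stdin)
# Prints one word: valid | expired | missing
tgt_state() {
    realm="$1"
    # The TGT is the ticket for krbtgt/REALM@REALM. `|| true` keeps a
    # non-match from aborting callers that run with `set -e`.
    line=$(grep "krbtgt/$realm@$realm" || true)
    if [ -z "$line" ]; then
        echo missing
    # Heimdal prints ">>>Expired<<<" in the Expires column once the ticket lapsed.
    elif printf '%s\n' "$line" | grep -q 'Expired'; then
        echo expired
    else
        echo valid
    fi
}

# check_live REALM: run the real checks on a Mac. Returns 2 when the host
# is not macOS or is not bound to AD; otherwise prints the TGT state.
check_live() {
    realm="$1"
    if ! command -v dsconfigad >/dev/null 2>&1; then
        echo "dsconfigad not found; this is not a macOS host" >&2
        return 2
    fi
    # A bound Mac reports its domain under "Active Directory Domain".
    if ! dsconfigad -show 2>/dev/null | grep -q 'Active Directory Domain'; then
        echo "this Mac is not bound to Active Directory" >&2
        return 2
    fi
    klist 2>/dev/null | tgt_state "$realm"
}

# Constructed sample klist outputs (CORP.EXAMPLE.COM is a placeholder realm).
SAMPLE_VALID='Credentials cache: API:501:1
        Principal: kevin@CORP.EXAMPLE.COM

  Issued                Expires               Principal
Nov 14 08:00:00 2014  Nov 14 18:00:00 2014  krbtgt/CORP.EXAMPLE.COM@CORP.EXAMPLE.COM
Nov 14 08:00:05 2014  Nov 14 18:00:00 2014  cifs/files.corp.example.com@CORP.EXAMPLE.COM'

SAMPLE_EXPIRED='Credentials cache: API:501:1
        Principal: kevin@CORP.EXAMPLE.COM

  Issued                Expires               Principal
Nov 13 08:00:00 2014  >>>Expired<<<         krbtgt/CORP.EXAMPLE.COM@CORP.EXAMPLE.COM'

SAMPLE_NONE='klist: No ticket cache found'

# Demonstration on the constructed samples. On a real Mac, run instead:
#   check_live CORP.EXAMPLE.COM
printf '%s\n' "$SAMPLE_VALID"   | tgt_state CORP.EXAMPLE.COM
printf '%s\n' "$SAMPLE_EXPIRED" | tgt_state CORP.EXAMPLE.COM
printf '%s\n' "$SAMPLE_NONE"    | tgt_state CORP.EXAMPLE.COM
```

If `check_live` reports `missing` or `expired`, the problem is upstream of any application: the Mac either did not obtain a TGT at login (typically a binding or clock-skew issue) or the ticket has lapsed, and a fresh `kinit` or re-login is the first thing to test before looking at FileMaker's own behaviour.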

        • 1. Re: Mac Client using SSO with AD
          taylorsharpe

          Hmmmm, I've always dealt with FM not having single server sign-on for Macs and the solution was storing passwords in the keychain. I've never seen FM work as single server sign-on for a Mac, but I would be interested. Good question if there really is an option to do that. But probably the nicest thing about storing passwords in the keychain is that your operating system user account does not have to match the user account on FileMaker security. Then again, in a real enterprise network, everything would be using the same directory service to sign onto their computers as well as get into databases, file share, email, etc.

          • 2. Re: Mac Client using SSO with AD
            kmtenor

            The major reason why we like to stick with SSO through AD is that, when the user changes their password (every six months, per company policy), there is no need to update the password that is saved for use with FileMaker. There are already so many places they have to change saved passwords, it's important to us to keep the amount of confusion to a minimum.

            -Kevin

            • 3. Re: Mac Client using SSO with AD
              taylorsharpe

              Oh I fully agree with that reasoning. It makes AD the one source password location, which is ideal for an enterprise system. The biggest problem I have on Macs is the inability in FileMaker to turn off the ability to store passwords in the keychain.

              Maybe someone will chime in on the SSO functionality on a Mac. It sure would be convenient and I would like to know more if it is available.

              • 4. Re: Mac Client using SSO with AD
                wimdecorte

                kmtenor wrote:

                Before I spend too much time tinkering, does anyone know how to make this work, or if it is even possible?

                It is not possible in any version of FM.

                SSO currently only works in an all-Windows line-up.

                • 5. Re: Mac Client using SSO with AD
                  kmtenor

                  ...and the list of things that frustrate me about FileMaker grows by one. If the OS supports it, I wonder why the application doesn't. Not high on their list of priorities, I'm sure.

                  Thanks for the quick answer, Wim. I guess it's keychain for us for now!

                  -Kevin

                  • 6. Re: Mac Client using SSO with AD
                    wimdecorte

                    I think most of the blame is on Apple for this one though. Apple has had very troubled support for AD binding over the years and tends to break things more often than not.

                    Check MacWindows.com for some good reading on this.

                    • 7. Re: Mac Client using SSO with AD
                      Mike Duncan

                      I'm not sure it should be a priority, but I agree it would be useful for certain specific use cases. Increasingly, IT departments are having to support non-Windows devices brought in by users anyway. AD is not supported on FM Go either, but that isn't FMI's fault.

                      For me, I enjoy the flexibility of choosing what to keep in my keychain and have not found it overly burdensome. I doubt I am the typical user though.

                      • 8. Re: Mac Client using SSO with AD
                        kmtenor

                        iOS itself doesn't support Active Directory - so I wouldn't expect Go to support it, either. It's unclear right now why we would ever bind an iOS device to a directory service - the go-to solution for mobile management seems to be MDM, and directory services like AD are just used for authentication.

                        To Wim's point, AD integration in OS X is extremely touchy - I still view joining a Mac to AD as an experiment rather than a given, and am amazed when it works without having to drop into the command line. It's not really all that clear what benefits we get from binding a Mac to AD, either, since we don't use Home Folders the way OS X expects us to, and GPOs (one of many reasons for binding a PC) don't apply to the Mac. I'm sure the advantages of joining the domain are more subtle and help the Mac user get along better with file servers and remote desktops within the domain.

                        As I think about all of this, it might be interesting if Go was able to support Keychain - especially since it sounds like Mac users are already making that work. That could replace some of the layout and security gymnastics we go through right now to avoid having to log in all the time on Go. If we're not going to get SSO on any Apple platforms, maybe we can get better support for the native Apple tools like Keychain to get the experience to at least be closer!

                        Thanks again.

                        -Kevin

                        • 9. Re: Mac Client using SSO with AD
                          BowdenData

                          Hi,

                          Check out AdmitMac from Thursby Software. It does not help with FileMaker on the desktop and SSO, but it addresses a lot of the other items you mention. I used to live/work in the Washington DC area a few years ago, and knew several Mac users in larger companies/government who used this (or their "Dave" product) and said it worked really well. Link below to the main company page. Look for "AdmitMac" and "Dave" in their product list. The second link is a brief description of how they view their products in joining the Windows and Mac worlds in an enterprise.

                          http://www.thursby.com

                          http://www.thursby.com/use-cases/mac-enterprise-management-security

                          The other product I am aware of is ExtremeZ-IP. It takes the opposite approach in being software that runs on Win servers to provide Mac services above what is there natively.

                          http://www.grouplogic.com/enterprise-file-sharing/mac-windows-file-sharing/

                          Regards,

                          Doug