7 Replies Latest reply on Nov 21, 2014 8:57 AM by justinc

    FMSA PHP/CWP authentication issues

    justinc

      Hey all,

      I am having some issues with a solution that has a CWP/PHP component. The authentication is rather buggy, and we seem to get lots of 'authentication failed' issues in the middle of a user's login. That is, they log in, they get the home page (loading various information), they click around, then one of their clicks gets an error. They reload the page and it works fine; click - fine, click - fine, click - error, click - fine, etc. Rather random. (We are using PHP Sessions to hold their UN/PW so they aren't entering it every time.)

       

      So, for this post I am looking for information about how FMSA authentication might be working.

       

      Windows 2008 R2

      FMSA 12.05

      Single machine

      IIS 7.5

      Default PHP

      External authentication / Active Directory

      (2 plugins: Zulu and Supercontainer)

       

      I wrote up a test PHP file that would just run a Find operation on a loop (10x). This is a new DB file; there are only 3 accounts on the file: two local, one External/AD group. A single table with 2 fields, total of 8 records.

       

      I have tested a couple of different orders of setting up the FM object in the PHP and running the "fm->execute()" steps, but they all seem to behave the same. This file will execute a find 10 times, using different credentials, and report back the time it took each operation, and the error message if there was one.

       

      So here is the PHP that I have now:

       

      <?php
      require_once ('FileMaker.php');
      ?>

      <!DOCTYPE html>
      <html>
      <body>

      <?php

      $layoutName = "TesterLayout";

      $CurrLogin = 0;
      $maxLogins = 2;
      // credentials under test: [username, password, account type]
      $LoginCreds = array (
          array ("AD User", "goodPW", "AD"),
          array ("Test User", "validPW", "local")
      );

      $i = 1;
      $max = 10;

      // Start the overall timer once, before the loop. (Inside the loop it was
      // reset on every pass, so the "Total Elapsed time" only covered the last run.)
      $overallStart = microtime(TRUE);

      while ($i <= $max ) {
          echo ( "
      <hr><div>Result " . $i . " at - " . microtime() );

          // create the FileMaker Object; hostspec is left at its default (localhost),
          // which matches the single-machine setup
          $fm = new FileMaker();
          $fm->setProperty('database', 'Tester');
          $fm->setProperty('username', $LoginCreds[0][0] );
          $fm->setProperty('password', $LoginCreds[0][1] );

          // Bit more complex Find command with 1 criterion, rather than a simple 'FindAny' command
          $findRequest1 = $fm->newFindCommand($layoutName);
          $findRequest1->addFindCriterion('TestField2', 'abc');

          // time only the execute() call, which is where the login actually happens
          $startTime = microtime(TRUE);
          $result = $findRequest1->execute();
          $endTime = microtime(TRUE);

          if (FileMaker::isError($result)) {
              echo ( "<br>(AD): " . round ( ($endTime - $startTime), 4) . " : " . $result->getMessage() ) ;
          } else {
              echo ( "<br>(AD): " . round ( ($endTime - $startTime), 4) . " : OK. Found count: " . $result->getFoundSetCount() . " ... " . $result->getFirstRecord()->getField('TestField1') );
          }


          /* 2nd Login credentials */
          $fm = new FileMaker();
          // note: this database name differs from the 'Tester' used above
          $fm->setProperty('database', 'LoginTester');
          $fm->setProperty('username', $LoginCreds[1][0] );
          $fm->setProperty('password', $LoginCreds[1][1] );

          // Bit more complex Find command with 1 criterion
          $findRequest1 = $fm->newFindCommand($layoutName);
          $findRequest1->addFindCriterion('TestField2', '123');

          $startTime = microtime(TRUE);
          $result = $findRequest1->execute();
          $endTime = microtime(TRUE);

          if (FileMaker::isError($result)) {
              echo ( "<br>(local): " . round ( ($endTime - $startTime), 4) . " : " . $result->getMessage() . "<br>" ) ;
          } else {
              echo ( "<br>(local): " . round ( ($endTime - $startTime), 4) . " : OK. Found count: " . $result->getFoundSetCount() . " ... " . $result->getFirstRecord()->getField('TestField1') );
          }

          echo ( "</div>" );
          $i++;
      } // end Testing WHILE

      $overallEnd = microtime(TRUE);
      echo "
      <br><h3>Total Elapsed time = " . round( ($overallEnd - $overallStart) , 4 ) . "</h3>";


      ?>
      </body>
      </html>


       

      This all seems to work well, and unfortunately doesn't really show the authentication errors that we are seeing in the live solution file. (I have gotten a few, but they are far between.) HOWEVER, it does reveal a question that I would like some insight on:

       

      If I purposely provide the wrong PW for the LOCAL account, the first 2 runs of the loop will each take 10 seconds to fail, while the remaining 8 will only take .5 seconds each to fail. What is happening that the first two take so long but the rest are fast?

       

      And why does the OS Security log only show a single Active Directory request? I thought PHP was stateless, that it would have to log in each time. Why does the FM Server Admin Console show these accounts still connected, up to a minute or two later? Is FileMaker actually reusing the same login information for multiple requests?

       

       

      Thanks,

      Justin

        • 1. Re: FMSA PHP/CWP authentication issues
          mikebeargie

          Is there a reason you're setting your login to take place inside of the while loop?

           

          Would make a lot more sense to me if you opened the FM session outside the loop, and close it after the loop is done.

           

          Is it possible that you're doing something like DDoS'ing your filemaker server? What do your server event logs say in terms of number of CWP users hitting it?

           

          There are two sessions involved in CWP, the browser session that you set on the web server using $_SESSION, and the filemaker session connection on the server. The filemaker session stays open until the timeout set by filemaker is reached. So each time you pass "new FileMaker();", you're starting a new filemaker session.

           

          If you reach the hard limit of filemaker sessions that are allowed (set under the server admin console), CWP will start to return login errors until enough filemaker sessions timeout to allow connections. This I think explains the behavior you see. I would treat each user as a single filemaker session, not each call from a user, that should clear up any issues. Remember each action into filemaker resets the filemaker session timeout.

          • 2. Re: FMSA PHP/CWP authentication issues
            justinc

            Yes, there's a reason:  this script is designed to test the login process.  I WANT to hit the login as much as I can, because that is where we are seeing failures.  I was trying to create a simple standalone test environment to see if I could get the error to reproduce.

             

            I wouldn't THINK that it is a DDoS type condition...FileMaker logs indicate (when logins fail anyway) that it has denied the login.  We often don't see that it actually seems to have checked the login against AD, though; the OS Event Viewer - Security log doesn't show 10 login attempts.

             

            Errr...how do you close a PHP $_Session? 

             

            Our CWP limit is 75 currently.  The system lists a peak of 50 users, but not sure what caused that to happen.  Usually I see 3-6 users logged in.  And these 'authentication failed' errors are cropping up when there are only those 3-6 users logged in.  (Or, as in the case of my test environment, which is on a backup server, only 1-2 users.)

             

            Is the timeout for CWP users adjustable?  I know there is one for Client and for IWP, but don't recall seeing one for CWP.

            • 3. Re: FMSA PHP/CWP authentication issues
              mikebeargie

              PHP $_SESSION can be ended with "session_destroy();", and if you're worried about data, you can also preface that command with "$_SESSION = array();" to clear out the data before you destroy the session.

               

              It sounds like there is still confusion to what counts against your filemaker connections based on your code. Can you get some screenshots together? Are you getting any error codes (eg. 956) returned?
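The pattern mikebeargie describes in replies 1 and 3 (one FileMaker login per browser session rather than one per click, and ending the session with `$_SESSION = array(); session_destroy();`), written out as an added example. This is not code from the thread or from FileMaker; it assumes the FileMaker PHP API (`FileMaker.php`) is on the include path and reuses the `Tester` database and `TesterLayout` layout named in the original post. The function names `cwpLogin`, `cwpConnection` and `cwpLogout` and the idle-timeout value are this example's own.

```php
<?php
// Added example: one FileMaker login per PHP session, then per-request reuse.
// Assumes FileMaker.php from the FileMaker PHP API is on the include path.
require_once 'FileMaker.php';

// The PHP session timeout is independent of the FileMaker Server CWP session
// timeout; this is a hypothetical idle limit for the browser side only.
define('CWP_IDLE_SECONDS', 900);

session_start();

// Verify the credentials once against FileMaker Server. On success, remember
// them in the PHP session (the same tradeoff the original post makes: the
// session save path then holds passwords and must be protected accordingly).
function cwpLogin($username, $password)
{
    $fm = new FileMaker('Tester', 'localhost', $username, $password);

    // listLayouts() needs a valid account but touches no records, so it is a
    // cheap way to force authentication.
    $layouts = $fm->listLayouts();
    if (FileMaker::isError($layouts)) {
        // 212 = invalid account/password; 956 = session limit reached (the
        // code mikebeargie asks about). Log the code, never the password.
        error_log(sprintf('CWP login failed for %s: %d %s',
            $username, $layouts->getCode(), $layouts->getMessage()));
        return false;
    }

    // A fresh session id after login prevents session fixation.
    session_regenerate_id(true);
    $_SESSION['fm_user'] = $username;
    $_SESSION['fm_pass'] = $password;
    $_SESSION['fm_last'] = time();
    return true;
}

// Build the FileMaker object for this request from the stored credentials.
// Returns null when nobody is logged in or the PHP session has idled out.
function cwpConnection()
{
    if (empty($_SESSION['fm_user'])) {
        return null;
    }
    if (time() - $_SESSION['fm_last'] > CWP_IDLE_SECONDS) {
        cwpLogout();
        return null;
    }
    $_SESSION['fm_last'] = time();
    return new FileMaker('Tester', 'localhost',
        $_SESSION['fm_user'], $_SESSION['fm_pass']);
}

// End the browser session as described in reply 3: clear the data first,
// then destroy the session and drop the cookie so the old id is not reused.
function cwpLogout()
{
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        setcookie(session_name(), '', time() - 42000, '/');
    }
    session_destroy();
}

// Per-request usage: one find that reuses the session credentials. A 212
// here means the stored credentials stopped being valid (password changed,
// directory account disabled), so the user is logged out instead of retried.
$fm = cwpConnection();
if ($fm !== null) {
    $find = $fm->newFindCommand('TesterLayout');
    $find->addFindCriterion('TestField2', 'abc');
    $result = $find->execute();
    if (FileMaker::isError($result)) {
        if ($result->getCode() == 212) {
            cwpLogout();
        }
        echo 'Error ' . $result->getCode() . ': ' . htmlspecialchars($result->getMessage());
    } else {
        echo 'Found ' . $result->getFoundSetCount() . ' record(s)';
    }
}
```

Each request still constructs a `FileMaker` object, but the credentials are verified once at login; whether FileMaker Server reuses its own connection between requests is the separate, server-side session that reply 1 distinguishes from `$_SESSION`.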

              • 4. Re: FMSA PHP/CWP authentication issues
                user19752

                If I purposely provide the wrong PW for the LOCAL account, the first 2 runs of the loop will each take 10 seconds to fail, while the remaining 8 will only take .5 seconds each to fail.  What is happening that the first two take so long but the rest are fast? 

                 

                And why does the OS Security log only show a single Active Directory request?  I thought PHP was stateless, that it would have to log in each time.  Why does the FM Server Admin Console show these accounts still connected, up to a minute or two  later?  Is FileMaker actually reusing the same login information for multiple requests?

                There is no way to say whether the account is local or AD, so if it fails to authenticate locally, FMS will try AD.

                (I forgot which is first)

                I don't have an AD testing machine, so I tried on a local Windows account. It takes long (1.7 sec) only on the 1st run (the others take 0.7 sec).

                 

                See page 8 on here,

                https://fmhelp.filemaker.com/docs/13/en/fms13_cwp_php.pdf

                When the WPE connects to the Database Server, it doesn't disconnect until some timeout (seems to be 3 minutes) for future reuse.

                • 5. Re: FMSA PHP/CWP authentication issues
                  justinc

                  Thanks for the hints on the $_Session thing, especially the clearing of the variable.

                   

                  What would you like to see screenshots of?  My counts are based on what the server admin console reports in 'Clients' list, or from the 'Statistics -> Server' table view (showing current, average, low, peak).  Here's our test server:

                  [Attached screenshot: Screen Shot 2014-11-21 at 8.05.32.png]

                   

                  No, we aren't getting any other errors that I can see.  The FMserver logs only show the 22 - authentication failed error.

                  • 6. Re: FMSA PHP/CWP authentication issues
                    justinc

                    There's no way to determine AHEAD of time if it is local or AD.  As I understand the process, FileMaker gets a set of login credentials (either from the pop-up login form if you are using client, or from the web server in some manner) and starts at the top of its list of Accounts as defined in the 'Manage -> Security' window.  This list is sorted by authentication order (which can be changed).  FM starts at the top of that list:

                         A) if the account on its list is authenticated locally, it compares the 'username' of the credentials that it received to the 'name' of that account list.  If there is no match, it goes to the next account on the list.

                         B) if that account on its list is authenticated externally, it sends those credentials to AD (on Windows) or checks the local system accounts (OS X)

                              i) if there is no match to AD (Windows) then it checks local system accounts

                              ii) if there is no match to local system accounts (OS X) then it checks AD/OD

                         C)  AD or the local system, if it finds the account name and PW are correct, responds with a list of groups that the account name belongs to.

                         D)  FMS then compares the account-group name that it is currently looking for to that list of groups

                              i) if the FM account/group name is found in the list, the person is authenticated

                              ii) if the FM account/group name is NOT found in the list of groups returned by AD, then FMS moves on to the next account name in its list and starts over at step A

                     

                    (Side note:  FMserver does not hit AD repeatedly for the same login attempt as it finds additional externally authenticated accounts in its list; it must cache the first response from AD and then compare later account names to that initial response.  Which makes a lot of sense.)

                     

                    That's my understanding of the sequence.  So, on Windows it checks AD first and then local system accounts (if the account is externally authenticated). 

                     

                    FileMaker put out a Knowledge Base article about slow authentication responses.  Their solution was to put all local accounts at the top of the authentication order.  Semi-effective, as anyone with AD accounts still gets hit with delays.

                     

                    Yeah, we have noticed the slow disconnect of clients from the server admin console display.  But it seems that, even though they exist there, at times it still decides it has to authenticate them again.  That's part of what I am trying to understand: when exactly does it decide it needs to authenticate again?

                     

                    -- J
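The account-list walk justinc lays out in steps A through D above, together with the side note that the directory is consulted only once per login attempt, as an added simulation. This is not FileMaker's code and not from the thread; the account list, the stand-in directory, the user names and the group names are all constructed for the example, and `directoryLookup` collapses the AD-then-local-system fallback (steps B i and B ii) into a single call. It also shows why the Knowledge Base advice of moving local accounts to the top of the order helps local users but not AD users.

```php
<?php
// Added example: simulation of the authentication-order walk described in
// post 6. Everything below is constructed; it is not FileMaker's implementation.

// Constructed account list in authentication order. Local accounts carry
// their own password; external accounts name a directory group.
$accounts = array(
    array('type' => 'external', 'name' => 'FM_Admins'),
    array('type' => 'local',    'name' => 'Test User', 'password' => 'validPW'),
    array('type' => 'external', 'name' => 'FM_Users'),
);

// Constructed stand-in for AD / the OS accounts (steps B and C). Returns the
// user's group list when the password is correct, or null. $lookups counts
// round trips to the directory, which is where the delay in the thread comes from.
function directoryLookup($username, $password, &$lookups)
{
    $directory = array(
        'AD User' => array(
            'password' => 'goodPW',
            'groups'   => array('Domain Users', 'FM_Users'),
        ),
    );
    $lookups++;
    if (!isset($directory[$username]) || $directory[$username]['password'] !== $password) {
        return null;
    }
    return $directory[$username]['groups'];
}

// Walk the list top to bottom. Returns the matching account name (or null),
// the position at which the walk stopped, and how many directory lookups it cost.
function authenticate(array $accounts, $username, $password)
{
    $lookups = 0;
    $groups  = false;   // false = directory not asked yet; null = asked, no match

    foreach ($accounts as $index => $acct) {
        if ($acct['type'] === 'local') {
            // Step A: local accounts match on name, then on password.
            if ($acct['name'] === $username && $acct['password'] === $password) {
                return array('account' => $acct['name'], 'step' => $index, 'lookups' => $lookups);
            }
            continue;
        }

        // Steps B/C: the first external account in the list triggers the
        // directory lookup; later external accounts reuse the cached reply
        // (the side note in post 6).
        if ($groups === false) {
            $groups = directoryLookup($username, $password, $lookups);
        }

        // Step D: compare this FM group account name against the returned groups.
        if ($groups !== null && in_array($acct['name'], $groups, true)) {
            return array('account' => $acct['name'], 'step' => $index, 'lookups' => $lookups);
        }
        // D ii: no match, move on to the next account in the list.
    }
    return array('account' => null, 'step' => count($accounts), 'lookups' => $lookups);
}

// Constructed runs in the original order, then with the local account moved
// to the top as the Knowledge Base article advises.
print_r(authenticate($accounts, 'AD User',   'goodPW'));
print_r(authenticate($accounts, 'Test User', 'validPW'));
print_r(authenticate($accounts, 'Test User', 'wrongPW'));

$localFirst = array($accounts[1], $accounts[0], $accounts[2]);
print_r(authenticate($localFirst, 'Test User', 'validPW'));
print_r(authenticate($localFirst, 'AD User',   'goodPW'));
```

In the original order every login, including a local one and including a wrong password, pays for one directory round trip before the local account is even compared, which is the slow-failure case in the opening post. With the local account first, local users skip the directory entirely, while AD users still reach an external account and still pay the lookup, matching the "semi-effective" verdict on the Knowledge Base advice.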

                    • 7. Re: FMSA PHP/CWP authentication issues
                      justinc

                      Hey Mike,

                           Maybe I am misunderstanding what you are trying to say, but I'm not sure that it makes sense that FileMaker authenticates a user as soon as you use "new FileMaker()".  You can use that statement without even providing a server, DB, or user credentials, so how would it authenticate?  I haven't looked into the source code but this also seems like a regular constructor for the class-object, which typically wouldn't try to interact with outside systems, but rather just set up the memory space for a new object.

                       

                      I would think that the rubber meets the road at the "execute()" steps.