14 Replies Latest reply on Mar 5, 2015 10:29 AM by wimdecorte

    Port(s) used for external authentication FMS13

    TimAnderson

      I am trying to establish what ports are used for Active Directory authentication, and whether the communication is encrypted.

       

      I have looked on the Ports used by FileMaker Server 13 | FileMaker documents but it is not specified. I have a client who is concerned that it may use port 80 and be unencrypted

       

      Thanks

       

      Tim

        • 1. Re: Port(s) used for external authentication FMS13
          hrc

          No. Active Directory is not a web server that uses port 80. The whole story is a lot more complicated.

          An extensive list of ports involved in various different kinds of communication occurring in an AD environment may be found here: https://technet.microsoft.com/en-us/library/dd772723%28v=ws.10%29.aspx

           

          The primary port used by your FMS13 to communicate with Active Directory is port 389. That's the default port of all LDAP services and AD is an LDAP service. You will find this setting represented on the "Directory Service" tab of the menu item "Database Server" in the FMS13 admin console.

           

          Having said that, the question of "encrypted vs. unencrypted" still remains.

           

          To the best of my knowledge, it is a rather hefty operation to establish SSL-encrypted LDAP-communication in an AD environment (includes a Windows Certification Authority (CA), etc.). I have access to a number of larger and smaller AD environments. Since none of them belong to a "high security" environment, none of them invested the time to set this up.

           

          Does this mean that login data are transmitted unencrypted in an AD environment?

          No, of course not! The key service taking care of security is Kerberos (port 88). Kerberos has been a key component of AD since the early days of Windows Server 2000. You'll find loads of explanations on Kerberos and security on the web. Here's an article from 2000 by Microsoft: https://msdn.microsoft.com/en-us/library/bb742516.aspx, title: "Kerberos Explained". There you'll see that a user's login password is hashed and only the hash is then transmitted. So the security of Kerberos is crucially dependent on the irreversibility of hashing algorithms. This hashed password then initiates a cascade of ticket exchanges (TGT - ticket granting ticket, Service Tickets, etc.). These tickets, which have a limited lifetime, are what eventually gives a user access to a resource in AD.

           

          There is one huge kind of mistake you can make to eliminate all security from this concept: Store or transmit AD credentials in an unencrypted way outside AD communication.

          Examples might be an unencrypted FileMaker table containing usernames and passwords. Another example is an unencrypted web server login page (HTTP) which then contacts AD in the background to authenticate a user. These are examples of major security flaws/breaches. If you take care not to make such major mistakes, I guess the level of security provided by Kerberos and LDAP is pretty okay for many applications.

           

          I hope that helps.

          ...and as always in IT: The details of the answer depend a lot on the specific situation you are talking about.

          • 2. Re: Port(s) used for external authentication FMS13
            TimAnderson

            Wow, thanks hrc, really full answer. Really appreciate how much you have put in to this

             

            Tim

            • 3. Re: Port(s) used for external authentication FMS13
              ch0c0halic

              Unfortunately this is partially misinformation.

               

              FMS does not directly do any AD (or OD) authentication. It requests the OS to do the Authentication. This is why the OS must be bound to the AD (or OD) server. Port and other LDAP specific info is probably OK but not the part about FMS Admin Console setup.

               

              The LDAP account setup in the Admin Console has NOTHING to do with authentication.

               

              The LDAP setup in the Admin Console is to get a list of FMS databases available through the LDAP listing. FMS is set up to publish its list of DBs to the LDAP server and then the FMP client can use the LDAP pull down; it's with the Local Hosts and Favorites to select a DB to open.

              • 4. Re: Port(s) used for external authentication FMS13
                hrc

                Hey ch0c0halic

                Unfortunately this is partially misinformation.

                I beg to differ.

                 

                FMS does not directly do any AD (or OD) authentication. It requests the OS to do the Authentication. This is why the OS must be bound to the AD (or OD) server.

                I agree with you. That's the case with ANY application that wants to access any resources in an AD environment. Actually, it's the essence of a service. AD provides (among others) authentication services. And yes, FMS accesses these services via the operating system, that's true. This is also a reason why it is important that the FileMaker service is run as a user which has AD access.

                The LDAP account setup in the Admin Console has NOTHING to do with authentication.

                Well, yes. But, I was not talking about the specification of the LDAP account. I was talking about the settings above these.

                [image: fms13_ad_settings.png]

                 

                Just to make sure that we're talking about the same settings: I'm talking about the ones within the red rectangle.

                If you don't connect your FileMaker Server to the AD using these settings you will not be able to utilize the external authentication feature within FileMaker databases. There is no other setting to do this. Please, note that you have to enter in which OU (organizational unit) in the AD the FileMaker server is supposed to look for security groups allowed to access a FileMaker database. These security groups are what you link to privilege sets within a FileMaker database.

                The LDAP setup in the Admin Console is to get a list of FMS databases available through the LDAP listing. FMS is set up to publish its list of DBs to the LDAP server and then the FMP client can use the LDAP pull down; it's with the Local Hosts and Favorites to select a DB to open.

                Hmm... Yes, you're more or less right. Yet, this feature is not always important. Basically, the list of FileMaker databases is propagated within a LAN via Apple's Bonjour protocol. But yes, if you want to publish FileMaker databases in LDAP, too, you can use the fields below the red rectangle to specify an account that has the privileges to do so. And if you do so, your databases will then be available in the "open remote file" dialog if you select "Hosts Listed by LDAP" where it says "View:". You still need to specify which LDAP directory to question, though.

                However, if you don't enter the information below the red rectangle, your databases will still be available via Bonjour.

                • 5. Re: Port(s) used for external authentication FMS13
                  BowdenData

                  Hi Hrc,

                   

                  ch0c0halic is correct. The LDAP config in the FM admin console does not affect and is not needed for AD/External Authentication.

                   

                  Do a search for Active Directory and you will find several threads on this. It is also discussed in the FM server config PDF. It is an area that is often misunderstood.

                   

                  Doug


                  • 6. Re: Port(s) used for external authentication FMS13
                    hrc

                    Hi BowdenData

                     

                    Yes, you're right.

                    But I guess, we're basically all misunderstanding each other to a degree.

                     

                    I have not been referring to the fields where you can specify login information to the AD in my original answer. But, obviously, you and ch0c0halic somehow understood me that way.

                     

                    I was only referring to the fields where you tell FMS where to look for information necessary for the external authentication feature. And in this context I stated that AD is an LDAP-based service. And that's certainly true, isn't it?!

                     

                    I hope, that this clarifies what I intended to say.

                    • 7. Re: Port(s) used for external authentication FMS13
                      TimAnderson

                      Thanks all for your input. One way or another we have answered the question and clarified LDAP for anyone else checking this. Can see where the misunderstanding of the original answer came in, but reading it again it is clear there was no reference to LDAP being used for authentication. I trust that AD is an LDAP service as I know no better!

                       

                      In Summary,

                      Pro asks Server to log in (port 5003), Server asks OS to authenticate with AD/OD (ports 389/88, possibly others), OS responds to Server, which opens the file or denies access.

                       

                      Hope others find this useful

                      • 8. Re: Port(s) used for external authentication FMS13
                        ch0c0halic

                        Correct. Let me expand a little.

                         

                        The LDAP reply is a list of groups that member is assigned to. If it does not authenticate the group list is empty.

                         

                        The OS passes this Group list to FMS.

                         

                        FMS traverses the list of Groups in the Security list in the Authentication order. The first Group that matches allows access using the Security Privileges associated with that Group.

                         

                        If none of the Groups match then access is denied.

                         

                        When setting up a new file or Person in AD (OD) typically there are three mundane reasons for failure.

                        1. Forgot to add the Group to the file

                        2. or the Person to the Group!

                        3. Group name in the file is misspelled. Capitalization is (sometimes) important to FMS! I suggest using only lower case for Group names.
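The group-matching walk ch0c0halic describes above, as an added illustration (not FileMaker's code): an OS/directory lookup stand-in returns the user's group list (empty on failed authentication), and FMS is modelled as walking the file's accounts in authentication order and granting the privilege set of the first external group account that appears in that list. The directory, account names, groups and privilege sets are constructed; the case-sensitivity flag is an assumption that models the "capitalization is (sometimes) important" caveat.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FileAccount:
    """One entry in a FileMaker file's account list (constructed model)."""
    name: str            # group name exactly as typed in the file
    external: bool       # True = "External Server" group account
    privilege_set: str

# Constructed stand-in for AD/OD: user -> password and group memberships.
DIRECTORY = {
    "alice": {"password": "pw-alice", "groups": ["fm_users", "fm_admins"]},
    "bob":   {"password": "pw-bob",   "groups": ["FM_Users"]},
}

# Authentication order as set in the file: first match wins.
ACCOUNTS = [
    FileAccount("fm_users",  True,  "data_entry"),
    FileAccount("fm_admins", True,  "full_access"),
    FileAccount("report",    False, "read_only"),   # local FM account, skipped
]

def os_group_lookup(username, password, directory=DIRECTORY):
    """OS step: return the user's groups, or [] when credentials fail (post #8)."""
    user = directory.get(username)
    if user is None or user["password"] != password:
        return []
    return list(user["groups"])

def resolve_access(groups_from_os, accounts=ACCOUNTS, case_sensitive=True):
    """FMS step: walk accounts in authentication order; first external group
    account that is also in the OS group list grants its privilege set."""
    norm = (lambda s: s) if case_sensitive else str.lower
    returned = {norm(g) for g in groups_from_os}
    for acct in accounts:
        if acct.external and norm(acct.name) in returned:
            return acct.privilege_set
    return None  # no group matched: access denied

def authenticate(username, password, case_sensitive=True):
    """Whole flow: client -> FMS -> OS -> FMS decision."""
    return resolve_access(os_group_lookup(username, password),
                          case_sensitive=case_sensitive)
```

Note that alice is in both groups but gets "data_entry" because fm_users is listed first in the authentication order, and bob's "FM_Users" only matches when the comparison ignores case.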

                        • 9. Re: Port(s) used for external authentication FMS13
                          TimAnderson

                          Thanks ch0c0halic,

                           

                          as someone who knows essentially nothing about AD/OD that really helps me understand the process

                          • 10. Re: Port(s) used for external authentication FMS13
                            wimdecorte

                            hrc wrote:

                             

                             

                            I was only referring to the fields where you tell FMS where to look for information necessary for the external authentication feature. And in this context I stated that AD is an LDAP-based service. And that's certainly true, isn't it?!

                             

                            I hope, that this clarifies what I intended to say.

                             

                            It does not.

                             

                            When you say "the fields where you tell FMS where to look for information necessary for the external authentication feature" --> that part is incorrect.

                             

                            You do NOT need anything filled in those fields (your red rectangle) for external authentication to work.  It has nothing to do with authenticating users for access to a FM solution.

                             

                            EA will work when the FMS machine is made a member of an AD or OD domain.  There are no settings on FMS except this one below that make EA work.  On the Security tab

                             

                            [image: 2015-03-05_08-30-39.png]

                             

                            The Directory Service tab is only useful on large networks where servers are not on the same subnet as the clients (so the users can not use "open remote - local servers" to have FM auto-detect servers).

                            Using the Directory Service feature you can use the directory service specified as a phonebook to find the server.

                            Find only, not authenticate against it, that is done by the OS if the selection in my screenshot is set.

                             

                            To be very clear: you can use the Directory Service feature and not use EA.   You can use EA and not use the Directory Service.  They have absolutely positively nothing to do with each other.

                            • 11. Re: Port(s) used for external authentication FMS13
                              taylorsharpe

                              For those of you with a Mac Server, you can set the FM Admin Security to allow "FileMaker and external server accounts" (see Wim's graphic).  But what if your server is not the hosting Directory service and you want to authenticate to an external server.  Go to the System Preferences and click on "Users & Groups".  Click the lock in the bottom left corner and authenticate to an Admin user.  Then click the "Login Options" button.  The bottom entry will be a choice to bind your FileMaker server to the directory service of another server such as your company's Active Directory server. Then the Group names for Active Directory authentication will be available to FileMaker security. 

                               

                               

                              [image: join.jpg]

                              • 12. Re: Port(s) used for external authentication FMS13
                                imarc

                                Based on what I'm reading in this thread and elsewhere, it sounds like if you *do* want to use the local (Mac) server for FMS external authentication and you're not running OS X Server, you can use the stock OS X Users & Groups panel to set up and populate the groups that used to be set up using Workgroup Manager (replaced by Profile Manager as of Yosemite) in OS X Server. Can anyone verify?

                                • 13. Re: Port(s) used for external authentication FMS13
                                  taylorsharpe

                                  Marc, you are correct.  You can always use your local Users and Groups on the Mac computer and it doesn't have to be a Mac Server version of the OS.

                                  • 14. Re: Port(s) used for external authentication FMS13
                                    wimdecorte

                                    Yes, same on Windows.  EA works against local groups and accounts on the machine.  If the machine happens to be a member of a domain then it may get very confusing if the same accounts exist both locally and on the domain.