Active Directory Question


This topic is 4860 days old. Please don't post here. Open a new topic instead.

Recommended Posts

I have FMPro advanced server set up on a Windows 2003 member server. The domain controller is a separate box from the FMPro server. I have uploaded a database and created a group called FMPRO9 as an external authentication group with read-only rights to the test database. I have configured the server and ran the AD test, which comes back as successful. I then added my AD account and another user's account to the FMPRO security group on the Windows domain. I tested accessing the database before and after adding the users to the group. Since I set up the security to hide the databases when you do not have access, I could not see them prior to adding myself to the group. After adding my account to the group I got right into the database but had full rights to it. Any idea why it's not restricting my user as read only? On the server's admin page it is a little confusing where you configure the system for external authentication. The item in question is the directory entry point. My server is located as follows:

server name: server1

domain name: domain.local

container where the server resides: computers

Given that information what would be the directory entry point for my server? I think this is what might be causing my issues.

Thanks


Yep, I see where that was set. Now the file asks for a username and password, almost as if external authentication is not enabled. My fear is that I do not have the Directory entry point set properly. What exactly does this item need to point to? Should it direct the server to where the user groups are in Active Directory? If so, what is the format of this field?

My domain is: domain.local

The groups are in the default Users container directly below the domain.local container, and my server name is Moodle. Given that info, what should I put in the directory entry field?

TIA!


jlazore,

You are using the term "directory entry field". I am running essentially the same setup as you but I am not familiar with that term.

It is my experience that it doesn't matter what organizational unit (aka folder) the FileMaker security groups reside in; they work properly wherever they are.

What you may want to do is make a Windows account for a fictitious person that you can use for testing purposes. That way you can retain full access rights for yourself and will be able to log in as this other person for testing.

I created my AD groups and named them something like this:

FM-Administrator

FM-TypicalUser

FM-HumanResources

FM-AreaManager

FM-Guest

Then you have to create externally authenticated accounts named exactly the same within FileMaker Pro. You *must* set the authentication order of the groups because your people *may* be a member of more than one group and FM needs to know which account to use. For instance, if your phoney AD user was a member of both the FM-Administrator and the FM-Guest groups, he would be granted FM-Guest rights if FM-Guest appears higher in the authentication order than FM-Administrator.

Hope this helps. If not write back and explain what you mean by directory entry field.


The directory entry field is on the server, where you configure your external authentication. The example that is given isn't very explanatory. I just want to make sure I am putting the correct context in that field. When I remove my user account from the AD group I am not able to see the file, which means it is communicating with the AD tree properly. The problem still exists where I have given the group read-only rights on the FMPro side but I can still change records on the test file. I have also done what you are suggesting and taken an ordinary user and added her to the group - same results, full access.


I'm still scratching my head over the "directory entry field" that you say is on the server. Could you possibly take a screenshot of that field? It would help quite a bit.


User's account goes into AD. It is then made a member of one or more groups in AD. The FileMaker Pro file must have a Group that exactly matches the name of the AD group. The FileMaker Group is tied to a Privilege Set.

When the user authenticates, the matching groups form the basis for the privileges for the AD account.

It does not sound as if you have your system set up as I have described.

Please take a look at the Server External Authentication Tech Brief from the FMI Web Site.

Steven


Also, as Mr. Blackwell suggested, make absolutely certain that you have the auto login feature turned off.

On FM Pro, not FM Server:

File > File Options

Make sure the box labeled "log in using" is unchecked.


That is exactly how I have it configured. See the attached JPEG for a screenshot of the server screen I have been talking about. I did turn off the autologon feature on the file. The user group is defined as FMPRO9 on the AD server and in the FileMaker Pro database. I have added my user account to the group on the AD side. Right now it is prompting me for a user name and password when I try to open the FMPro test database.


Ah... That section of the setup has nothing to do with security. It is for essentially "advertising" your server to others via LDAP. I do not use that on my setup nor have I configured anything.

Here is where you go to set up external authentication. See the attachment.

img-047.png


  • 2 years later...

Hi guys,

OK, I have read through most of the dox and this post and still have an issue.

My FileMaker Admin group works fine, but I created another group for Read Only (we are in the process of lockdown) and it will not work at all. I am unable to log in to the DB I was working on.

The account is FileMaker Read-Only and the exact same name is the AD OU, in the same AD branch as the FileMaker Administrators; it is the first Account/Privilege set in the authentication order.

I get a login prompt when trying to access the DB and this error in the event log:

Client "Company Name (Computer Name) [iP]" authentication failed on database "dev CRM.fp7" using "domainfmtest [fmapp]".

Any ideas?


Hi

Thanks for the reply.

No luck I'm afraid. I moved the test user to the Admin group and it worked immediately.

My Privilege Set has Data Access and Design set to View only and scripts to Executable only. I attached a screenshot of that. Is there an error there?

fmprivset.PNG


My initial reaction is that you have no extended privileges set. At least one must be checked for anything to connect.

Select "Access via FileMaker Network". That allows FileMaker workstations to connect to each other and to the FileMaker server.

Let me know how you come out.


  • 4 weeks later...

Hi guys,

Ok - thanks once again for all your help. The groups are working fine.

My only issue is that copy and paste from one text field to another is not working. I have attached a screenshot of the privilege set.

Cheers

Ivor

fm_de.JPG


Ivor,

First off, you might want to rethink having your scripts being modifiable by your Data Entry security group. Intuitively, it would seem that Executable Only would be a better choice.

As far as cut-and-paste goes, the AVAILABLE MENU COMMANDS *may* affect that, but you have set it to ALL so I doubt that is the cause, unless your data entry people aren't actually entering your file via that group.

To check, hook a custom dialog box directly to a button and have it display the privilege set. Press the button when you're logged in as a data entry person and you might be surprised at what you find.


Thanks Ted,

I changed the script to Exec Only. My authentication order is ReadOnly>DataEntry>Admin>FMAdmin.

At this point no one is in the ReadOnly group. We are 'weaning' users off All Access.

I may be a bit out of my depth on your last recommendation. I am very new to FM.

I have a dev DB so I'll see if I can 'break' that.

I went to Manage>Layout>Edit>Script Triggers, checked 'OnRecordLoad'. I created a new script called CustDiag and ....

That is where I get lost...

Thanks again for your time...


Ivor,

I'm thinking you probably should reverse your authentication order. Go from most open to least open.

You are using external authentication right?

I assume you have or will be creating a Windows group for each role and then assigning your people to one or more of these groups. For example, let's say that Jane Doe is assigned to both a data entry and a view only group. As your authentication order is now, she would have view only access because that group is higher in the authentication order. However, she probably should have data entry rights because you put her in that group.

As far as the custom dialog goes, you're making it too hard. I'd not even bother with a script. I'd simply create a button that is bound to the custom dialog and have the dialog box return the privilege set. Now be aware that there are two different GET functions that return privilege set results. One returns the login privilege set and the other returns the current privilege set. The difference is subtle but important. See FM help for the details.


Ted,

Once again thanks. Yes, I use External Server and have OUs within AD. I did reverse the auth order, but it made no change. I also double checked that the user was only in one FileMaker OU. I confirmed that if you have edit and Export privileges you should be able to copy and paste data, but not getting any joy.

I have no experience with FileMaker design so I will attempt the button you described, but it will take some time.

For now I 'cheated' and moved one user into the FileMaker Admin group and she can continue.

Give me a few days and I'll be back!


Network sharing is a big no-no with FileMaker. Clients should only connect via FileMaker's sharing method (Open Remote).

You open yourself up to data and/or schema corruption if the database is opened via standard network sharing. I don't think this is the cause of your copy and paste issue, but to prevent future trouble you should end network sharing.


Ditto for Ted's words.

Regarding the external authentication: check that the server box does not have accounts on it with the same name as those of the users. External authentication has an order of preference:

the file's internal accounts

accounts on the host computer

users and groups in the AD/OD

... so check all three places for accounts with the same name.

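Added example (not code from this thread or from FileMaker) that models the resolution rules Ted and Vaughan describe above: file-internal accounts take precedence over same-named host accounts, which take precedence over AD/OD groups; among external accounts the first match in the authentication order wins; and a matched account still fails at connect time without the "Access via FileMaker Network" (fmapp) extended privilege. All account, group and user names are constructed.

```python
# Added illustration of the privilege-set resolution this thread describes.
# Not FileMaker code: account, group and user names are constructed samples.
from dataclasses import dataclass

FMAPP = "fmapp"  # the "Access via FileMaker Network" extended privilege

@dataclass
class FMAccount:
    name: str               # external accounts must match the AD group name exactly
    external: bool          # True: "External Server" account, False: file-internal
    privilege_set: str
    extended: frozenset = frozenset()

def resolve(accounts, username, ad_groups, host_users=None):
    """Return (privilege_set, reason); privilege_set is None on failure.

    accounts   -- FM accounts in the file's authentication order, top first
    ad_groups  -- {username: {group names}} as held in the domain
    host_users -- {username: {local group names}} for accounts on the FMS host
    Precedence per the thread: file-internal accounts, then accounts on the
    host, then AD/OD groups; among external accounts the first match wins.
    """
    host_users = host_users or {}
    for acct in accounts:                       # 1. file-internal account
        if not acct.external and acct.name == username:
            return _grant(acct)
    if username in host_users:                  # 2. same-named host account shadows AD
        groups = host_users[username]
    else:                                       # 3. AD / OD group membership
        groups = ad_groups.get(username, set())
    for acct in accounts:
        if acct.external and acct.name in groups:
            return _grant(acct)
    return None, "no account matches %r or its groups" % username

def _grant(acct):
    # A matched account without "Access via FileMaker Network" is refused at
    # connect time, which shows up as "authentication failed ... [fmapp]".
    if FMAPP not in acct.extended:
        return None, "account %r lacks the fmapp extended privilege" % acct.name
    return acct.privilege_set, "matched account %r" % acct.name

def demo_order():
    """Ted's Jane Doe case: Jane is in both the Read-Only and Data Entry groups."""
    ad = {"jane": {"FileMaker Read-Only", "FileMaker DataEntry"}}
    ro = FMAccount("FileMaker Read-Only", True, "Read-Only", frozenset({FMAPP}))
    de = FMAccount("FileMaker DataEntry", True, "Data Entry", frozenset({FMAPP}))
    least_open_first = resolve([ro, de], "jane", ad)[0]   # -> "Read-Only"
    most_open_first = resolve([de, ro], "jane", ad)[0]    # -> "Data Entry"
    return least_open_first, most_open_first
```

Running `demo_order()` shows why Ted advises ordering from most open to least open: the same group memberships yield "Read-Only" under one order and "Data Entry" under the other.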

Thanks for the feedback guys,

Share removed

No domain users on the local machine or local admins, etc

I have 3 AD OUs:

FileMaker Read-Only

FileMaker DataEntry

FileMaker Administrators

I also have a legacy group:

FileMaker Users

But this is definitely not on any of the DBs

I have reversed my auth order from least to most, to have the highest privilege first.

I am sure it is something small....but I keep missing it (That's what she said!!)

I have not figured out the button yet, but the symptom is still:

Can copy from DB1, but cannot paste into DB2


Hi guys,

OK, I found the issue - critically, the users had not told me there was a 3rd DB in the chain. And my error was that the button setting on that DB was minimal - and for some reason paste would not work.

It works now. Thanks again.

@Ted: That video was awesome! Better than VTC - thanks so much!

@Vaughan: DUH! - School boy error - I'll remember to test that way.


Hi Ted,

I put your button recommendation on and my Data Entry group gets a '?'!

I did create my own Privilege set so I can edit the priv set.

Another random question I have is: what is the time relation between changes on FM Server, client pushes and syncs with AD?


FMS does not sync with the AD at all. When a client connects and you're using external authentication, FMS will query the AD right there and then.

If you change a user's group assignment in AD then the user will need to log out of the FM solution and log back in before he gets his new privileges.

You can only run into AD sync issues if you're using multiple replicated AD boxes and FMS happens to query a replica that is not synced to the primary domain controller.


  • 3 weeks later...

I have the following setup:

Domain Controller Machine (Win2008 Server)

domain is named "company.com"

it has a security group named "group"

and.. an account named "user" is in that group.

I am setting up FileMaker Server Advanced on another Windows 2008 Server that is joined to the company.com domain.

Is that *all* I need to do in terms of connecting the FMS box to the Domain controller box?

Can I proceed from here with setting up the configuration for external authentication in FileMaker Server Admin Console AND in the FileMaker databases, or is there something else I need to do between those two machines to get external authentication to work?

On the Mac side of the world, I know I had to "bind" the Mac FMServer to AD. Is "binding" the PC equivalent of "joining" the domain?

For some reason FMSA is joined to the domain but won't let me authenticate against AD.
