External Authentication and Alt-Security-Identities

[aperch]

Hi--

I'm trying to use external authentication using Windows domain accounts containing alt security identity information. Our Windows domain accounts are name-mapped to MIT kerberos KDC accounts.

If I open a database file while logged into a Windows domain account using the Windows domain credentials, external authentication works as expected. If I log in using the name-mapped kerberos credentials, the database access fails.

In both cases, running "whoami" from the windows resource kit reports that I am the same using the same account and belonging to the same groups.

Any help would be greatly appreciated.

Thanks,

Andy

[Steven H. Blackwell]

Authentication must be done directly by Active Directory or by local security groups on the FMS box. If AD can manage the alternate system, then it should authenticate.

Steven

[aperch]

Steven--

Thanks for the quick reply. The credentials should be the same-- our domain has a trust relationship with the MIT kerberos KDC. I tried this a few years ago with Server 7, and exchanged some email with a Filemaker engineer, but it couldn't be resolved. We're currently upgrading to Server 9, so I thought I'd try it again.

Is there a way to start FileMaker Server with a higher level of debug logging?

Thanks,

Andy

[Wim Decorte]

Hi--

Our Windows domain accounts are name-mapped to MIT kerberos KDC accounts.

Not entirely sure what this looks like. If it is anything like an regular trust between ADs then it might work if you provide the full UNC or UPN credentials for the KDC realm. If you provide just the account name with the KDC password FMS will hand that off to the AD under the assumption that the credential exists as such on the AD and the authentication will fail if the pw is different. Using the full UNC or UPN syntax might get around that. I know it does for a regular AD to AD trust relationship.