Confusion About External Server Authentication

[Steven H. Blackwell]

It has come to my attention that a considerable number of questions have arisen in some other venues regarding External Server Authentication. Here are a few pieces of information that are hopefully helpful:

1. There is a Tech Brief ( not so brief at 55 pages or so) on the FMI web site that deals with the mechanics and the concepts of External Server Authentication in great detail. We recently updated it for FileMaker Server 9. I had a small hand in this; however the indefatigable and Uber-knowledgable Wim Decorte deserves principal credit for constructing and explaining the various scenarios and technical considerations.

2. People sometimes confuse External Server Authentication and SSO (Single Sign On aka Single Source Log On). There is a relationship between the two items; however they are not the same thing.

3. External Server Authentication refers to the capability of FileMaker Server to utilize the Account Name and Passwords for a large (or small) number of users and to have those credentials authenticated externally to FileMaker Pro files. These Accounts can be on the server itself or on a Domain Controller running Active Directory or Open Directory. These accounts are linked to specific Privilege Sets in one or more FileMaker Pro files by matching Groups. The principal advantage of External Server Authentication is that it allows for Identity and Access Management for multiple FileMaker Pro files in a single place, rather than having to manage IAM in each file separately for each Account. Have 40 files and 100 users and you sort of get the flavor of this.

4. SSO in this context is a Windows FileMaker Pro client to Windows FileMaker Server process whereby the credentials used to gain access to the domain can be passed seamlessly to FileMaker Server and used for access to FileMaker Pro files. Macintosh FileMaker Pro clients cannot employ SSO; they can, however, emulate the process by storing their credentials in the KeyChain.

5. External Accounts can be used to authenticate for access by Instant Web Publishing and Custom Web Publishing. IWP and CWP cannot utilize SSO however.

6. Windows clients running Windows XP Pro SP 3 will experience difficulties with SSO when Database Visibility is employed on FileMaker Server. Users will be required to enter their credentials when initially accessing the server even though they have previously been authenticated to the network. Specific files can then be accessed without further challenge.

7. Registration of a FileMaker Server with an LDAP directory has NOTHING to do with Server External Authentication.

Mr. Osborne and I cover these matters extensively in Days 4 and 5 of our official FileMaker Training Series courses found here.

Steven