FMS11: Authentication on open directory (Snow leopard) issues

[AnFrusch@pepp]

Hello all,

I'm triying to login in a filemaker server using Open directory in Snow leopard server so I created 2 users:

first.user member of Domain admins, Domain users, fmsadmin

second.user member of Domain users and fmsusers (a group that I created in the directory).

fmsadmin has full access to the file, fmsusers has restricted access (data entry only).

I want to say that both users are recognized by the domain controller (both users can authenticate in a Windows Vista business machine, load their roaming profiles and privileges properly).

only first.user can open filemaker files (even if I change the group membership to fmsusers).

At this point I don't know how to set up the file security setting to fit my needs or the directory user settings in Domain controller admin pane: I tried to use group names, group short names (i.e. Domain users AND domainusers) and the users short names are equal to their complete name (first.user's short name is first.user).

Any help? Any known bug?

FMServer v2 on Win 2008 server. Client FM pro advanced v2 on windows Vista machine.

[AnFrusch@pepp]

please, up..

[Steven H. Blackwell]

I'm triying to login in a filemaker server using Open directory in Snow leopard server

FMServer v2 on Win 2008 server. Client FM pro advanced v2 on windows Vista machine.

OK, this is confusing. Which is it, Mac OS or Windows OS?

The FileMaker Server machine must be a member of the domain where the accounts reside. If the combination is anything other than Windows Server and Windows FMP client, while you can use external accounts to authenticate, there will be no Single Sign On.

Have you looked at the White Paper on External Server Authentication?

Steven

[AnFrusch@pepp]

Hello,

first of all I would like to thank you for reply.

I have never talk about SSO,I guess SSO isn't available working with Open directory on SnowLeopard server (I think it's a Kerberos 'issue', but I really don't need SSO at all).

My server/client set up is the following:

Mac OS X 10.6 (SnowLeopard) server on a Mac mini, this server is the master and primary domain controller and I need to use it to authenticate users on client machines AND in filemaker shared files.

Filemaker server (FMS11) resides in a Win 2008 server machine (which is not part of the domain and maybe this could be a problem but I don't think so).

Client machine are Win Vista business edition SP2 and I can access them and join them in OD domain but only 1 user (I created 2 users) is recognized and can access filemaker server (no matter the group membership - fmsadmin, domainusers OR fmsusers).

Hope this could help to understand my problem..

I've contacted FM support forum and they told me that this could be related to SnowLeopard directory working with FMS11, it seems that other users reported the same situation during filemaker developers conference..

[Steven H. Blackwell]

Filemaker server (FMS11) resides in a Win 2008 server machine (which is not part of the domain and maybe this could be a problem but I don't think so).

Well, contrary to your belief here, FileMaker Server[color:red] cannot authenticate domain controller accounts if it (FMS) is not a member of the domain. However, you can use local security Groups and Accounts on the FMS machine instead of domain Accounts.

All that said, even if it were a member of the OD domain, the FMS machine might still have problems. Having the domain controller on one OS and FMS on the opposite platform has always been a challenge.

You might want to take a look at the External Server Authentication White Paper.

Steven

[Wim Decorte]

To reinforce what Steven is saying: your W2K8 machine MUST be a member of the OD domain before you can authenticate with OD accounts. Otherwise the FMS machine has no way of knowing who to contact for authentication and it will simply look in the list of its own local accounts.