
External Authentication Basics


This topic is 4881 days old. Please don't post here. Open a new topic instead.

Hi all.

I've been reading some white papers and tech briefs about external authentication and I have a hunch that it might be what I need.

If I am not asking too much, I would like to share with you my ideas in order to prove me wrong or right and continue towards the correct direction.

Let me say for a start that I have a little local network inside which there is a server (Win Server 2003R2) running FM Server 10 Advanced, hosting some databases (in some cases "talking" to each other). There is no Open/Active Directory, Domain Server or other complicated setup. In fact, Filemaker Server is under a One-Machine deployment.

It would be nice if I don't need to implement a complicated network setup (Open/Active Directory services, etc.) as my knowledge is limited and I can't afford hiring someone.

For the time being, I have only been able to make my database available to computers in an intranet and the local network (I don't need anything else).

However, from what I've understood so far, External authentication is THE WAY TO GO if one needs to host multiple databases with the possibility of each one "talking" to each other, and not mess with account spaghetti.

Time for the questions (please respond to related number)

1. If I am correct, I have to create user accounts and groups in the Windows Server machine that runs Filemaker Server, correct?

2. If yes, how do users sign in according to connection (FM Sharing, CWP, IWP)?

3. How do I allow users to modify their password?

4. Is there any conflict between the number of users connected to FM Server and the limitation of up to 5 CALs imposed by my Windows Server 2003 R2 license?

5. Can a user be a member of more than one group according to which database file is opened?

6. Can you clarify the setup of any of the above?

7. How can Single-Sign-On be implemented the easy way?

Your help is greatly appreciated (as always...) in advance.

Lots of questions here. Please see the post on EA at the top of this Forum. As for #5 a user can be a member of more than one Group, but only one Group--the first one in the authentication order in the specific file--is governing.

SSO is different than External Server Authentication. SSO is a Windows workstation to Windows Server under Active Directory only. Macintosh users can emulate SSO to some degree with the use of the KeyChain.

HTH

Steven

Lots of questions indeed, even though I have already read the post you refer to. I am not a computer specialist so sometimes the case may be that I come across the information I am after but just don't see it.

Especially for Q3, how do users change their authentication info (password)? Is it still stored inside the database file? From what I've read I'd say no, but then I don't know the answer.

The passwords are not stored in the file whether you use external authentication or not. When using EA without a domain controller--namely local account on the FMS machine--there is no readily easy way to change passwords. It requires a special web front end program, IIRC, to do this.

I am in transit right now, but I will try to get some more information on this soon.

You might want to look at Wim Decorte's videos on vtc.com about this topic.

Sent from iPad. Please excuse typos.

Steven

Hmm. I have Wim Decorte's videos from VTC but couldn't spot a solution about this. Will be waiting for your contribution, thanks a lot.

1. If I am correct, I have to create user accounts and groups in the Windows Server machine that runs Filemaker Server, correct?

Correct.

2. If yes, how do users sign in according to connection (FM Sharing, CWP, IWP)?

When they open your files (provided you have "log in as" turned off in the FM file options) then the user will be prompted for credentials on the first file. They just type in the windows account name and pw.

If they belong to at least one EA group set up in each of the files they will not be prompted again for the subsequent files.

3. How do I allow users to modify their password?

Can't be done in this setup. At least not unless you really want to learn about windows local accounts and windows scripting. It can be done more easily with a domain. But not from within FM, this has to be done outside of FM.

4. Is there any conflict between the number of users connected to FM Server and the limitation of up to 5 CALs imposed by my Windows Server 2003 R2 license?

It's a grey area. If you ask your MS rep he is likely to say yes. However it has been stated before (but don't take my word for it) that as long as you don't use any of the Windows "services" like print serving, file sharing, ... you should be fine.

The devil's advocate will say that the authentication process is a service provided by Windows so you need CALs for each user.

5. Can a user be a member of more than one group according to which database file is opened?

Users can indeed belong to more than one group, or even belong to groups-in-groups. You need to be careful in setting up your authentication order in your FM files. FM will stop at the first group in that order that the user belongs to and will assign the user the priv set that comes with that first group match.

If you're asking if the user can belong to different groups per file in the solution then yes that works too.

6. Can you clarify the setup of any of the above?

Not sure what you're asking here. That's described in the white paper to some extent.

7. How can Single-Sign-On be implemented the easy way?

SSO can't be used unless you use an AD domain and the FMS machine is a member server in the domain and the users' workstations are also members of that domain.

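The rule given in the answer to Q5 above (the first group in the file's authentication order that the user belongs to wins, and nested groups count as membership) is easy to get wrong when a broad group is listed before a narrow one. The following is an added example, not code from the thread and not FileMaker's own logic: it models that resolution in Python so the effect of ordering can be checked before touching the real file. Group names, memberships and privilege-set names are constructed for illustration, and `shadowed_groups` is a hypothetical helper that reports entries no user can ever reach under a given order.

```python
"""
Added example (not from the thread, not FileMaker code): a model of how a
FileMaker file's external-authentication order picks a privilege set.
Group names, memberships and privilege-set names below are constructed.
"""
from typing import Dict, List, Optional, Set, Tuple

Entry = Tuple[str, str]  # (Windows group name, FileMaker privilege set)

# Constructed Windows group membership. A member may itself be a group
# (groups-in-groups); effective_groups() expands that nesting.
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "FM_Admins": {"alice"},
    "FM_Staff": {"bob", "FM_Admins"},       # FM_Admins is nested in FM_Staff
    "FM_ReadOnly": {"carol", "FM_Staff"},   # FM_Staff is nested in FM_ReadOnly
}

# Two candidate authentication orders for the same file.
ORDER_GOOD: List[Entry] = [
    ("FM_Admins", "[Full Access]"),
    ("FM_Staff", "Data Entry"),
    ("FM_ReadOnly", "Read-Only"),
]
ORDER_BAD: List[Entry] = list(reversed(ORDER_GOOD))  # broadest group listed first


def effective_groups(user: str, members: Dict[str, Set[str]]) -> Set[str]:
    """Every group the user belongs to, directly or through nested groups."""
    found: Set[str] = set()
    changed = True
    while changed:  # repeat until no new group is discovered
        changed = False
        for group, direct in members.items():
            if group not in found and (user in direct or direct & found):
                found.add(group)
                changed = True
    return found


def winning_entry(user: str, order: List[Entry],
                  members: Dict[str, Set[str]]) -> Optional[Entry]:
    """First entry in authentication order whose group contains the user."""
    groups = effective_groups(user, members)
    for entry in order:
        if entry[0] in groups:
            return entry
    return None


def resolve_privilege_set(user: str, order: List[Entry],
                          members: Dict[str, Set[str]]) -> Optional[str]:
    """Privilege set the user gets; None means no external account matches."""
    entry = winning_entry(user, order, members)
    return entry[1] if entry else None


def all_users(members: Dict[str, Set[str]]) -> Set[str]:
    """Principals that appear as members but are not themselves group names."""
    return {m for direct in members.values() for m in direct if m not in members}


def shadowed_groups(order: List[Entry], members: Dict[str, Set[str]]) -> List[str]:
    """Groups in the order that can never win for any known user: a sign that
    a broader group placed earlier swallows their members (hypothetical check)."""
    winners = {winning_entry(u, order, members) for u in all_users(members)}
    return [group for group, priv in order if (group, priv) not in winners]


if __name__ == "__main__":
    for name, order in (("good", ORDER_GOOD), ("bad", ORDER_BAD)):
        print(f"order {name}:")
        for user in sorted(all_users(GROUP_MEMBERS)) + ["dave"]:
            print(f"  {user:6} -> {resolve_privilege_set(user, order, GROUP_MEMBERS)}")
        print("  shadowed:", shadowed_groups(order, GROUP_MEMBERS))
```

With `ORDER_BAD`, alice (an FM_Admins member) lands in the Read-Only privilege set because FM_ReadOnly, which contains FM_Staff and therefore FM_Admins, is listed first; the two later entries are reported as shadowed. Listing the most privileged, most specific group first (`ORDER_GOOD`) gives each user the set intended for them. Run the same kind of check against your own group nesting before relying on the order in a file.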

3. How do I allow users to modify their password?

Can't be done in this setup. At least not unless you really want to learn about windows local accounts and windows scripting.

Can you please direct me to any resources for that?

Also, by creating those users in Windows Server machine, how do I prevent them from taking control of the server if they physically access it? (Maybe I'm posting on the wrong forum, but I really hope you can help...)

Thanks a lot for your answers, you really cleared things up for me!

You prevent them from logging into the server machine through physical security (put it in a room that they don't have access to) and you prevent remote access by making sure the group policy is set correctly.

That and how to script pw resets is stuff you can find on Microsoft Technet. Go ahead and google those terms. Don't have specific URLs handy...

If you are going to dive into that though, you might as well go with an AD and learn it properly. The learning curve will only be slightly steeper but the benefit will be much greater.

Great! Just another item on my Things-to-learn-list!

Thank you very much for your valuable recommendations!
