oAuth and External Server Authentication

Hi there - I'm about to give up on external authentication with active directory, so any help would be greatly appreciated. Yesterday our office implemented AD authentication. All groups were created correctly and added to the appropriate databases. We then turned on external authentication account checking on our server. The system essentially works correctly. For example, on my Mac computer running FM 8.5, I go to Open Remote, connect to the server and enter my AD username and password - and all of the databases I have access to show up and open properly. Issues arise on Windows machines which are on the active directory. When a user logs in to …

Hello, 1° ) Is it possible to use Windows Authentication with FMP Instant Web Publishing ? 2°) Any good link/documentation to get started ? Thank you.

I know nothing about this subject, so for give me: can FileMaker client software support "Active directory" such that in a PC environment users can simply open FileMaker and automatically, according to their priviledge set, have password access the solution? If not, is FM Server needed? Where do I start to gain the understanding needed?

I'm looking to use ExAuth in my next project as there are several files and privilege sets that I wish to manage. However, I wish to use rla to only allow a user to view/edit only the records that they create if their priv set is "User". Typically, I'd set a rule where Get(AccountName) = record's AccountCreated. However, if I use ExAuth, can I still grab an account name? If not, how do I tag the record's creator? This solution will have a User's table (for purposes beyond account mgmt), if that impacts how I should deploy this. I can script an Account Mgmt across multi-files, if I had to. Suggestions? PS: Yes, Steven, I'm reading the white paper!

We are experiencing some unusual authentication issues. Our setup includes: - Windows 2003 domain - Using Active Directory with two Domain Controllers running Windows Server 2003 Standard - One FMSA10 (10.0.1.64) machine is running Windows Server 2003 Standard - A second FMSA10 (10.0.1.64) machine is running Mac OS X 10.5.7 Server. - Client machines are running either Mac OS X 10.4.11 or 10.5.7. The issue we have is that members of the fmsadmin group in Active Directory are not able to log into any hosted Filemaker database on FMSA10 running on Mac OS X 10.5 Server. When trying to do so you receive the, “The account and password you entered c…

I'm a bit confused over a behavior I'm seeing with regards to external authentication. Here's the scenario: I have several files in a solution, all hosted by FMS 10 on Tiger Server. I set up the GUI file to be authenticated via external authentication from the same server. It works fine. The puzzling part is why does the DATA file, which is set up to only authenticate via FMP log me in with my FMP account (which has different login credentials than the GUI)? IOW I login to the GUI as "User A" with password "X" and the DATA file opens with the credentials of "User B" with password "Y" without prompting me for those credentials. Any help on why this beha…

I have a FMS9a solution that has been authenticating IWP users against Active Directory. It has been working fine until the last few days. Suddenly now, it will occasionally refuse to authenticate users. Enter valid credentials and it just refreshes back to the login screen. Then, I'll quit the browser, reload the page, and it'll work fine. Then log out of IWP, restart browser, and it will fail. Not having any issues when accessing via FMAPP. Any ideas? Of course the logs arent saying anything other than authentication failed.

Hi All, I have an issue with a client setting up a IWP solution, and ESA configuration. They have a windows box running small business server 2003, being used as a domain controller. A second windows box runs FMS (currently FMS9A, FMS10A waiting in the wings) The plan was to use external server authentication configured on the SMB, to control access to the FMS database, but they have encountered a licensing issue, in that the SMB seems to have a limit on the number of accounts they can use for the FM group. A single group is configured on the SBS domain controller, and this group is used as the FM privilege set credential the access to the data…

Our company-wide workstation upgrade to [color:blue]XP's Service Pack 3 caused problems with FileMaker's single-sign-on (a/k/a external authentication or Active Directory). FileMaker users (and users of one other application here -- I forget the name) were prompted to re-enter their user IDs and passwords as soon as they clicked on a server name to see its contents. This happens in the "open remote" dialog box, at the point where they click a server to view its files. If they re-enter their network ID and password here (which has already logged them on and is active in the background, for people authenticated by network groups), then FileMaker submits that creden…

Hi all, I recently upgraded our server (windows) from FMP9 to FMP10. Just realized that my IWP solutions will no longer authenticate against our AD groups. I get the following error: "The account and password you entered cannot be used to access any databases on this server. Please try again." The AD authentication works for a client, but IWP logins only work against an actual FM account. The database is enabled for IWP. I have IWP enabled in the server admin console. I'm not sure what may be broken. Any tips?

Hi, I'm a newbie, I want to use my Open Directory to authenticate FM Server users I find the option: Config - BD Server - Security - FM accounts and External Server, but I dotn know where put the adresse of my Open Directory Server Txs for your help! Im not the FM admin and programmeur, im only a technicien FM Server 9 in Leopard

Hi, I'm trying to connect to a test fm database using external authentication, but without success. Here's the configuration : - FMS 8.0 on a Windows Server 2003 on which we connect as an external remote server. - Active Directory on a second Windows Server 2003. - Client connecting to the FMS using an address such as this one fmserver.ourcompany.com - Some clients are local to the same domain as the fm server, others are outsite the domain (working at home). I created a group a fmusers group in the AD and a test user (extUser) that belongs to the group. I'm trying to connect using all the methods that I know, but always unsuccessful. EG: …

I have a TS server setup with vla FMP 9 and the files are running on FMSA 9. The TS OS is MS Server 2003 SP2 and FMS9 is running on an XP sp3. I have the FMS settings set to "only display files that user is allowed to see" and when I try to connect to FMS I am being prompted to authenticate in order to display the files. Is there a way for FMP to use the users windows login to authenticate and display the appropriate files? When I click on the available file, it does use the user's Windows login credentials to authenticate and login to the solution. Is this the result of the bug reported by Steven (sticky post)? I'm hoping that this is only valid for user's workstati…

I have setup my FileMaker Server 9 Advanced IWP setup to authentication via a OS X server. I wanted to have every user on the OS X Server to have access to the database so I have made the group "staff" have full access to the database. This is not a security issue as this OS X server is solely used for users of this database. Now my problem is, I added new users to the OS X Server's ldap, and they ARE in the staff group, however, none of the new users can access the database. I know that for the previous users, the database IS using the LDAP's user base for authentication because those users do NOT exist in the FileMaker database itself. How can some memb…

Hi everyone, I have just finished setting up filemaker Server 9 with external server authentication, and I am quite pleased with the results! However, I have realised there is quite a substantial problem in my solution now. Basically, I have a "helpdesk" log where users can allocate tasks to each other. Then, depending on who is logged in, they will see any tasks allocated to them. However, this used to work via a relationship involving an unstored calculation field with the formula "Get(AccountName)" which would return the account name. With the external server authentication however, the account names are the individual user accounts for windows (as used …

I'm looking into an issue we're having with SSO for Filemaker in our Citrix farm. We are publishing the Filemaker 9 client through Citrix v4.5. The clients connect to a single Filemaker v9 server. All clients are Windows XP SP 2 and all servers 9 (both Citrix and Filemaker) are Windows 2k3 Server. None of our users have the client installed locally and all databases reside on the Filemaker server. We're attempting to implement single sign on for all Filemaker databases but our users are always prompted for credentials after selecting "open remote". I've been able to connect successfully using single sign on with a locally installed Filemaker 9 client so I'm sure that…

Hi everyone... I am almost embarassed to be asking this one. When I started this solution I didn't know anything about filemaker - and I have been gradually learning by reading the "missing manual" and the "filemaker 9 bible" amongst other sources, and of course this forum. However, my initial application for filemaker was very limited. Over the last few months however, I have been asked by the company I work at to continually expand this - and it now includes every department of the company. My problem is I started off with a multi-file environment, as I didn't quite understand the methods filemaker uses. As such, I now have 16 seperate files containing di…

I have discovered a new "feature" that has arrisen as a result of a recent update with Windows XP Service Pack 3. When using external authentication between a Windows XP Pro Client and FMS9A running on Windows Server 2003, traditionally when the client entered the servers details (I.e. open remote hosts, then clicked on the server name) immediately the client would be presented with a list of databases available to that client based on the clients credentials -- without having to authenticate. of Course, opening any of the databases would result as expected, the client is silently authenticated, resulting in a seemless operation. However (And i have confirmed t…

It has come to my attention that a considerable number of questions have arisen in some other venues regarding External Server Authentication. Here are a few pieces of information that are hopefully helpful: 1. There is a Tech Brief ( not so brief at 55 pages or so) on the FMI web site that deals with the mechanics and the concepts of External Server Authentication in great detail. We recently updated it for FileMaker Server 9. I had a small hand in this; however the indefatigable and Uber-knowledgable Wim Decorte deserves principal credit for constructing and explaining the various scenarios and technical considerations. 2. People sometimes confuse External S…

I have a user whose privileges I would like to increase. I changed her group assignment in Open Directory to achieve this. She retains her old group. Using inspector in workgroup manger she is in the proper group as seen from both her user and the group perspective. Is this cached with FMS somewhere? Any ideas how to solve this? Thanks, Drew FMS is on Tiger Server OD is on Leopard Server

There continues to be confusion is some quarters relating to authentication to "LDAP Directories" and attendant problems experienced thereby. FileMaker Server [color:red]does not authenticate to generic LDAP directories. It authenticates only to Open Directory, Active Directory, and to lcoal Accouints on the server itself. Please see the External Authentication Tech Brief on the FMI web site for more details. Thank you. Steven

I am using Open Directory to Externally Authenticate my FileMaker Server databases in an all Mac environment. In most cases when a user is part of multiple Groups, the Authentication order set in that database is observed. However, when a the GID of the lower privilege group is lower than the GID number of the higher privilege group, then the user is given the lessor privilege. This happens regardless of the Authentication Order set in the database. Is it necessary to to have the GID of my OD groups created in ascending order based on access rights?

Just a note regarding the issue that several have raised about members of the fmsadmin Group having to authenticate to access the Uniform Admin Console of FileMaker Server 9. I have not forgotten about this issue and I am continung to investigate about what must be the proper location for the group itself: the local server or the domain controller. I hope to have more to report on this soon, Steven

I have a machine running windows XP and every time I try to launch FM8 and go into the databases that are on the server it locks my active directory account. All of my databases use active directory for authentication. If I take a different computer and log in with the same cridentials it lets me in fine. I had changed my active directory password and I have had trouble ever since. It is acting like my computer is still trying to pass the old password to the server in some way. I have: -Removed filemaker and reinstalled it -Moved my data and deleted the profile off the computer and started fresh with a new profile. -Restarted the filemaker server…

I have a database that is using IWP and some filemaker clients connecting to it via the server. I have groups in Active Directory/Workgroup Manager. One member has access to the records in the database and the other members of the same group do not. Also I have members based on department--- so the group EOY_ACCT should have access to edit all records that dept="acct".... some members are in Acct and Theatre, but they only get access to Acct- not Theatre Does it lock the records? Any help would be greatly appreciated.

Here is my "problem": As far as I can tell, if a user is a member of more than one account in a FileMaker file, it gives that user the privilege set of the first account it comes to in the list of accounts. Is there a way to make FileMaker prompt the user with a kind of "which account do you want to use today" prompt window instead of just going with the first one that matches the user? I mostly want this capability as an administrator of the file, so I can quickly and easily make sure all the different user roles are working correctly. Right now, I have to shift myself around in the AD groups to get the privilege set I want when I open the file. Thanks, Joni

I am working with a client to implement external authentication. They are running FMS8 v4 on a Mac OSX workstation (10.4.7). They have an existing Active Directory (AD) server which is handling all the auth services throughout their network. I had the client setup a test group and test user in AD and I created the same group in FileMaker. The client tested the AD account to be certain that it was able to access network resources and all tests were successful. I have not been able to login using the external test account and am trying to determine the issue. I did find a KB article @ FMI which explained that in order for a Mac OSX box to authenticate against an A…

Hello people. We're switching to a virtualized Linux enviroment and Filemaker Server is the only problem yet to be solved. Is there a way to run FMS on Windows XP and get it to access a Samba/LDAP (DC) Server for Authentication? Has anybody made an attempt in running it in WINE? Thanks!

Hi-- I'm trying to use external authentication using Windows domain accounts containing alt security identity information. Our Windows domain accounts are name-mapped to MIT kerberos KDC accounts. If I open a database file while logged into a Windows domain account using the Windows domain credentials, external authentication works as expected. If I log in using the name-mapped kerberos credentials, the database access fails. In both cases, running "whoami" from the windows resource kit reports that I am the same using the same account and belonging to the same groups. Any help would be greatly appreciated. Thanks, Andy

My first question is a little complicated mainly because I don't fully grasp how the network is setup. It's a university Active Directory network with 20,000+ names in the directory. I have a database which needs accessed by 200+ students each semester and I'd rather not create a group each semester. Our department is running authentication through a Mac server which is connected to the active directory. For our normal FMP databases we can simply create a group on the Mac server and put the users from the active directory into that group. Is there a way to allow anyone in the active directory access to a file? My second question would be how to script events based on…

Active directory is working and I am able to authenticate remotely via an fmp9 client. In testing our transition to fm9 server from 5.5 server I have set up the server on several different machines all with varying results. The main problem seems to be SSO. Depending on which machine the FM9 Server resides will depend on whether the user is automatically authenticated without having to enter a password or with having to enter one. In both cases the domain authenticates. It appears to me that both machines are set up the same and joined to the domain the same. Has anyone seen issues like this before? Thanks, Paul

I have install FM Server 9 & FM Pro 9 on 14 PCs. I want to allow only 2 user to be able to Read/Write on the database. How can I do that? I have read many PDF even Server External Authentication Tech Brief but nothing is helping. I am new and I need step by step on how to setup. Can someone please help?

We have 13 PCs install w/ Filemaker Pro 9 and have Virtual Machine hosting the Database w/ FM Server 9. Everything is install however I don't know how to setup restriction on the 11 users to access to database. On the other hand, I would like to setup 2 user to be able to access to Database w/ Read&Write Access. What should I do? Is instruction on it?

Oh CRAP! steven I just read your post re Single Sign On and Mac OSX. I have to say -- no where in any FileMaker documentation is this mentioned; only on here - that will teach me for not coming here first! We've got a mixed environment as well. XP Professional users on an AD domain; connecting to FM on our terminal server. I've been trying to get single signon to work for a couple of days now; and of course my headaches surfaced when attempting to have the users access the databases hosted on our XServe. In this day and age with active directory and LDAP integration; these sorts of things should be a lot more seemless. Looks like we are going to…

The External Authenticated process doesn't allow the user to change password, so trying to enforce the "Must change password on next login" will cause issues, or allowing the user to change the password will also cause problems. The question is: Does anyone know of a way to allow users to authenticate or change their password remotely from the web? I guess Filemaker is out of the loop now. What, am I looking at .NET now? What was Filemaker developers thinking -- am I expected to have all my users change their passwords locally at the Filemaker server? That's ridiculous. Where do I even start to look in order to accomplish this task? Thanx.

We have a Filemaker server serving a database. The users (populated via LDAP) are in a group (FM_Dataentry) on the Mac server. Filemaker database is assigning permissions via the External Server and specifying that group (FM_Dataentry). They logged into the database using their LDAP login and password without any problems …. UNTIL this morning when we did an unexpected reboot. The login/password screen just blinks at you. It tries and comes back- no error, no message- nothing. I have tried making a new group on a test database on the server and can recreate the issue. It’s like the Filemaker Server is not recognizing the group on the Mac Workgroup manager. …

When any fields in a record is changed at all, I want to save who made that change in the "ModifiedBy" field in that record. Before I set up account authentication using Active Directory, this worked. Now, the "ModifiedDate" field is changing to the correct date, but the "ModifiedBy" field is staying blank instead of updating with my account name or the AD group name. I'm getting nothing. Any ideas what is causing the problem and how to resolve? Thank you in advance.

Ok basically I have server 9 and pro 9 on a test server running windows 2003. I have the directory services configured and it passes the self test form the server admin console. I also have the filemaker server being published succesfully to directory services. now with the database i have enabled external authentication with the group superadmin. in active directory I have created a group called superadmin and added members accordingally. from what i understand this is the correct method of external server authentication. However when i try to log into the database with my AD user name and password it says i'm unable to log in with this username and password. Also i…

I am running a Filemaker Advanced 9 server on Mac OSX 10.4.x. It is bound to our AD. I have a DB setup with authentication to a group in the AD. I log in to my WIN XP PC which is part of the same domain, and try to open the DB - but authentication fails. However, at the login window that is presented, if i enter my domain username and password, i can access the DB. The authentication error shows my username as my AD username! Any ideas?!?! Thanks in advance.

I currently have FM server Advanced version 9, which is being hosted on an Xserve Server. The Xserve is bound to active directory and the FM server is set to accept external authentication. My issue is when I try external authentication using the filemaker client on a mac it works great. However, when I try using a filemaker pc client to authenticate into my databases it will always lock my account from Active Directory even if I put in the right authentication. Sometimes it only takes 1 try (regardless if it's successful or not) to lock my account from active directory. Can anyone help me out in trying to figure this out. Thank you in advance Carlos C

Hi there. I have just recently migrated our FM7 server to a new box. Previoulsy all setup on 1 server and external authentication to AD worked like a charm. Now I have split the setup onto 2 servers - 1 web console - the other the the web publishing engine and server - setup B from the Web Publishing Manual. I have copied across all the databases (file copy) and I can open them all nicely from the File Maker client on my PC using accounts that are authicating against AD. The problme comes when I try and use IWP to open the databases, it simply keeps asking for user name and password. If i use an account name that is internal to FM server - works OK. The bottom line is t…

Hi, I'm not sure if it's possible what I'm trying to do but here it is, first of all I'm using FM server and not advanced. I'd like to be using an ODBC connection, what I have is multiple "users" in a table in Filemakers, fields are called "name" for username and "jobno" for password. I'd like to use these fields to serve as an LDAP, so that I can authenticate with Joomla as my CMS and Rumpus as my FTP server trough the FM database. Is this possible with an ODBC connection that can serve as an LDAP server? Robin

Hello Is there a way to get the User name of logged in User with external authentication? Get( AccountName ) = PC Account Get( UserName ) = Filemaker Preference Name Get = REAL logged in User Thanks for your help! Ron

I'm wondering if anyone has had success with this type of scenario: We have 12 Active Directory domains in our forest. We host FMPro 9 Server from a Mac which is joined to Domain #1. What we want is a Universal group in AD in Domain #1 that contains Global groups from Domains #2 and 3. The idea being that we manage the privilege set for database access from Domain #1, but the admins in Domains 2 & 3 manage WHO has access. Essentially this works out to two global groups nested inside of a universal group. Will logins work if FMPro is set to look for the nested group name or must my groups be unnested?

I have an FM 8 Advanced Server setup with a number of databases on it. Most of the databases have internal accounts setup on them. I recently created a database that I wanted to utilize the external authentication with. I set it all up and it was working perfectly. My problem... When someone outside of the domain attempts to login to a database it auto-populates the "Username" field with their windows username and the password field with 3 characters. Is there a way to stop that from happening? Ideally I don't want SSO at all, I was basically using the external authentication so that my internal staff don't have multiple passwords to worry about. Any ideas…

Well, I am stumped here. I have a client that may have to run their own Mac/Win server as their central IT dept is charging too much for hosting servers (cost recovery). I'd like to deploy FMSrvr using external authentication; I may need to run this on a Windows machine. The wrench in the plans is that the central directory services is Novell's eDirectory. In fact, the IT department removes the MS Client software on all workstations and installs the Novell one. My question: Can FMSrvr on Windows talk directory to eDirectory (LDAP) for the purposes of external authentication? All the documentation mentions only AD. As I also don't want to manage an AD installation, is…

IT Auditors from the State have descended upon us and are insisting that our FileMaker databases be setup to: 1) enforce a minimum password length, complexity, and age. 2) lock usernames after 5 incorrect login attempts I don't see a way to do that using internal FM authentication, so I've experimented with External Authentication in OS X Server OD. Everything seems to work, except that the FileMaker login doesn't enforce the OD password changes/expirations/etc. It seems to happily authenticate the first time, even though OD says that the password must be changed the first time. Many of my FileMaker users have no access to anything but the FileMaker da…

I have a FileMaker 9 Server (running on Mac OS 10.4 Tiger, not server) that is set up to externally authenticate to our Mac OS 10.4 Server (configured as an Open Directory Master). For the most part everything works great, I added the necessary groups (fm_supers, fm_admins, fm_casemanagers) to the Tiger Server, assigned the proper groups to the users and everything worked perfectly. The problem comes when I need to change the level of access an existing user has. For instance, I removed one of my members from the fm_casemanagers group and then assigned them to the fm_supers group (the user was not logged into any database while I made the update to group members…

Hi, I've just been splitting our Solution into SM (Separate Model). There are about 10 DB containing all the Data hosted on a W2k3 Server with FMS. I've now got one GUI file for the "Client Side" getting info from the FMS. The Problem is that the users are getting 10 Login boxes at start up, because obviously the FMS Authentication only works when the File is hosted on the Server. Has anyone come over this issue? How can I make it so the user only enters his/her Login info ONCE? Regards Ron PS: Why so many Data files? Because I've got several File Managers running on the Server and I want them separate.

Dear Forum, currently we run FileMaker Server 8 on Windows 2000 Server which authenticates against ActiveDirectory. It works fine. Now we want to change authentication against OpenDirectory. With the File Maker Windows Server I left the AD-domain and joined the OD-domain. According to the "Server Authentication" guide, the only relevant configuration option in File Maker Admin is, where you have to give the external server's IP or name. I changed it from the AD-DCs IP to the OD-DCs IP. By OD-Workgroup-Manager I added all groups to the OD, also existing in AD. I assured that the groups are also defined on the databases (of course, it wouldn't have worked ag…

I have around 50 users variously interacting with around 10 databases. Using internal (FileMaker) authentication, it is becoming increasingly cumbersome to maintain passwords across the various solutions. Resetting a password for someone, for example, may mean that I have to go an make the same chnage in each of 10 databases. For an easier life for myself and my users I am looking at implementing External Server Authenication. But after reading the FileMaker Paper on the subject, I still have a couple of big questions: (I apologise in advance if this is a bit long or confusing) 1. As these databases are in constant use now, I cannot afford to have any curre…

Hi guys, Have any of you tried External Authentication in Conjunction with Citrix? Is is necessary since users are Authenticated via the Citrix server anyway? I have been trying to construct an arguement with my coworkers about moving to External Authentication but they do not want to do it.

I have posted this before. However, even after working on it for sometime and reading various technical briefs, I am still encountering the same problem. Here is the scenario - We are converting a set of FIleMaker 6 databases to FileMaker 7 and want to use external server authentication. I have three machines. Machine 1 - Mac OS X Server 10.3.9. This server runs the open directory services and has all the groups and accounts configured as part of open directory. Machine 2 - Mac OS 10.4.10 - This machine runs the FileMaker Server Advanced 7. All the databases are served by this server. Machine 3 - Mac OS X 10.3.9 - This machine has the FileMaker Pro 7 client …

I have already posted a similar thread. But I am posting this after reading several articles and watching videos. Here is the scenario - We are converting all our filemaker 6 files to filemaker 7 files. We would like to use external server authentication. The open directory services is already up and running. I dont know if it is working properly because we never used it. I have three machines - Machine 1 - Mac OS X Server 10.3.9 - This machine runs the open directory services Machine 2 - Mac OS X 10.4.10 - FileMaker Server Advanced 7 runs in this machine Machine 3 - Mac OS X 10.3.9 - FileMaker Pro 7 client is installed in this machine and this machine access…

Hi All, I would sincerely appreciate anyone shedding some light on my problem. We are converting some databases from FM6 to FM7. So, we decided to go for external server authentication. I refered to thetech briefs concerning this and havetried for nearly a week with no luck. We have set the groups in the work group manager and introduced changes in filemaker file and also set the settings in the FileMaker Server7 advanced. Here is the problem- In the Directory Service tab of FM Server 7, I entered ip address of domain controller for Directory Service Name 389 -LDAP Port Distinguished name - I tried various combinations 1. ou=FileMaker,dc=abc,dc=def,dc=…

Hello! We just bought a FM Server 8 which will host our database on a LAN. Now I have to install FM Pro 8.5 on each workstation. What I want to happen is: Each staff member starts his workstation, logs onto his user account and automatically FM Pro starts and logs onto the shared database on FM Server 8. How do I organize this? The FM Server is on a Windows XP, the users all use Windows XP. Thanks, Hans

Hi All, First, thanks in advance for any help I get. We're running FileMaker Server 8 Advanced and using External Authentication to authenticate clients in our Windows (Active Directory domain). We've been checking the Security Log on our FileMaker Server and noticing some strange events. After users open up some of the files, an event with an id of 537 is generated. The status code is 0x80090308 and the logon process is a few (seemingly) encrypted characters. We're still able to use FileMaker (and no users have complained about connectivity issues) but we'd like to try and clear up this strange error if we can. Thanks, R Kaplan

Does anyone know if there is a way to enforce password changes with External Authentication from IWP connections? If this is not possible, how about a recommendation on a strategy involving passord changes that would not be so labor intensive from an administrator's perspective?

I have a somewhat complex scenario that I would like to simplify: Right now I have a single file database that contains ~200 filemaker accounts for the different users in our department. These accounts are used for scheduling equipment reservations via IWP and for accessing equipment workstations through a filemaker pro client in kiosk mode. I would like to move this to an external authentication scenario. The equipment workstations are XP pro machines but the attached hardware is set up such that only one specific locally authenticated admin account can control the hardware (don't ask me why the manufacturer set it up this way) If I use external auth in my f…

Wanted to see if anyone out there has experienced or knows of a way to fix a quirk we are seeing with Active directory authentication for our FileMaker Databases. Basic setup: Currently we are using FMP Advanced server and the Instant web publishing, to allow our employee's to enter their time and billing information for internal time auditing. currently we have the Authentication setup to interface with a windows 2003 AD domain. That being said the solution works well with the exception of our little quirk. Explanation of our quirk: Basically what is happening is that if a user fat fingers their domain password (only on the Instant web publishing log…

I have external authentication (AD) working with about a dozen databases. I am trying to set it up on two additional databases and it's not working. The same groups work in other databases, just not in the two problems. I checked the logs (/Library/FileMaker Server/Data/Event.log) but it only holds the successful authentication information. I am looking for the error in the failed auth attempts. Does anyone know where FM Server 8 Advanced (Tiger) would log it's authentication failures? tia Jack

I was wondering once we use AD to authenticate the user, is there any way of pulling the user information out of the AD Object component? When creating my users table in FM, I would rather it pull the data from AD considering that the name, title, email, location, phone, etc etc is all stored in AD anyway. TIA.

Hi guys, Here is a situation that I am coming up against... I have been sellig the idea of moving to External Authentication for the redesigned application that I am building. They have been cautious with my suggestions of moving to EA/AD. When I finally thought I was getting close to them agreeing with me, a point was made in which I could not directly give an answer for. Currently, the system admin can go and troubleshoot a user's account by logging in as that particular user and seeing what goes wrong. Their concern is that if we move to EA that they will no longer be able to log in as a particular user because the AD password can not be shared due to …

Hi, I just need to confirm that the following assumptions are right for external authentication using Active Directory. Assume I already have everything setup (Windows domain with domain accounts/groups created in AD and equivalent local accounts/groups created in FM). The domain will be "domain.com" The domain user account will be "[email protected]" The group name in AD and FM will be "FMgroup" The user account in FM will be "username". This account will be externally authenticated in AD. The user "username" will be a member of the FMgroup in AD 1.- The user logs into Windows domain. The user would not be required to log to FileMaker when openin…

Hi, I am building a web site for students in our short-course program to be able to log in & view their student records, etc. The front end of the site will be on an independent server running Apache & PHP. The site will use XML (or XSLT) to query a separate Filemaker database being served on another machine, using FM Server 8.0v4 Advanced running under Mac OS X 10.4. I understand that Server 8 Advanced can use an external auth server (i.e. Apple's Open Directory, in this case) to control user access to a database. Is there a way to make this same authentication process work using PHP calls to Filemaker Server? I.e., for example, a student goes to w…

Everyone, my company just rolled out a wave of Microsoft Updates: KB926255 KB929969 KB923694 KB925398 KB925454 KB920213 KB924270 KB923980 And now our single sign on External Authenticaion is not working. The accounts are being locked behind the scenes due to failed logins, and then the user is presented with the username and password dialog box to see available databases. This issue was just discovered this morning after the patches, and I don't at this time know exactly which update caused the problem, or if it's affecting both our Win2K and XP clients yet. When I know more I'll post it. I would be very cautious if you use EA and your us…

Hi- Is it possible to authenticate using a single user from a larger AD group, or would I have to create a new group with just that user?

Hi, I am new to FM and am now responsible with setting up a FMS8 on a Win2k3 server on an AD. Clients are WinXP but will use FMPro8.5 as published Citrix app. EA ("scenario 2") will be used since all users have AD accounts. Assuming groups are defined on AD domain controller and not on local server, how many groups are required? Is this related to how granular the security requirements are? From what I understand, FMS recognizes only group names and not usernames for authorization. Is "fmsadmin" a special group name that must be used for the administrative security group? Is this a local group on the server or global group on AD? Thanks in advance.

I have a few questions about how I can receive variables from external resources. I am running a few layouts via the Instant Web Publishing interface. It is a scholarship application for students in my department. The file is served up with Filemaker Server 8. The student will simply click the link and a startup script limits access to most options except data entry. The file is accessed using the Guest account. Currently I have them entering their own Student ID # (which I use as the unique ID), however, this doesn't prevent them from accessing other students records if they happen to know other's ID #'s. I have the potential option of receiving information fr…

I am setting up a file an considering deploying external server authentication for the first time as it seems to be the suggested method for management and security. I have a few questions. 1. If my user is logged on to there desktop and open my solution do they get challenged for there credentials again or does filemaker server automatically use the credentials of the logged on desktop? This would concern me if someone leaves there desk and an unauthorised member of staff opens the database. 2. I would like to log user preferences ... would i have to use the AccountName as the ID for the preferences? Note: The preferences will not store secure in…

FileMaker 8.0v4 Server Advanced on Windows 2003 server Client running Windows XP, SP2 When client was switched to a new computer, external authenticated no longer worked; in addition, client was then locked out of her domain account. The problem is only on this one computer and locks out any user who attempts to use SSO on this computer. The databases can be accessed using the domain account when SSO is by-passed. The problem has been fixed by de-selecting the security setting on the server "Display only the databases each user is authorized to access". However, we do not want to eliminate this security feature and we would like to understand what the problem…

I've got FM Server 7 running on a Windows 2003 box. This has been stable for a couple of years, and we have been using external authentication to domain groups in our Active Directory for the databases hosted on the server, as well as authentication through an fmsadmin group in the Active Directory for the server administration tool. Recently we have been unable to login to the server administration tool - we get a "login failed " error message, or just a failure with no error message - but the external authentication for the databases is still working fine. We noticed this problem after application of the last bunch of Microsoft patches, but we don't know if t…

I've got Fm7 talking to Active Directory and users in the primary domain can authenticate without issue. Recently a subdomain was created for users in another office. For some reason none of those users are able to authenticate. We're using the "SUBDOMAINUSERNAME" string for logging in, but it just doesn't allow them in. I've created a group on the subdomain, added it to the list of available accounts/groups on the database, and put user accounts in the group. So far nobody can access anything if they are a member of the subdomain. FileMaker support gave me the "we don't support external authentication" line, which was less then satisfactory. My …

Is there any way to disable SSO on Filemaker Server 8 ? This is the scenario: *Filemaker Server 8 (using External Authentication) *Windowns Domain controller using Active Directory *Filemaker Pro Advance 8 as the client. When I'm logged into my Windows XP machine, with my username/password that has both access to the domain and to the filemaker database. it does not ask me for my username and password when I open the filemaker files hosted on FMS-8. This would be great if I was the only user in my workstation. However, I don't like the idea that if someone leaves their computer on and not locked, someone else could just go and log-in into Filemaker.

Here's our setup: FileMaker server: Mac OS 10.3.9, FileMaker Server Advanced 7.0v4 Open Directory Server: Mac OS 10.4.7 FileMaker clients: Mac OS 10.3.9, Mac OS 10.4.7, Windows XP SP1 & SP2; all FileMaker Pro 7.0v3 The FM server is set to only show users the files they have access to. Each user is a member of 1 or more groups on the OD server. Each of these groups is set as an externally authenticated account in the relevant FM files on the FM server. The users/groups/files are all set correctly because any user can log in to the FM server and open the files they have access to from FileMaker Pro on any Mac client. Here's our problem: Wh…

I have multiple databases setup with about 40 users on both Win/Mac platforms. The DBs are served from FM Server 8 of a dedicated Win2003 server. All DB's use external server authentication of the server's local domain and so far I've been creating user accounts manually and it has been working great. But as the number of clients increases managing users is becoming more and more tedious, especially when users request a password change! It would be great if I could somehow manage these accounts from FM client. I have a bunch of vb scripts to automate tasks, but I just can't get filemaker to run them in the context of the server, i.e. the scripts run on the client machine.…

I'm currently re-developing a integrated 20-database solution from FMP6 to FMP8 for use on a central server. My current head-scratching is due to the question, "What should I do about user accounts?" I've been doing a bunch of reading (i.e. the Technology Brief on Filemaker Server External Authorization) and am thinking Ext Auth will not be my solution. From what I understand, Ext Auth has to do with authorization of network OS accounts, correct? Why I don't think it'll work: Originally, the databases were contained on a Mac OSX server running FMS5 (not sure if the new software will be FMS8 or FMSA8) and accessed by any one of four computers over the network. T…

Hi, I had a G5 running FM Server 7 in my office authenticating off of Windows (NT?) Active Directory at my company.. the group name was of the syntax companygroupname My company setup a Filemaker server on a windows box on a faster network with better backup routines.. so I figured I'd move my files.. the file that authenticates off of Active Directory stopped working. This is all the info I have right now... the authentication settings on the Windows Box (filemaker accounts only vs. filemaker + external, etc.) are the same as on my mac. Unfortunately, the PC is offsite and I don't have server admin rights, so I have to advise them as best I ca…

Hello I´m still running a NT4 domain controller in my network and would like to use it for authentication for my new FMS 8. Is that possible, and if so: how do I set it up? The admin manual isn´t much help I´m afraid. .

I am having no luck getting external authentication to work using FMServer 7 running on an OSX server authenticating against Windows Active Directory. I am presuming it should be possible to login to the FMPro file(s) without seeing any FMPro username/password dialogue box at all, provided the user is already logged on to the Windows network. Am I expecting too much? or just missing something? Can anyone talk me through it?

Hi, I would like to know if there is a way to use Windows credential instead of typing username and password on the home web page of IWP. Actually my users have to enter their username with this syntax: [domain][username]. I tried to configure IIS with Windows Integrated Security with no success. I use the external authentication function to define my users within my databases and it work very well with my Active Directory. Filemaker Pro clients can open database without entering username and password and security is now transparent to them. I would like to have the same result with Instant web publication. I’m using Windows 2003 SP1 with IIS 6 and File…

Hey all. I was wondering if there was a way to log account passwords. Sarah

I am trying to set up External Server Authenticated accounts using FM 8. I tried to build several accounts and then when I sent to save it would not accept my ID and password by running to server to check. I had to have a FM authenticated password to get this to work. Am I doing everything right? Can you all give me some tips for setting up External Server Authenticated?

I have a timesheet database to track the work done each week by each employee for 70 plus employees. Each employee can access his own record but not other employees. The directors can check all the records from their own department. My plan is to set up 70 passwords and define the same previleges for each password, except directors'. I will then write a script so I can decide what records they can access based on the passwords they use. It is not hard but it does not feel right to me. What if we have 200 employees? I just define password 200 times and set privileges for each one of them? The script is going to be very long too? Am I missing something here? Thank y…

Wish this was possible, seems like such a natural feature to have, even more so than authenticating off an LDAP server. Of course, you could do a script that checks against a password field on another file's custom users table, but it seems less secure/elegant than just using the built in security. Does anyone use one file to authenticate multiple solutions?

Hi, I am upgrading from 5.5 to 8. I administer a Windows 2000 domain. I would like to use the external authentication feature of FM Server 8. In my current version, I use SecureFM to eliminate all menus, and a personal logon system to authenticate users and audit / script user functionality. Users do not access FM files hosted in the server directly, but using an opener file. I do not understand how should I implement this in version 8. This are the steps that I do / do not understand right now: 1.- I create the privilege sets in FM. Is it compulsory to also create user accounts if I am going to use external authentication? (besides the administra…

I have an external Account in FileMaker database that matches a group on our Mac OS X Server xServe. There are three users that are members of this group. The external Account is assigned to a Privilege Set specific to to the OS X server group. Works great. However, by using External Auth, am I losing ability to use the Privilege Set password policy options (Allow user to modify their own password, must be changed every x days, minimum password length x characters)? When I set same account to be a regular FileMaker account, Privilege Set password policy options then seem to work. Open Directory password policies on OS X server apply to the server only I …

I want "Student" account to only show "Job Request.fp7" when they login. However "Student" needs access to "Job Request.fp7" and "Directory.fp7" because Job Request has a value-list populated from Directory. So because I gave read-only access to "Student" in "Directory.fp7", it shows up in the remote open list. I took out access for Student, and it doesn't show up... the problem is, I don't want "Student" to have access to "Directory.fp7" but "Job Request.fp7" populates a value-list using a File relationship to "Directory.fp7". So everytime "Student" tries to open "Job Request.fp7" FM7 tries to open "Directory.fp7", but "Student" doesn't have access. How can I make…

I was using FileMaker server 3.0.. My FileMaker files are open to all users in my corporation (Windows Active Directory environment). Any domain user can modify or even delete my files if they know file path to my files. I just don't feel comfortable about this, even though I know they won't do such things. Now we are migrating to FileMaker Server 7.0... Is there any documentation somewhere that I can review to secure files in the Windows environment? Thank you. Jackson

Hello, I've looked through about every post concerning this issue and can't seem to find what I'm looking for. Here is my problem: We use windows Active Directory, and let's say for example that it has a dns/domain name of example.net however, it has a netbios name of XMPL I have server 7 / server 7 advanced ( tried with advanced and without ) installed on a Windows Server 2003 box. They have been fully patched. The server shows up in the hosts listed by LDAP just fine, with the correct dn. Its the authentication that doesn't work. I have created groups in the domain and added domain users to them and it won't authenticate. After that di…

Here is my problem: I have external authentication set up but I want all my users to log in through ONE external group. Reasoning: we only want to use LDAP to get the person into the system. Once they are in, I can direct them through other groups set up inside of filemaker. The reason why I am doing this: In one table, I may want a group of users to see and search on "Current" records, but then ReLogin to another group to see "Archived" records. All my information can live in one table but I can filter the layout view by having them log in to another filtered group. This ReLogin process needs to happen inside filemaker, not from the external server (seem…

I am trying to get external authentication working with Server 7v2 on Mac OS 10.3.4 with a Mac OS 10.3.6 server set up as an authentication server. Suggestions from similar posts have not helped me here, so if some of you have been successful at getting this to work, please let me know what the things are that I should be checking. My OS X Server is has a static IP and a dns that is registered with our isp. It is set up as an Open Directory Master with LDAPv3 and an Administrator account. My FM Server is set up to use Filemaker and external accounts. Under Directory Services, my settings look like this: Directory service name: dir.mydomain.org Dist…

Hi, I'm having problems getting External Authentication to run properly and consistently. Here's the configuration: FMS7 running on NT4 with latest sp, IIRC, but see note below * FMP Groups set up in Active Directory on the AD machine FMP Groups set to logon as a service on AD machine Database files set with identically named Accounts as AD FMP Groups, assigned priv set with varying levels of access FMS7 set to authenticate using FM and External Authentication After monkeying around and applying various patches (server v2 patch, client v3 patch) I got this to work - for awhile, anyway. What's happening is various Groups will no longer authenticate…

Hi In my solution on FMP6 I had around 5000 users. I built a whole security and permissions backbone on my own. Now, with FMP7 I don't need it anymore...But there is a small problem.. I don't want to create 5000 new acounts... So, my question is If I have a table with all the users and their password, do you think there is a way to link between this information and the built-in security in FMP7? Is there a way to give Group permissions in anyway (and still be able to login with any account?) am I making any sense...??

I have a LDAP Server in my enterprise and FileMaker Server. I want the same passwords on the two places. I don't understand the utility to registrer FileMaker Server on LDAP Server. Explain me this and the processus to make this. Thanks !

First thing is I am a producer, not a programmer, so my question will not be couched in technical terms. But I have an issue concerning a runtime FM database distributed on a CD ROM, and don't feel my programmers' explanation adequately explains it. This is a Membership Directory produced for a client who distributes it to their members. The first time someone inserts the disc into a PC (they said also Mac but may be mistaken) they see a log-in screen before they open the program. All they have to do is hit cancel to proceed, but there is no reason for this screen to be there and we would like to remove it. My programmer says inserting the disc is automatically creating …

This is a continuation of this tread . Thought I should move it here for a continued discussion about an algorithm for propagating account and password changes to multiple files in FM7. Fenton & Vaughan, If I understand the algorithm correctly, this is how it works: New Account The name of a new account is entered in a field The password for that account is entered in a field A group is selected for this account A new account is created with that name, password, and group in the current file A new account is created with that name, password, and group in every other file Change Password A global is set with the current account nam…

Hello again, Hope you're not too sick of me yet, here's another issue. I'm reading that FMP 5.5 and 6.0 will support LDAP or Windows Domain Authentication. I am not 100% certain, but I think both will allow the user to log into the specific server first (with User Name and Password), and then log into the FileMaker Server. Am I off the track here? If this is the case, it would obviously increase security of FileMaker with additional layer. Which technology is better and easier to implement in MAC/PC mixed environment: the LDAP or Windows Domain Authentication? Thanks

I've designed my own login in system for my database. It's made up out of several fp5 databases which uses the global fields SessionUsername and SessionLevel to track users and for their access rights. In SessionLevel I store a number from 0 to 9 which represents the access level of the user (0 = no access to the database, 9 = all the rights). Now I'm designing a database for the whole company which will be used by almost every department. In this database I'm also going to use the same custom built login system to track users and for their access rights. But with a small difference which makes it more complex. I want to have for every department a seperate …

I have a database that has sensitive information in it and I want to make it password protected. Instead of using the filemaker pro access privledges I would like to tap into our corporate LDAP authentication server for access provledges that way everyone just has to remember one password instead of several. All of my IT buddies are doing it with their MS Access databases and the Windows IIS Servers. I want to show them that FileMaker Pro can do everything that Access can do and more. I have all of the info for our LDAP server but I don't know where to start with it all. Is this even possible? I can host this solution from either a Mac or a Windows 2000 Server. In additi…