Single Sign On Failure with External Accounts


This topic is 809 days old. Please don't post here. Open a new topic instead.

I am running into an issue with SSO using FileMaker Server 19 for certain group users. The FileMaker server is hosted through VM using Microsoft Windows Server 2106 DataCenter.

I have set up three user groups with different privilege sets. The groups have been set up as part of a security group within my organization. The behavior I am seeing is that it is always the first group listed on the priority list under the Manage Security tab that is allowed to log in, while other users at lower priority cannot log in.

FileMaker log error shows the following:

2022-02-03 13:08:25.374 -0600    Information    730    vm-001    SECURITY: Client "(NXL) [10.xx.xx.xx]" single sign-on authentication failed on database "Assets.fmp12" using "nxl [fmapp]".

Has anyone run into a similar situation?


What identity provider are you using?  Just regular AD?

If you move a user from the first group to the second they cannot log in?

Make sure to turn off all auto-login settings in your FM file and don't use a launcher file as these will try to auto-propagate and can lead to false negatives in your event log.

 


I am using AD. Correct, a user will not be able to access if they are moved from the top of the priority list to the lower one.

I am using the default "Asset" database from FileMaker. I don't have auto login set up.

I am wondering if there is a compatibility issue with Windows Server 2016 Datacenter.


No, it is not an incompatibility with your version of server.

Having said that: what (exact) version of FMS and FMP clients are you using?

And are the clients on a Windows workstation (what version) and already logged into their machine with an AD account?

For the account where login works, what do these two functions return: Get(AccountType) and Get(AccountGroupName) 


Hi Wim,

I am using version 19.4.2.204 for the FM server and client. The same issue is occurring with WebDirect, where certain users cannot log in. I checked with IT and my company and we are using Single Sign On Authentication.

Yes to your question about whether clients are logged in to their machine using their SSO.

I checked the AccountName and GroupName for the users who can log in and they are showing the correct username and security group name.

Thank You


2 hours ago, fm-texas said:

we are using Single Sign On Authentication.

and

2 hours ago, fm-texas said:

clients are logged in to their machine using their SSO.

 

SSO doesn't say much; it's a generic term to indicate that users only need to authenticate once and can use various resources without being prompted again for their credentials.

Since users can log into the solution and the Get() functions return the correct AD group we know that FM's external authentication works and that FMS is set up correctly.  The rest is the setup in the file itself and that's probably where your issue is.  But without seeing the details there is very little we can do.


I am using the default "Assets" database file from Claris. There are no changes to the database. I am seeing the authentication issue on several independent databases, some of which are the default ones "Assets, Contacts-file and FMServer_Sample". The only change I made is adding user groups in the Manage Security tab.


9 hours ago, fm-texas said:

The only change I made is add user groups into the manage security tab.

That and the associated privilege set are the only changes in the files that are required.  And since it works for one AD group, we know the mechanism works.  Since it does not work for other AD groups, the usual suspects are:

- FM group names don't match exactly the AD group name

- priv set associated with the FM Group doesn't have the right privs (like fmapp to be able to access the hosted file)

- user doesn't belong to the AD group

 


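The first and third suspects in the last reply (group name mismatch, user not in the AD group) can be checked from a domain-joined Windows machine. This is an added example, not part of the original thread: the group and account names are constructed placeholders, the RSAT ActiveDirectory module is assumed, and because the thread does not say which AD attribute FileMaker compares against, both Name and SamAccountName are tested. The privilege-set check (fmapp) still has to be done in FileMaker's Manage Security dialog.

```powershell
# Added example. Group and account names are constructed placeholders.
Import-Module ActiveDirectory   # RSAT Active Directory module (assumed installed)

# Group names exactly as typed in FileMaker's Manage Security, and one user who cannot log in.
$fmGroups = @('FM-Assets-Admins', 'FM-Assets-Editors', 'FM-Assets-Viewers')
$userSam  = 'jdoe'

$user = Get-ADUser -Identity $userSam

$report = foreach ($fmName in $fmGroups) {
    # AD filter comparisons ignore case, so a near-miss in FileMaker still finds the candidate group.
    $needle = $fmName.Trim().Replace("'", "''")
    $group  = Get-ADGroup -Filter "Name -eq '$needle' -or SamAccountName -eq '$needle'" |
              Select-Object -First 1

    if (-not $group) {
        [pscustomobject]@{ FmGroup = $fmName; AdGroup = $null
                           ExactMatch = $false; UserIsMember = $false }
        continue
    }

    # -ceq is case-sensitive; comparing the untrimmed FileMaker value also exposes stray spaces.
    $exact = ($fmName -ceq $group.Name) -or ($fmName -ceq $group.SamAccountName)

    # -Recursive flattens nested groups down to their user and computer members.
    $members  = Get-ADGroupMember -Identity $group -Recursive
    $isMember = @($members |
                  Where-Object { $_.DistinguishedName -eq $user.DistinguishedName }).Count -gt 0

    [pscustomobject]@{
        FmGroup      = $fmName
        AdGroup      = $group.Name
        ExactMatch   = $exact
        UserIsMember = $isMember
    }
}

$report | Format-Table -AutoSize
```

A row with ExactMatch or UserIsMember set to False points at the corresponding suspect for that group.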