I'm having trouble getting external authentication to work on FilemakerPro Server 7. I am attempting to use Windows domain authentication.

* I have the user setup in the database for external authentication.

* The user is setup to log in as a service on the fmpro server and domain controllers.

When I attempt to log in, the user doesn't authenticate, and keeps getting reprompted for username/password.

Any ideas would be very helpful.

Thanks,

Enzo

Check this:

- the user belongs to a domain group

- does the FM account set up to authenticate externally match the name of the group the user belongs to?

- is that account enabled in the FM file?

- is the privilege set associated with that account set to allow log in to the file?

- is the FMS7 box a member server of the domain?

I've verified that I'm meeting all the Filemaker requirements for external authentication. From the NT security logs, I can even see the filemaker users successfully authenticating in active directory. Filemaker Pro just keep reprompting for a logon.

I called Filemaker about the problem, and they said it's probably a permissions issue, but it would be the end of the week before they could help! I guess their support isn't what it used to be.

If anyone else has had this problem and found a solution, any help would be appreciated.

- Enzo

Are you really running NT? Or Windows 2000 or Server 2003?

I'm not sure the AD on NT is the same as 2000/2003 and those are the minimum requirements.

Also if you are running 2000/2003: check the resultant set of policies since you've added the users to the 'log on as a service' on both the local machine and the domain. One might be conflicting with the other. For a pure Windows AD network, the 'log on as a service' is not even necessary.

Is the FMS machine part of the domain?

Thanks for your reply. I'm using Windows 2000 SP4 on all of the servers and clients. The "log on as a service" right is not a problem. Windows 2000 logs an error to the security log when a user doesn't have this right. This error is not appearing.

What seems to be happening, is that the FM Server is trying to authenticate the user locally, and the server logs the security event, 529 - unknown user or password. The domain listed on this event is the local server name, not the domain name of AD.

This is definitely a fun one.

Ciao,

Enzo

Two questions then:

- is the FMS machine a member of the domain (member server) or is it a standalone server. And it is not the domain controller right?

- double-check your FMS configuration: do not toggle "use filemaker and local accounts" but "use filemaker and domain accounts"

Thanks for your reply. The Filemaker server is a member of the domain, but not a domain controller. It is setup to use domain accounts (not local).

Thanks,

Enzo

Then I'm at a loss what could be causing this. I've set up many FMS to authenticate externally and never had a problem. Since FMS hands of the authentication request to the OS, I suspect an OS misconfiguration.

Can you log in to the FMS box with one of the domain user accounts?

This is definitely a difficult problem. I can log into the fm serverfine with a domain user account. The FM Pro client will display all the databases when I click on remote. The security logs show that it correctly identifies the user in AD. Then, it rejects the logon to the database, and logs 529 errors.

When you setup an account in the client for external authenication, do you have to specify the domain in a special way. Example: dbgroup or mydomaindbgroup ?

Thanks,

Enzo

No you don't have to specify the domain at all. The toggle in FMS (local accounts or domain accounts) takes care of that.

Can you give us this information:

- name of the domain account you try to log in with

- names of the domain groups that account belongs to

- names of the accounts set up in the FM file

Since you have an all Windows network: are the users already logged into the domain (through their workstation) when they want to open the files? If so, they shouldn't get prompted for a username/pw to access the fm files at all.

You might try installing the latest update for FM Server. Here is the link to it: http://fmdl.filemaker.com/UPDT/fms/Win/7/fms_70v2_win_updater.zip

After installing this, I was finally able to get external authentication to work on our system.

HTH,

John

FMSv2 introduces some major changes to the EA model. All for the better.

I just install the v2 patch to my FMS 7 server. External authentication against the Domain Controller is now working.

http://fmdl.filemaker.com/UPDT/fms/Win/7/fms_70v2_win_updater.zip fixed the problem!

Remind me never to be an early adopter again! :grin:

Did anyone notice that after installing the 7.02 Server, that the external authentication options are gone in the Security tab? I used to be able to select either "Use local user accounts" or "Use domain user accounts" but now I can't. So which one is Filemaker using now and how do I choose between them? The most ridiculous thing is that all the documentation and the help file still talk about choosing between those two options, but they don't exist now! Anyone know anything about this?

Try installing the v2 udpate patch for server. This has solved the issues with many of my customers.

My guess is that it is now using a similiar decision tree to the OSX version. Tries to authenticate to the local server first, and then extends the search out to the domain. I haven't tried this yet, but I'll let you know my result when I do.

I still see those options after upgrading

Hi Grant,

You shouldn't see the "local" or "domain" options after upgrading. If you're using the SAT tool remotely, make sure your SAT tool is upgraded to v2 too.

FMS7v2 now adopts this policy: if the FMS machine is a member of the domain it will try to authenticate the users on the domain. If it is a standalone machine it will look at the local accounts.

You can force a domain server to look locally by entering the credentials in the UNC format (machineNameuser) but apparantly due to a bug in v2 this does not work.

Maybe it is because I am using the dev version of Filemaker Server. I can see how it might be useful to maintain both options when testing.

BTW, what is the SAT tool?

The dev version shouldn't make a difference. It is the same as the regular version but it just limits the number of connections to it.

John

After the update to v2 the FileMaker services fail to start and cannot be started manually.

Sheesh