Enzo Posted October 13, 2004

I'm having trouble getting external authentication to work on FilemakerPro Server 7. I am attempting to use Windows domain authentication.

* I have the user set up in the database for external authentication.
* The user is set up to log in as a service on the fmpro server and domain controllers.

When I attempt to log in, the user doesn't authenticate, and keeps getting reprompted for username/password. Any ideas would be very helpful.

Thanks, Enzo

Wim Decorte Posted October 18, 2004

Check this:

- the user belongs to a domain group
- does the FM account set up to authenticate externally match the name of the group the user belongs to?
- is that account enabled in the FM file?
- is the privilege set associated with that account set to allow log in to the file?
- is the FMS7 box a member server of the domain?

Enzo (Author) Posted October 18, 2004

I've verified that I'm meeting all the Filemaker requirements for external authentication. From the NT security logs, I can even see the filemaker users successfully authenticating in active directory. Filemaker Pro just keeps reprompting for a logon.

I called Filemaker about the problem, and they said it's probably a permissions issue, but it would be the end of the week before they could help! I guess their support isn't what it used to be. If anyone else has had this problem and found a solution, any help would be appreciated.

- Enzo

Wim Decorte Posted October 19, 2004

Are you really running NT? Or Windows 2000 or Server 2003? I'm not sure the AD on NT is the same as 2000/2003 and those are the minimum requirements.

Also if you are running 2000/2003: check the resultant set of policies since you've added the users to the 'log on as a service' on both the local machine and the domain. One might be conflicting with the other. For a pure Windows AD network, the 'log on as a service' is not even necessary.

Is the FMS machine part of the domain?

Enzo (Author) Posted October 19, 2004

Thanks for your reply. I'm using Windows 2000 SP4 on all of the servers and clients. The "log on as a service" right is not a problem. Windows 2000 logs an error to the security log when a user doesn't have this right. This error is not appearing.

What seems to be happening is that the FM Server is trying to authenticate the user locally, and the server logs the security event, 529 - unknown user or password. The domain listed on this event is the local server name, not the domain name of AD.

This is definitely a fun one.

Ciao, Enzo

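The symptom described in the post above (event 529 whose Domain field is the member server's own name rather than the AD domain) can be checked across an exported Security log. This is an added example, not part of the original thread; the host FMSERVER, the domain EXAMPLE, the user names, the abbreviated event text and the dict layout of an exported record are all constructed assumptions.

```python
import re

# Constructed, abbreviated event descriptions in the Windows 2000 "field: value" style.
DESC = ("Logon Failure:\n\tReason:\t\tUnknown user name or bad password\n"
        "\tUser Name:\t{user}\n\tDomain:\t\t{domain}\n\tLogon Type:\t3\n"
        "\tWorkstation Name:\t{ws}\n")

# Assumed export layout: logging computer, event ID, description text.
SAMPLE_EVENTS = [
    {"computer": "FMSERVER", "event_id": 529,
     "description": DESC.format(user="dbuser1", domain="FMSERVER", ws="CLIENT01")},
    {"computer": "FMSERVER", "event_id": 529,
     "description": DESC.format(user="dbuser2", domain="EXAMPLE", ws="CLIENT02")},
    {"computer": "FMSERVER", "event_id": 528,
     "description": "Successful Logon:\n\tUser Name:\tdbuser1\n\tDomain:\t\tEXAMPLE\n"},
]

FIELD_RE = re.compile(r"^[ \t]*([A-Za-z ]+?):[ \t]*(.*)$", re.MULTILINE)


def parse_fields(description):
    """Turn the 'Name: value' lines of an event description into a dict."""
    return {key.strip(): value.strip() for key, value in FIELD_RE.findall(description)}


def failed_logon_scope(events, ad_domain):
    """For each 529 event, report which account database the logon was checked against.

    'local'  -> Domain field equals the logging computer (local accounts were used)
    'domain' -> Domain field equals the AD domain (a genuine bad domain credential)
    'other'  -> anything else, e.g. a trusted domain or a mistyped name
    """
    results = []
    for event in events:
        if event["event_id"] != 529:
            continue  # only logon failures for unknown user or bad password
        fields = parse_fields(event["description"])
        target = fields.get("Domain", "").upper()
        if target == event["computer"].upper():
            scope = "local"
        elif target == ad_domain.upper():
            scope = "domain"
        else:
            scope = "other"
        results.append((fields.get("User Name", ""), scope))
    return results


if __name__ == "__main__":
    for user, scope in failed_logon_scope(SAMPLE_EVENTS, "EXAMPLE"):
        print(f"{user}: failed logon evaluated against {scope} accounts")
```

A run of "local" results for accounts that exist only in the domain points at where the server is looking the account up, not at the password.
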
Wim Decorte Posted October 20, 2004

Two questions then:

- is the FMS machine a member of the domain (member server) or is it a standalone server? And it is not the domain controller, right?
- double-check your FMS configuration: do not toggle "use filemaker and local accounts" but "use filemaker and domain accounts"

Enzo (Author) Posted October 20, 2004

Thanks for your reply. The Filemaker server is a member of the domain, but not a domain controller. It is set up to use domain accounts (not local).

Thanks, Enzo

Wim Decorte Posted October 21, 2004

Then I'm at a loss what could be causing this. I've set up many FMS to authenticate externally and never had a problem. Since FMS hands off the authentication request to the OS, I suspect an OS misconfiguration.

Can you log in to the FMS box with one of the domain user accounts?

Enzo (Author) Posted October 21, 2004

This is definitely a difficult problem. I can log into the fm server fine with a domain user account. The FM Pro client will display all the databases when I click on remote. The security logs show that it correctly identifies the user in AD. Then, it rejects the logon to the database, and logs 529 errors.

When you set up an account in the client for external authentication, do you have to specify the domain in a special way? Example: dbgroup or mydomain\dbgroup?

Thanks, Enzo

Wim Decorte Posted October 22, 2004

No, you don't have to specify the domain at all. The toggle in FMS (local accounts or domain accounts) takes care of that.

Can you give us this information:

- name of the domain account you try to log in with
- names of the domain groups that account belongs to
- names of the accounts set up in the FM file

Since you have an all Windows network: are the users already logged into the domain (through their workstation) when they want to open the files? If so, they shouldn't get prompted for a username/pw to access the fm files at all.

laker_42 Posted October 26, 2004

You might try installing the latest update for FM Server. Here is the link to it:

http://fmdl.filemaker.com/UPDT/fms/Win/7/fms_70v2_win_updater.zip

After installing this, I was finally able to get external authentication to work on our system.

HTH, John

Wim Decorte Posted October 27, 2004

FMSv2 introduces some major changes to the EA model. All for the better.

Walter B Posted October 27, 2004

I just installed the v2 patch to my FMS 7 server. External authentication against the Domain Controller is now working.

Enzo (Author) Posted October 27, 2004

http://fmdl.filemaker.com/UPDT/fms/Win/7/fms_70v2_win_updater.zip fixed the problem!

Remind me never to be an early adopter again! :grin:

sdeyell Posted October 27, 2004

Did anyone notice that after installing the 7.02 Server, that the external authentication options are gone in the Security tab? I used to be able to select either "Use local user accounts" or "Use domain user accounts" but now I can't. So which one is Filemaker using now and how do I choose between them?

The most ridiculous thing is that all the documentation and the help file still talk about choosing between those two options, but they don't exist now! Anyone know anything about this?

Hurican Posted November 5, 2004

Try installing the v2 update patch for server. This has solved the issues with many of my customers.

Walter B Posted November 8, 2004

My guess is that it is now using a similar decision tree to the OSX version. Tries to authenticate to the local server first, and then extends the search out to the domain. I haven't tried this yet, but I'll let you know my result when I do.

Wim Decorte Posted November 21, 2004

Hi Grant,

You shouldn't see the "local" or "domain" options after upgrading. If you're using the SAT tool remotely, make sure your SAT tool is upgraded to v2 too.

FMS7v2 now adopts this policy: if the FMS machine is a member of the domain it will try to authenticate the users on the domain. If it is a standalone machine it will look at the local accounts. You can force a domain server to look locally by entering the credentials in the UNC format (machineName\user) but apparently due to a bug in v2 this does not work.

VFXdbGuy Posted November 22, 2004

Maybe it is because I am using the dev version of Filemaker Server. I can see how it might be useful to maintain both options when testing.

BTW, what is the SAT tool?

laker_42 Posted November 23, 2004

The dev version shouldn't make a difference. It is the same as the regular version but it just limits the number of connections to it.

John

VFXdbGuy Posted November 23, 2004

After the update to v2 the FileMaker services fail to start and cannot be started manually. Sheesh