LaRetta Posted December 29, 2005

I'm learning networking as quickly as possible. I've been asking a lot of questions and I appreciate your patience with me. Before we purchased Server 7 Advanced, we were networked LAN (I think) or maybe peer-to-peer. On each workstation when system reboots, it requests Windows UserName and Password. So when I set up privilege sets in FM, I duplicated the identical UserName and Password. In this way, our opener would open the host file and FM would pre-fill same UserName. User then just typed their same password to access FM. It was simple for them.

We are now properly served and I've been wondering how to fix this problem. It seemed low on my priority list until today ... I can't even access layouts from my computer - not even as Admin!! This is very very bad. Originally, Owner wanted Windows systems to be password protected. But as I told him today ... our systems stay ON so it's moot whether we have Windows passwords or not!! Or is it?

If I need to make changes to Windows passwords on each system; if I need to change our Privilege sets; or if I need to configure our new server differently, now is the time. I MUST have design access from my computer - I have [full access] but it still won't let me go to layout mode!

Reading the (thin) server manual, it explained where to go and what to do - allow remote access fmsadmin group. But it DOESN'T tell me what to put in there! Do I just type my Windows password? I'm afraid to make a mistake here because I'm afraid it then won't let me in to even close our files!!

Since we don't really depend upon Windows logon, should I remove that from each computer? Would that make administration of our network simpler? Owner agreed we don't need Windows login but neither of us knows if we really do or don't. Things seem so confusing when new. Please help me get into design! I need to wrap myself around this concept - and as quickly as possible!
LaRetta Windows 2003 Standard Edition, FMS 7.03
Wim Decorte Posted December 29, 2005

If you want to integrate the Windows accounts in the FM solution, then we're talking about EA. The External Authentication tech brief does a good job of explaining the two basic scenarios for EA: accounts on the FMS box or accounts in the Active Directory. Lots of screenshots on how to set it up too. (Steven posted a link to the tech brief on the main FMforums page).

First thing you'd need to find out is whether an Active Directory is in use. The tech brief explains how to do that. Once you know that, post back and we'll take it from there.
Wim Decorte Posted December 29, 2005

> Reading the (thin) server manual, it explained where to go and what to do - allow remote access fmsadmin group. But it DOESN'T tell me what to put in there! Do I just type my Windows password?

The setting here is for access to the Server Admin Tool (SAT), it won't do anything for admin access to your solution. You probably still have a full access account & pw in your files, so hold down the shift key when you open a file and you will get prompted for a user name and pw. Instead of the Windows one, enter your FileMaker one.
Steven H. Blackwell Posted December 29, 2005

Much of this is covered in the Tech Brief as Wim notes, in the mid 2004 FileMaker Pro Advisor article, and, dare I say, in FileMaker Security: The Book. You can't just blindly charge into these things and expect them to work. That's why all these resources were prepared. LaRetta, this is not to pick on you; that applies to all of us.

Steven
LaRetta Posted December 29, 2005 Author (edited)

I was supposed to design an FM program and I am doing just that. I did NOT know I also had to be a network admin and learn about routers and DHCP and permissions and Domain Controllers and such. If someone has been exposed to networking, these phrases make sense so reading the pdf's makes sense. But to someone that knows nothing about networking, even these resources can be confusing. Truth is, I may just put us back to pre-server until I have the TIME to do it right ... I can't stretch any thinner than I am presently doing. Thank you both very much for your help. :wink2:

Edited December 29, 2005 by Guest
Rephrased the whole post
Wim Decorte Posted December 29, 2005

> I did NOT know I also had to be a network admin and learn about routers and DHCP and permissions and Domain Controllers and such. If someone has been exposed to networking, these phrases make sense so reading the pdf's makes sense. But to someone that knows nothing about networking, even these resources can be confusing.

Your desire to make this work marks you as an above-average developer. Most would just shrug, say "not my problem" and walk away. Or even worse, set something up that sorta kinda worked and not understand the consequences of what they're doing. At the end of the day the client would end up being mad at the developer and disgusted with FileMaker and by extension we would all look bad.

At least you're asking for help and you're going to get it. This networking stuff can look and sound scary, but it's not. Once you've gone through this learning curve, you'll see that you'll be able to not only deploy FM like it should, but also design your solutions better. But do schedule some time to learn this stuff without putting you in a crunch.
LaRetta Posted December 30, 2005 Author

Well, I read the entire pdf on external authentication TWICE while driving to work this morning. Aren't you glad you weren't on the road? I was ready!! But, from the sound of it, we aren't externally authenticated at all.

ipconfig /all (on FM server) shows:

Host Name: Filemaker 2003
Node type: Unknown
IP Routing Enabled: No
Wins Proxy Enabled: No
Ethernet Adapter
DHCP Enabled: No
Default Gateway: 192.168.0.1
DNS Servers: 216.174.194.53 and 216.174.193.54

The blue boxes: One is FVL328 Netgear Cable DSL highspeed VPN Firewall. The other is Netgear Auto Uplink Ethernet switch FS116 10/100 mbps. I couldn't find where our phones come into the building so I can't tell you anything about our modem.

Holding down the shift will not let me into design. Our opener file (on each desktop) does not ask for password but our Main file does. When it asks for account name and password, I've tried both of mine - my regular computer user name (same as my windows logon) and I've also tried Admin. Both have full access (in FM) and have let me into design pre-server and stand-alone. Neither password/account would let me into design - either when using shift or not.

I now know enough about external authentication to decide that I don't think we want it anyway. BUT ... our network server Active Directory lists each employee as a User (part of a group?). My 'FM AccountName', which has [full access] in FM is listed in there! Of course, the Admin AccountName and password aren't listed in Active Directory because Admin isn't a computer user. But it shouldn't care because we're not externally authenticating anyway! Or are we?

In SAT Security, I've tried both FM Accounts Only and FM & External. Neither works when applying the above shift and various password/account names. Secure Connections is unchecked. It kind of feels like we're half-stepped across a creek here ... using Active Directory but not External Authentication.
I'm learning what we're NOT ... but not what we ARE. Ideas appreciated more than I can convey ... LaRetta
LaRetta Posted December 30, 2005 Author

I read the pdf again tonight. And, after studying our work situation today (and the screens), it actually makes a lot more sense! I kinda like EA now (I think)!! Here is what I missed before:

"As long as there is a Group assigned in FileMaker Pro that matches a domain or Local Group, authenticated external Accounts that are members of those Groups can access the FileMaker Pro files with privileges defined by the privilege set attached to the Group in FileMaker Pro."

That's it, I think!!! It happens in Edit Account in FM. I need to change my FM file Accounts to 'authenticate via external server' and specify the Group! Currently in Edit Account, I'm pointed to FileMaker and [full access]. Oh. But it still should have worked because FM Server would have handled the authenticating. And I'm not sure if our network server is acting as Domain Controller just because it has a Group. Maybe it is a Local Group?

But it's starting to make a lot more sense!! And NO, I am NOT going back to pre-server - I can do this puppy!! Maybe I'll need some help yet but I'm less intimidated by it. I don't want to CHANGE anything while it's being served (that still scares me) but at least I'm beginning to see the bigger picture! And by using EA, maybe we can eliminate the 50 folders from all the computers that are currently being shared ... maybe. That is a constant PITB.

THANK YOU FOR THE PDF!! Guess what I'll be working on over the New Year's holiday while the network isn't being used. Now I'm even excited about it!!!

LaRetta
Steven H. Blackwell Posted December 30, 2005

It is not reasonable for your owners to expect you to be a network admin as well as a database programmer unless they have trained you to be a network admin. You might want to look in your local area for a competent IT company to come in and set up your network and servers according to correct specifications.

Steven
Wim Decorte Posted December 30, 2005

The 192.169.0.1 machine is the Netgear Router (the FVS328). That one can act as a DHCP server, so download the manual if you don't have it: http://www.netgear.com/products/details/FVS328.php

Don't worry about its VPN settings, that's another haystack to roll into. The DNS addresses are those provided by the ISP, that's good. No need to change those unless you have an internal DNS Server.

The other Netgear is nothing but a switch (directing traffic inside the network) as opposed to the Netgear router (directing traffic both inside the network and with the outside network / internet).

I would suggest getting familiar with how the router is configured in case it does act as the DHCP server. Like I mentioned in the other thread, this has nothing to do with External authentication though, but it's something you should look into for the network stuff.
mf Posted January 16, 2006

I have read this thread with interest as I've just installed FMSA and I am planning to use External Authentication (with Active Directory). It is now working for me and here are 2 things I have to share:

- "fmsadmin" has to be the name you use, I would have liked to call it something else so it made sense for the whole organisation (we have a different naming convention). Besides I have not found a way in FM Admin tool to pick a different name.
- Consider the synchronization time, our network has multiple domain controllers, so if you create a group and change its membership or create a new user, it might take time before it is recognised by FM Server (for us it can take up to 30 minutes).

This might be obvious to some of you but it was not for me when I had my nose up too close... (I was wondering if fmsadmin had to be local or global, it does not look like it makes any difference, so I picked global).
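
The three questions the thread keeps returning to (is the machine in a domain at all, is the group local or in the directory, and has a membership change reached every domain controller yet) can be checked from one script. This is an added example, not part of the original posts or of FileMaker's documentation; it assumes Windows PowerShell 5.1 or later with the RSAT ActiveDirectory module for the domain checks, uses the `fmsadmin` group name from the thread, and `jdoe` is a hypothetical account name.

```powershell
# Added example: 'fmsadmin' is the group named in the thread; 'jdoe' is a
# hypothetical account. Run on the server that hosts FileMaker Server.
param(
    [string]$GroupName = 'fmsadmin',
    [string]$Account   = 'jdoe'
)

# 1. Is this machine joined to a domain, or only in a workgroup?
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
"{0}: PartOfDomain={1}, Domain/Workgroup={2}" -f $cs.Name, $cs.PartOfDomain, $cs.Domain

# 2. Does a LOCAL group with that name exist on this box, and who is in it?
$local = Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue
if ($local) {
    "Local group '$GroupName' exists; members:"
    Get-LocalGroupMember -Group $GroupName |
        Select-Object Name, ObjectClass, PrincipalSource
} else {
    "No local group named '$GroupName' on this machine."
}

# 3. If domain-joined, ask EVERY domain controller separately. A DC that has
#    not yet received the change will report the account as a non-member,
#    which is the replication delay described in the last post.
if ($cs.PartOfDomain) {
    Import-Module ActiveDirectory -ErrorAction Stop
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $members = Get-ADGroupMember -Identity $GroupName `
                -Server $dc.HostName -Recursive -ErrorAction Stop
            [pscustomobject]@{
                DomainController = $dc.HostName
                AccountIsMember  = ($members.SamAccountName -contains $Account)
                Error            = $null
            }
        } catch {
            # Group not found on this DC, or the DC could not be reached.
            [pscustomobject]@{
                DomainController = $dc.HostName
                AccountIsMember  = $false
                Error            = $_.Exception.Message
            }
        }
    }
}
```

If the per-controller rows disagree, the change has not finished replicating, and a login failure at that moment says nothing about whether the group or account was set up correctly.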