FMServer 8 hosted on Win2003 with some clients Win2K and WinXP, some OS X. Still under development. The windows clients are members of an Active Dir. domain, as is the server, which is set to external authentication & SSL. This logs the windows clients in automatically. User jimbob in AD appears as jimbob in Get(AccountName). Mac OS X clients have to authenticate twice, once to the server and once to the first file. But if you come in through mac os x, you have to use DOMAINNAMEjimbob for it to recognize you, so Get(AccountName)="DOMAINNAMEjimbob".

So far so good. But the system tracks usage (modified, created, etc.) by account name. If your username is jimbob and you come in through windows, you appear as jimbob, but via Mac and then all the modifed (etc.) fields show you as DOMAINNAMEjimbob.

Most users are not switching platforms, but they certainly could, and I need to be able to count on the username matching exactly for certain scripts. I could kludge around it by giving users two possible account names in the user management portion of the system, but that's bad in principle and bad for future maintenance.

Has anyone else seen this behavior? Should I try some different settings for the external server authentication? The server and windows client machines are members of SUBDOMAIN.DOMAINNAME, but the users are members of just DOMAINNAME. I don't think I have the option of joining the server to just DOMAINNAME. This may explain why the mac clients need DOMAINNAME specified ahead of the username.

Thanks ahead of time for any tips.

This is a known issue with the OSX Directory Access AD feature. First time we saw this was in 10.3 and I haven't retested on the the recent 10.4 updates to see if it's still there.

You can solve this by stripping out the domain name from the get(accountname) function. Then you don't have to worry about changes to OSX that fixes this bug or not.

You're right. It's best to program around this issue. I found that this also can happen on Windows. For example, a laptop that has network access but didn't authenticate properly to the domain for whatever reason. In this case FMS asks for credentials directly from the user, and needs the DOMAIN prefix on the username.

yep, or the user may simply manually provide either their UNC (domainuser) or UPN (user@domain) credentials and that's what you'll get in the account name.

This is a vexing issue, and we have been discussing it with the proper parties.

Steven