
FM Server 8 External Authentication



I have multiple databases set up with about 40 users on both Win/Mac platforms. The DBs are served from FM Server 8 of a dedicated Win2003 server. All DBs use external server authentication of the server's local domain and so far I've been creating user accounts manually and it has been working great. But as the number of clients increases managing users is becoming more and more tedious, especially when users request a password change! It would be great if I could somehow manage these accounts from FM client. I have a bunch of VB scripts to automate tasks, but I just can't get FileMaker to run them in the context of the server, i.e. the scripts run on the client machine. Is there a way to run VB scripts on the host machine from FM client? I've looked at Shell plugin, but I'm not sure if it actually runs commands on the host machine...any help would be appreciated...thanks


This post would probably be better off in the "Windows Automation" forum but I'll leave it here for now.

The key is in your VBscripts. If you can get FM to execute them then you're good. But in your VBscript syntax you need to specify that you want to target the AD on the domain controller. And you will need to include admin credentials in it, which may be a security risk if you don't handle it properly.

You mentioned "local domain" so I'm assuming you are working with accounts in Active Directory and not accounts on the filemaker server machine.


Thank you for your reply, sorry, didn't know there was a windows forum.

I am not running a domain controller, these are local accounts on the FM server machine. I am aware that I can remotely manage domains, but like you said that would be a major security hole, besides there are other things I would like to use the scripts for, not just to manage the accounts. I basically need the scripts to run on the server machine not on the client machine. Can that be done?


Sure. It's called "Remote Scripting" and is supported in Windows Script Host 5.6. If you're running XP and Server 2003 then that's the version you have. If not, you can download it from MS and install it where needed. Do a google on the subject and you'll find plenty of examples.


I was thinking about remote scripting, but then FM client would still run a local VB script off the client machine which would then connect to the server. I'm looking for something that would actually initiate the script off the server entirely. Besides, we have cross-platform clients (Mac/Win).


I'm trying to do something that is very common in client-server applications. Let me give you a simple example. On the FM client, user has two buttons...one button lists files of the client's root directory while the 2nd button lists the files of the server's root directory. In first case the script has to run in the context of the client while in the 2nd case in the context of the server. I'm trying to do something similar...I want users to be able to change their passwords which are stored on the server, but I can't use remote scripting because we have cross-platform clients and remote scripting is not supported on Macs.


I'll let Wim respond more fully inasmuch as he is the expert here on the particulars of the OS level scripting.

However, FileMaker products are not designed to change directory services (either AD or OD) level credentials directly. That would be a huge security hole. OS level scripting triggered from within FileMaker Pro might be able to trigger either Active Directory or Open Directory to call for credentials changes. Such credentials lifecycle management changes are the province of the Directory Service and its security policy, not of FileMaker.

HTH

Steven


Sounds to me like you're not using External authentication to its fullest, and you're creating more work for yourself because of it (instead of less work, which is the goal of EA).

If users log into their workstation with the AD credentials then you can have all the pw change requests handled there and there wouldn't be a need to add scripting to the mix.

To cater for the xplat clients; you can create a web page to handle the pw change request. The web page would use LDAP or ADSI to talk to the domain controller. Be very careful with security in this whole setup.

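An added example, not code from this thread or from any poster: a sketch of the server-side logic behind the password-change web page suggested above, assuming Active Directory reached over LDAPS. It builds a user-initiated change (delete old `unicodePwd`, add new) meant to be sent on a connection bound as the user, so the page stores no admin credentials; the function names, the username allow-list and the sample values are hypothetical.

```python
import re

# Allow-list for account names submitted by the form
# (assumption: sAMAccountName-style logins without spaces).
_USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def encode_unicode_pwd(password: str) -> bytes:
    """AD takes unicodePwd as the double-quoted password in UTF-16LE."""
    return ('"%s"' % password).encode("utf-16-le")


def build_self_service_change(username, old_password, new_password):
    """Return (search_filter, modify_ops) for a user-initiated change.

    A change that supplies the old value needs no admin rights, unlike an
    administrative reset (a single 'replace' of unicodePwd).
    """
    if not _USERNAME_RE.fullmatch(username):
        raise ValueError("rejected account name")
    if not new_password or new_password == old_password:
        raise ValueError("new password must differ from the old one")
    search_filter = "(&(objectClass=user)(sAMAccountName=%s))" % (
        escape_filter_value(username)
    )
    modify_ops = [
        ("delete", "unicodePwd", encode_unicode_pwd(old_password)),
        ("add", "unicodePwd", encode_unicode_pwd(new_password)),
    ]
    return search_filter, modify_ops


if __name__ == "__main__":
    # Constructed sample input; "jdoe" and both passwords are made up.
    flt, ops = build_self_service_change("jdoe", "Old-Pass1", "New-Pass2")
    print(flt)
    for op, attr, value in ops:
        print(op, attr, len(value), "bytes")
```

The returned filter and operations would be handed to whatever LDAP client the page uses; Active Directory accepts `unicodePwd` writes only over an encrypted connection.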
