Citrix & External Authentication

[mr_vodka]

Hi guys,

Have any of you tried External Authentication in Conjunction with Citrix?

Is is necessary since users are Authenticated via the Citrix server anyway?

I have been trying to construct an arguement with my coworkers about moving to External Authentication but they do not want to do it.

[tgilders]

We use External Authentication with Citrix and it works beautifully.

No sure exactly what you mean by "is it necessary".

If you don't use External Authentication, then you have to use internal FileMaker accounts, which means you'll then have to login to a database as well. (in addition to the Citrix login prompts).

Logging into Citrix basically gets you the equivalant to logging into a workstation locally. You still need to get into the FileMaker database, and by using the Ext. Auth, at least then you only need manage the users account once.

I think Ext. Auth is great. I can't imagine going back to mananging individual FileMaker accounts.

[Ted S]

I agree with tgliders. External authentication is the way to go if you're environment supports it. Your IT guy's lives will get easier if you implement because they will have fewer accounts to setup and manage.

The unnecessary thing in discussions involving Citrix is often Citrix itself.

Citrix runs on top of Microsoft Terminal Services. This means that you must have Terminal Services operational to run Citrix but very often Terminal Services by itself is all that many organizations need.

I believe that Citrix offers automated load balancing along with greater control over the user's experience but I'm running FM on a server that frequently has 30+ users and TS is all that we need. It works like a champ.

[mr_vodka]

Well I am not a big fan of Citrix but those are the cards that I have been dealt. -)

I am trying to convince the folks to go to Ext. Auth. but they dont want to do it. I am currently rewriting their old solution from 6 to 8.5 and the previous version's security was basically setup wrong.

So I am telling them about external authentication and they think that it is unnecessary because when the users log into Citrix, they are authenticated there.

Plus they do not want to add the bureacracy of the IT department because they always take forever to get things done etc.

[Ted S]

Who sets up the Filemaker accounts?

[mr_vodka]

We have control over the FM accounts because they dont want to deal with anything FM. lol. They dont understand it so they dont want it.

But they still need to create the users and groups. The groups or adding users to the group is where I think the problem will be. The IT dept here do drag their feet.

[Ted S]

It just occurred to me that they are on v6 right now. This means that they probably don't have individual Filemaker accounts. With Version 7 you will probably want individual accounts and somebody will have to set them up. If they user external authentication then all the IT guys will have to do is make sure that each user is a member of the proper Windows security group(s). They probably do this already for get the folder access right.

[Ted S]

John,

To quote a former US President, "I feel your pain."

If the IT guys aren't willing to do anything at all, then you're stuck with FileMaker authentication. It's too bad because it will make life easier for so many other people. Both you and your users. It is one less password to remember for everybody.

One thought; would the IT guys let you have access to the local users and groups on the Filemaker server? If so you may be able to administer them there yourself.

[mr_vodka]

Yes, you and I know the benefits of it. Its trying to convince my boss & the FM program admin that its a good idea.

They are having a hard time with everything that I am proposing for security enhancements. Currently there are "security roles" setup where they can individually on the fly change what the users can and can not access (fields & layouts) All of this is scripted by a basic, if permission is flagged then allow entry into field. Each field has a entry blocking button covering it. Its a mess.

Anyway, I of course want to embed the accounts & privs functionality of 8.5 into the new version and Ext. Authentication assigning those Privs but they fear that it will take too long via the IT Dept. So I need to build a case.

[mr_vodka]

One thought; would the IT guys let you have access to the local users and groups on the Filemaker server? If so you may be able to administer them there yourself.

We may be able to get permission to admin the server but then that defeats the purpose of Single Sign on, no? I can create the users and groups on that server but wont it conflict with the info from the Domain controller for the company? Wouldnt we have to keep track of two user names for each user?

Alas, networking is not my forte. I just know enough to do what I have to do.

[Ted S]

Yeah, you could be correct. I don't run it that way myself but what you're saying makes sense. Maybe Mr. Blackwell or Mr. Decorte can weigh-in here as they are the experts in this area.

My IT guys used to have the same general feelings about Filemaker largely because they didn't know much about it and it didn't say Microsoft on the box. Somewhere along the line they changed their minds and now really like it. I think it is mostly due to the system stability, simple deployment and very low daily IT attention requirements.

Probably their biggest complaint now is deploying new versions of the FM client throughout the organization. I personally have hopes that our friends at FMI will soon offer the ability to deploy patches in a manner that is similar to the way plug-ins can automatically be deployed by the FM server.

[mr_vodka]

Yes and that is why we use Citrix. So that we do not have to deploy software such as the client. With thousands of employees overall and hundred of users in FM,we have to use citrix until I can get them to web based solution.

Baby steps. Baby steps. lol.

[Wim Decorte]

tgliders first post was spot on: logging into Citrix is like logging into a workstation and does nothing for FM.

Maybe IT is thinking along the lines of making FM a "published app". Meaning users log into Citrix and don't get to see a desktop but go straight into FileMaker. Without EA, this would stop at the FM login prompt. With EA (and if the FMS machine is on Windows) you can make use of SSO to log the user directly into the FM with their domain account (that they used to log into citrix).

[Wim Decorte]

But they still need to create the users and groups. The groups or adding users to the group is where I think the problem will be. The IT dept here do drag their feet.

Not necessarily. The users will already exist (otherwise they wouldn't be able to log into Citrix or any other machine for that matter). The groups may exist already too if the users are divided into groups that correspond to the roles you have for them in your solution. And even if some new groups need to be created, it's literelly a 15 minute job at most. FM's EA fully supports groups in groups for instance so IT can create a new group (if needed) and drag existing groups into it. No need to drag all individual users into it.

[mr_vodka]

Hi Wim,

I know that it should take only a few minutes to setup groups. However, the process does not allow it to only be 15 minutes. For IT to makes any kind of changes, a service request has to be submitted, then signed off by two managers, then goes to an admin who assigns it to a IT manager, then the IT manager assigns it to an IT individual. Then it gets setup.

Roadblocks and unfortunately this process will not change.

[mr_vodka]

tgliders first post was spot on: logging into Citrix is like logging into a workstation and does nothing for FM.

Maybe IT is thinking along the lines of making FM a "published app". Meaning users log into Citrix and don't get to see a desktop but go straight into FileMaker. Without EA, this would stop at the FM login prompt. With EA (and if the FMS machine is on Windows) you can make use of SSO to log the user directly into the FM with their domain account (that they used to log into citrix).

Wim, currently the setup is like this. User logs into Citrix with their user account if they have rights and Citrix profile setup. Once logged into Citrix, a opener file is executed automatically adn opens the files on the FM server. Since its on FM6, there is only 2 groups. Admin and User. Then when the files open, they are prompted for user name and password via SCRIPTING. Keep in mind this is on FM6.

I am not the one that developed it this way. That is why I am rewriting the whole thing in FM8.5, but people want me to just do it like the old way it is curerntly being done rather than EA. Sigh.

That is why I asked if EA is really needed if their account is already authenticated when they log onto Citrix. Basically anybody not setup in the Citrix server wouldnt be able to get in.

[Wim Decorte]

Yes, but that part of the process is the same for any Directory change so it's not unique to asking for a change for FileMaker EA so it should not count. Just the actualy changing work should count...

[Wim Decorte]

That is why I asked if EA is really needed if their account is already authenticated when they log onto Citrix. Basically anybody not setup in the Citrix server wouldnt be able to get in.

Yep. Citrix is just the OS login (with some extra stuff). You could leave your solution open (no passwords) but then anyone with FMP access to the FMS machine will get the same effect.

[mr_vodka]

Hi Steven and Wim.

We are finally pushing out the new system but hit a big snag today. Here is the issue.

EA work fine as well as getting the account name from AD. This works all fine if we were all using a locally installed copy of Pro.

However, we are using Citrix and on the Citrix box we were going to use an opener file to open the files on the server. This is where the issue arises. Since the opener file is just that; and opener file, it is not being served so it can not authenticate anything. It has to have Admin right to open it and then "open remote" to the Served files. One way to fix this issue would be to have the users open up FileMaker in Citrix and then manually open remote, but that is not an option as the users only have their Citrix icon desktop that is given to them.

So the big question is... If we cant use an opener file, then what are our other options that will provide the EA support?? Could an simple executable script solve this issue?

[Steven H. Blackwell]

OK, this scenario with the opener file likely will not work. Additionally, what happen's if two users click on it at the same time?

Here is an (untested) alternative scenario. Host the opener file, the same as any other in the solution. On the Citrix "desktop" create an URL shortcut (not a FMP shortcut or a Windows OS shortcut). Have that URl shortcut call the "opener" file.

It is also possible to have the URL embedded in a separate web page. And the access to that web page can require authentication by Active Directory.

But try the first alternative. See if that helps address the issue.

Steven

[mr_vodka]

Hi Steven. I dont really need the opener file. It only existed to point it to the server itself. Each user has their own copy of the opener file.

so if your test works, I guess I wont even need the opener file. I will test and get back to you very shortly.

Thanks.

[mr_vodka]

Tested and confirmed. Thank you for your suggestion. It worked out very well. ;)

[Perren]

I'll second Steven's suggestion.

We are using Citrix and EA and I just have a URL shortcut pointing to the hosted DB.

Navigate to /Documents and Settings/All Users/Desktop/, create a new shortcut with the URL that looks like: fmp7://dbserver/dbfile and away you go! This will be pushed to all folks who login using a full blown Citrix remote desktop session.