Admin Console - SSO Possible?

[Ted S]

Hello all,

I installed FMS9 on Windows 2003 Server a few weeks ago. All is well except that I cannot open the Admin Console without providing a username and password. With Server 7 as long as I was a member of the FMSAdmin group I could open the console directly as it used Windows authentication. With FMS9 this is no longer the case.

I have created an FMSAdmin group and made myself a member and I have enabled "Allow members of the fmsadmin group to login" but I still have to supply a username and password to use the Admin Console. Maybe this is how it is supposed to be. Anybody know for sure?

Thanks!

[Steven H. Blackwell]

have created an FMSAdmin group and made myself a member and I have enabled "Allow members of the fmsadmin group to login"

Where is that Group physically located? On the domain controller or on the FileMaker Server as a local group?

Steven

[Ted S]

I originally created a domain group but just moments ago realized that this *may* have to be a local group so I created a local group and made myself a member. Still no luck but I did not restart the FM services because I have users in the system right now.

[Ted S]

Well, I restarted the server tonight and still no joy. My question still remains, does anyone know if Single Sign On (SSO) is even possible?

[Steven H. Blackwell]

It is, provided that the group is properly named and confiured on the local server. BTW, this [color:red]must be a completely Windows OS configuration. And be sure that the server clock and the domain controller clock are completely synchronized. Failure to do so can throw off authentication.

Steven

[Ted S]

Steven,

I'm in a 100% Windows shop. I checked the clocks on the domain server and the FM server and they appear to be in-sync. There is a service running on the FM server called "Windows Time" which looks like that is its mission.

I read the Server External Authentication Tech Brief from cover-to-cover skipping the Mac sections and I still can't get SSO to work.

I have tried fmsadmin as both local and domain groups with no luck. One question; I have a Windows account in my name and I am a member of the Domain Admins group. The Domain Admins group is a member of the fmsadmin group. Filemaker Server is running under the local system account. Do I need to create some sort of user account for the server service to run under?

[Steven H. Blackwell]

The Domain Admins group is a member of the fmsadmin group.

Try putting your Account directly into the local fmsadmin group as well.

Steven

[Ted S]

Steven,

I tried that before as well, as again just now, but still no luck.

One other thing I should mention is that the server and all of the client PCs were on a different AD domain a few weeks ago. Due to a business acquisition the FM server and all client PCs recently moved to a new domain. I should also add that SSO for the Admin Console (v9) didn't work on the old domain either.

The good news about this whole situation is that SSO works really well for FM users and I couldn't be happier but it would be nice if the Admin Console worked too.

[Steven H. Blackwell]

I am continuing to investigate this issue and to review it with FMI.

Steven

[serzone]

BTW, i have the exact same problem. the single sign on is not working for filemaker server 9 admin console reagrdless from where i'm connecting to it (whether i'm on the actual server or remotely). the only way to access it is with the local account.

We use filemaker server 7 and 8 on other servers and the sign-on works with no problems. We have the same config for 9 and it doesn't work.

[Steven H. Blackwell]

It's entirely possible, as I believe I said initially, that it's broken.

The group apparently must be set up on the local Server, not at the domain level. But I am still working to get final confirmation on that.

Steven

[Ted S]

Thanks for your help Steven. The good thing is that this just kind of an icing-on-the-cake issue so if it doesn't get resolved anytime soon it's not a big deal.

[serzone]

well... it is a bit of a big deal to me because we're supporting about 10 FileMaker servers here and there are several admins that need to be able to connect and I'm not very happy with having to use a local password instead of authentication happening automatically as it was in fms7 or 8. I thought fms 9 was supposed to be better and improve things not break existing functionality.

What's the point in upgrading and/or continuing licensing then?

Edited April 7, 2008 by Guest

[Steven H. Blackwell]

There is nothing new that I have to report on this from my March 20th message. I have relayed this toFMI and I am continuing to check on it.

Steven

[benhanson]

I have the same issue, though I've discovered the following: If I create a local group 'fmsadmin' and create local users and add them to that group, it works fine. Domain users added to that group do not work.

My suspicion is that this is a SPN record issue. For kerberos to work, if a server is trying to do passthrough authentication, an SPN record for the service is usually required.

[Steven H. Blackwell]

That is a possible explanation. As noted in the Console, the fmsadmin group must be on the master server.

We are continuing to work on this issue. FMI is aware of this.

Steven

[Wim Decorte]

Working with Steven on this. It doesn't look like SSO is possible for the Admin Console but we haven't heard that officially yet from FMI.

The fmsadmin group can safely be on the domain controller, it does not have to be on the FMS machine itself. Provided of course that the FMS machine is a member server of that domain.