
Oh CRAP!

Steven, I just read your post re Single Sign On and Mac OS X.

I have to say, nowhere in any FileMaker documentation is this mentioned, only on here. That will teach me for not coming here first!

We've got a mixed environment as well: XP Professional users on an AD domain, connecting to FM on our terminal server. I've been trying to get single sign-on to work for a couple of days now, and of course my headaches surfaced when attempting to have the users access the databases hosted on our XServe.

In this day and age, with Active Directory and LDAP integration, these sorts of things should be a lot more seamless.

Looks like we are going to have to migrate our DBs over to our 2003 server. Such a shame, because the XServe performs so much faster....

If you ever figure out how to jiggle this to work, please let me know!

Steve


What post are you referencing?

Take a look at the Server External Authentication Tech Brief that Wim Decorte and I wrote for FMI. These items are fully discussed therein.

SSO is a Windows OS FMS and Windows OS client workstation enterprise only. Macintosh has no concept of SSO. Credentials can be stored in the KeyChain, but they must first be entered there at the initial log-on.

LDAP has nothing to do with this. The FileMaker Server LDAP registration is a "yellow pages directory" listing only, and has no bearing on authentication.

HTH.

Steven


I'm sorry, Steven; my confusion, and thanks for clarifying the position of LDAP.

What I was referring to was your post as follows:

Quote:

This is the expected behavior. Single Sign On, as distinguished from External Server Authentication, is supported only from Windows clients to Windows OS servers running FileMaker Server. It is not supported at all on Macintosh, because there is no concept of SSO in the Macintosh world.

Switch FileMaker Server to a server running Windows Server 2003 Standard Edition SP 2, and you can have SSO from Windows clients.

Steven

---- End Quote ----

So it would appear that, even though we have no Macintosh clients at all, and our only Mac equipment is our XServe, Single Sign On for PC users is not possible with respect to a database hosted on a Mac XServe bound to our domain.

Single Sign On, in spirit, is the process of passing authentication tokens between operating systems and SSO-savvy applications (those applications which will receive a trusted authentication token).

Of course, my confusion stems from the fact that FileMaker, as an application, is SSO savvy.

My reference to LDAP was holistic only, referring to the fact that FileMaker supports facilities to list itself within an LDAP directory, as you have indicated. What I should have said is:

That in this day and age, where applications are LDAP savvy, support SSO, and are more and more seamlessly supported within mixed environments, it is odd that in one instance a FileMaker client can accept and process SSO tokens passed from AD to FileMaker Server on the Windows platform, but cannot properly accept SSO tokens when the same database is hosted on a Macintosh server bound to an AD domain.

In your tech brief; you state:

Single Sign On. Fourth, Server External Authentication supports Single Sign On for the Windows platform and an analogous behavior on Macintosh OS X. This is a commonly employed technique in IS/IT system and network management. The concept behind Single Sign On, sometimes called universal authentication log-on or single-source log-on, is the belief that it simplifies user credential management activity by requiring the user to remember only one set of credentials to access digital assets and network based assets. While this belief is almost certainly a correct one, nevertheless it does transfer the security of the database to something outside of FileMaker Pro. Developers may wish therefore to learn more about network security and authentication generally.

Strictly speaking Single Sign On for FileMaker Pro 8 is a Windows OS client to Windows OS server feature only. However, in Macintosh OS X the feature can be mimicked by storing the credential information in the Keychain.

I am curious: when you say "Strictly speaking ... however, in Macintosh OS X", I am sure you are referring to the concept of a Mac client "SSO process", but you are not referring to SSO tokens passed via a Mac XServe from an AD controller? Or do I misunderstand?

I'm also a little confused because in another post you say:

QUOTE:

1. External Server Authentication is one thing; single sign on is another.

2. IWP clients can authenticate against the server; they cannot do SSO.

3. Windows FMP workstations clients can have true SSO; Macintosh OS X clients cannot. They must use the Keychain instead.

4. The server accounts can either be on the domain controller, or they can be local accounts on the FMS server box.

5. Cross platform FMP client authentication can be a bit tricky depending on the OS of the domain controller. It is probably easier to have the DC be Active Directory. The AD plugins that are part of OS X seem to change every time Apple revs the OS, so some tinkering is always required.

---- END QUOTE ----

Here you state that AD is preferable, but that the AD plugins for OS X may need some tinkering...

I agree with you that it is considered best practice to employ single architecture and OS configurations when deploying more complex solutions; I just feel disappointed that, as you have said, with the Apple OS "some tinkering is always required".

Perhaps the XServe is simply a poor technology choice for any organization where AD has been implemented.

Again, should you discover some method to permit Single Sign On between Windows XP Professional clients and a FileMaker database hosted on an XServe which is bound to the same AD controller as the requesting XP Professional client, I am sure that I am not the only one out there who would benefit from such knowledge.

Cheers

Steve


I understand. It's a complex web. And it has changed some since the original Tech Brief was written. We are in the process of discussing these issues with FMI.

At such time as there is anything new to report--hopefully soon--we will post an announcement.

Steven


Steven;

For what it's worth, I do not feel the problem is directly with FMI, as when running the daemon in debug mode on the XServe, it is clear that the very second an attempt is made to access a database from a Windows XP client, an authentication token is being parsed and passed through.

I will continue to diagnose this scenario and provide you with whatever learning I achieve.

Steve


Please do keep me posted. It is not outside the realm of possibility here that something has changed and they didn't tell us. But we will get to the bottom of this.

In any regard, if the FMS machine is running OS X Server, you can be sure that every time there is an OS rev from Apple, something will have to be tweaked. It's been that way since OS 10.1 and Server 7.0v1.

Steven


  • 1 month later...

FileMaker Server uses Kerberos on OS X just as it does in Windows where it can do so. The Ticket Granting Ticket interacts with FileMaker Server. However, on OS X it still queries the KeyChain for the FileMaker Pro credentials.

He who lives by the FileMaker Crystal Ball soon learns to eat ground Case functions. I do not expect any changes in the FMS authentication process, at least in the near to immediate future.

Steven


I can't seem to get my ticket granting tickets to interact with FMP Server at all; my clients always have to enter their username/password, and Kerberos doesn't show any tickets issued to FileMaker... Maybe there's a port I need to open on my server's firewall?

Can you direct me to any documentation about how this works? All I've been able to find are an outdated (FMP8) "Technology Brief" and about 2 pages in FileMaker Pro 9 The Missing Manual, and there's no mention of Kerberos in either of those...

Thanks

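The last two posts come down to a question a practitioner can check on the client: does the user's Kerberos credential cache actually hold a valid Ticket Granting Ticket, and was a service ticket ever requested for the server being contacted? If no service ticket for the server ever appears, the client never tried Kerberos against it, and a firewall port is unlikely to be the cause; an expired TGT explains a sudden fall-back to the username/password dialog. The following is an added diagnostic example, not code from this thread or from FileMaker. It parses `klist` output in the MIT Kerberos format; the sample output is constructed, and the service principal name `host/fmserver.example.com@EXAMPLE.COM` is a placeholder assumption, not the name FileMaker Server actually registers (the thread does not give one).

```python
"""Inspect a Kerberos credential cache listing (MIT `klist` format) for the
tickets an SSO client needs: a valid TGT for the user's realm and a service
ticket for the server being contacted.  Added diagnostic example; the service
principal used below is a placeholder, not a FileMaker-specific name."""
from datetime import datetime

# Constructed sample of `klist` output (MIT Kerberos format); not captured from a real host.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_501
Default principal: steve@EXAMPLE.COM

Valid starting       Expires              Service principal
10/14/2008 08:00:00  10/14/2008 18:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
10/14/2008 08:05:12  10/14/2008 18:00:00  cifs/fileserver.example.com@EXAMPLE.COM
"""

# Placeholder SPN for the database host; substitute the name the server really registers.
ASSUMED_SERVER_SPN = "host/fmserver.example.com@EXAMPLE.COM"

TIME_FMT = "%m/%d/%Y %H:%M:%S"


def parse_klist(text):
    """Return (default_principal, tickets); each ticket is a dict with
    'service', 'starting' and 'expires'.  Header rows, the cache path and
    blank lines are skipped because they do not parse as two timestamps."""
    default_principal = None
    tickets = []
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            default_principal = line.split(":", 1)[1].strip()
            continue
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            starting = datetime.strptime(parts[0] + " " + parts[1], TIME_FMT)
            expires = datetime.strptime(parts[2] + " " + parts[3], TIME_FMT)
        except ValueError:
            continue  # e.g. the "Valid starting  Expires  Service principal" header
        tickets.append({"service": parts[4], "starting": starting, "expires": expires})
    return default_principal, tickets


def realm_of(principal):
    """Realm is everything after the last '@' of a principal name."""
    return principal.rsplit("@", 1)[1]


def diagnose(klist_text, service_principal, now):
    """Explain, at time `now`, whether the cache could support SSO to
    `service_principal`.  Returns flags plus a list of human-readable problems."""
    user, tickets = parse_klist(klist_text)
    result = {"user": user, "has_tgt": False, "tgt_valid": False,
              "has_service_ticket": False, "service_ticket_valid": False,
              "problems": []}
    if user is None:
        result["problems"].append("no default principal: user has no Kerberos logon")
        return result
    realm = realm_of(user)
    tgt_name = "krbtgt/%s@%s" % (realm, realm)
    for t in tickets:
        valid = t["starting"] <= now < t["expires"]
        if t["service"] == tgt_name:
            result["has_tgt"] = True
            result["tgt_valid"] = result["tgt_valid"] or valid
        elif t["service"] == service_principal:
            result["has_service_ticket"] = True
            result["service_ticket_valid"] = result["service_ticket_valid"] or valid
    if not result["has_tgt"]:
        result["problems"].append("no TGT in cache: initial Kerberos logon did not happen")
    elif not result["tgt_valid"]:
        result["problems"].append("TGT expired: client must renew or log on again")
    if not result["has_service_ticket"]:
        result["problems"].append(
            "no ticket for %s: the client never asked the KDC for one, so the "
            "server was not contacted via Kerberos" % service_principal)
    elif not result["service_ticket_valid"]:
        result["problems"].append("service ticket for %s expired" % service_principal)
    return result


if __name__ == "__main__":
    # On a real client, replace SAMPLE_KLIST with the output of `klist`.
    report = diagnose(SAMPLE_KLIST, ASSUMED_SERVER_SPN, datetime(2008, 10, 14, 12, 0, 0))
    for key, value in report.items():
        print("%-22s %s" % (key, value))
```

Run against the constructed sample, the report shows a valid TGT but no ticket for the placeholder server principal, which is the same picture the last poster describes: Kerberos is working for the user, yet nothing was ever requested for the database host. Checking the cache this way separates "Kerberos logon failed" from "the client did not attempt Kerberos against this server" before anyone starts opening firewall ports.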