
External server authentication not working



Hi,

I'm trying to connect to a test fm database using external authentication, but without success.

Here's the configuration :

- FMS 8.0 on a Windows Server 2003 on which we connect as an external remote server.

- Active Directory on a second Windows Server 2003.

- Client connecting to the FMS using an address such as this one fmserver.ourcompany.com

- Some clients are local to the same domain as the fm server, others are outside the domain (working at home).

I created an fmusers group in the AD and a test user (extUser) that belongs to the group.

I'm trying to connect using all the methods that I know, but always unsuccessful.

EG:

extUser hisPassword

domainname\extUser hisPassword

domainname/extUser hisPassword

[email protected] hisPassword

I read the whole FM tech brief server authentication.

Can someone tell me what I'm doing wrong?


Are you connecting through the FMP client or through a web browser?

"I'm trying to connect using all the methods that I know, but always unsuccessful. EG: extUser hisPassword..."

I have no idea what you're doing.

What happens if you open the file using FMP's Open Remote command? At the prompt enter the extUser username and password.


I'm always connecting through FMP client. Using a web address that points to our server and not an internal ip.

Genx:

Yes, I did add the group name in the FM file. Using the same case. eg: fmUsers in the Active Directory and in the FM file.


Do you have a firewall between your FMS machine and the AD?

What do the event logs say (both application and security logs on the FMS machine, security log on the AD machine)?

Can you log into the FMS machine with your test account? Physically logging into the OS?


There is no firewall between the two servers.

They are on the same network and domain.

My dev computer is on the same network and domain.

I connect to the FMS using an external address.

I get no errors or warnings in FMS logs.

I get no errors or warnings concerning FMS in the AD log.

I can log in using FM integrated accounts in the file.

Physically logging into the OS? Yes, I do have access to everything physically and remotely.

Question :D

Do I need to register FMS with a directory service?


We have another server on an external VPS which is not connected to a domain. (Scenario 1 in the FM tech brief)

It worked at first attempt.

Might be something to do with the communication between my FMS and the AD. BTW, both of them are on different servers.


"There is no firewall between the two servers. They are on the same network and domain. My dev computer is on the same network and domain. I connect to the FMS using an external address."

Why? Why not simply the internal IP address if you're on the same domain and physical network? By using an external IP address you're introducing network delays that are not necessary.

"I get no errors or warnings in FMS logs. I get no errors or warnings concerning FMS in the AD log."

Look for regular security audit messages in the AD log. The AD doesn't know about FMS but it will know if someone tries to authenticate and give you some feedback as to why it failed.

"Physically logging into the OS? Yes, I do have access to everything physically and remotely."

Did you try it? Did it work?

"Question :D Do I need to register FMS with a directory service?"

NO! As per the tech brief, registering FMS with a directory service has NOTHING to do with authentication at all.


"We have another server on an external VPS which is not connected to a domain. (Scenario 1 in the FM tech brief) It worked at first attempt. Might be something to do with the communication between my FMS and the AD. BTW, both of them are on different servers."

They should be on different servers. From what little I know about your setup it looks like the network communication between the FMS and the AD is too slow. I've seen it happen before where the AD was hundreds of miles away on relatively slow lines.


"Why? Why not simply the internal IP address if you're on the same domain and physical network? By using an external IP address you're introducing network delays that are not necessary."

Because some employees work from their home. It is easier to manage 1 IP for each file than 2+ IPs per file.

Also, there was a licensing problem when I was using two different IPs. When employees connected to the database, for an unknown reason some files used the internal IP and others the external. The server was then seeing two different IPs for the same serial number...

"Look for regular security audit messages in the AD log. The AD doesn't know about FMS but it will know if someone tries to authenticate and give you some feedback as to why it failed."

I've checked the security log on the AD and there was no message saying that something failed to log.

"They should be on different servers. From what little I know about your setup it looks like the network communication between the FMS and the AD is too slow. I've seen it happen before where the AD was hundreds of miles away on relatively slow lines."

I don't think the communication is too slow, since the backup manager is on the same server as the AD.


"Because some employees work from their home."

Seems like you're punishing everyone for the "sins" of a few. Why not let the remote users connect through a VPN, which would be both more secure and let you maintain just the internal IP address in your solution?

"I don't think the communication is too slow, since the backup manager is on the same server as the AD."

Different beasts, so it's not a good comparison. FMS to FMP is very communication intensive, much more so than any backup application.

The fact that you tested it with local accounts on the FMS machine proves that point. It's the communication between the FMS machine and the AD that is somehow preventing the authentication from happening. Either the request from FMS does not reach the AD in time, or the response from the AD does not reach FMS in time. Do you spot requests in the AD logs for the FM users?
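
The check several replies ask for (does the AD machine's Security log show any authentication attempt for the test account?), as an added example that is not part of any post in this thread. It assumes PowerShell 2.0 or later on an admin machine, a placeholder domain controller name `dc01`, and the Windows Server 2003 event IDs for failed authentication.

```powershell
# Added example, not from the thread. Assumptions: 'dc01' is a placeholder for
# the domain controller; run from a machine with PowerShell 2.0+ under an
# account allowed to read the DC's Security log.
$dc      = 'dc01'                    # placeholder DC name
$account = 'extUser'                 # test account named in the thread
$since   = (Get-Date).AddHours(-1)   # window covering the login attempt

# Windows Server 2003 event IDs that record failed authentication:
#   529-537, 539  failed logon (529 = unknown user name or bad password)
#   672, 675      Kerberos ticket request / pre-authentication failed
#   680           NTLM account logon attempt
$ids = @(529..537) + @(539, 672, 675, 680)

$failures = @(Get-EventLog -LogName Security -ComputerName $dc -After $since `
                  -InstanceId $ids -EntryType FailureAudit `
                  -ErrorAction SilentlyContinue |
              Where-Object { $_.Message -like "*$account*" })

if ($failures.Count -gt 0) {
    # The request reached the DC and was rejected; the message gives the reason.
    $failures | Sort-Object TimeGenerated |
        Format-List TimeGenerated, EventID, Message
} else {
    # Nothing logged: either the request never reached this DC, or failure
    # auditing is off. Count all audit entries in the window to tell which.
    $any = @(Get-EventLog -LogName Security -ComputerName $dc -After $since `
                 -ErrorAction SilentlyContinue)
    $failAudits = @($any | Where-Object { $_.EntryType -eq 'FailureAudit' })
    "No failed authentication for '$account' on $dc since $since."
    "Security entries in window: $($any.Count); failure audits: $($failAudits.Count)"
    if ($failAudits.Count -eq 0) {
        "No failure audits at all: check that 'Audit account logon events' and"
        "'Audit logon events' record Failure in the DC's audit policy."
    }
}
```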
