Cortical

external server authentication and SMB licenses


Hi All,

I have an issue with a client setting up an IWP solution, and ESA configuration.

They have a Windows box running Small Business Server 2003, being used as a domain controller.

A second windows box runs FMS (currently FMS9A, FMS10A waiting in the wings)

The plan was to use external server authentication configured on the SMB, to control access to the FMS database, but they have encountered a licensing issue, in that the SMB seems to have a limit on the number of accounts they can use for the FM group.

A single group is configured on the SBS domain controller, and this group is used as the FM privilege set credential for access to the database.

They report that the maximum user accounts allowed is 75 (note this is maximum accounts, not concurrent users). For more than this it would require additional licenses at $150 per 5 user account licenses. They currently have a thousand or so accounts they would potentially need to create.

Is creating one user account for all users on the SMB the only option?

Would using a separate Mac OSX box as a web server/domain controller be a plausible alternative?

I have not seen any reference to this issue previously.


Using SBS as the OS for a domain controller is probably a poor idea to start with. Why don't they just upgrade the box to Windows Server 2003 or Windows Server 2008?

I'd recommend against using a Macintosh OS server here. It's just one more moving part to address. Plus the SSO may not work correctly.

I'd also recommend a review of the Tech Brief on External Server Authentication.

Steven


Hi Steven,

Thanks for the reply.

A correction: the domain controller OS is XP; SBS is running under virtual on this. Why? I have no idea; the joys of Windows are not my domain, I freely admit.

The tech brief has been reviewed numerous times, and was used to walk through the install. It does not stipulate Server 2003 etc. as mandatory; it merely uses Win Srv2003 as the example domain controller, does it not?

While it may be advisable for them to upgrade to srv2003, would this circumvent the licensing issue?

Q: If using Win Srv2003 as a domain controller, can unlimited accounts be created under a group in Open Directory without incurring licensing issues?

The additional licensing under SMB is $150 per license in packs of 5 (not $150/5 as initial email).

thanks for the rep


I've read through the setup a couple of times now and I think you need to tell them quite clearly that the setup is totally nuts. They simply cannot expect this to work reliably with any sort of decent uptime.

Running SBS or even regular W2K3 virtually on an XP host?

Nothing against virtualization (we use it all the time) but it comes at a cost (extremely good quality hardware, lots of monitoring, lots of redundancy). The setup you describe reeks of "cheap". Cheap does not pay in the long run with something like this.

Another limitation they will get hit with pretty quickly: When you use SBS as the domain controller it will not allow any other server in its domain. That's an inherent limitation of SBS and it's why it's so inexpensive. It is meant for very small 1-server only deployments with very light loads where one server can safely perform all the SBS tasks.

There are 1000 users so we're not talking about light loads here.

As to the licensing: talk to a Microsoft sales rep to work out a good deal.


To drive my point home about SBS being a 1-server deployment: when you install FMS on a different machine you will not be able to join that machine to the SBS machine and thus External Authentication will not work against domain accounts.


What Wim said. I think maybe you need to start over with this deployment. What we described in the Tech Brief, we know that it will work.

Steven


OK, thanks to you both.

I do take your point, Wim, re virtual on XP. Seemed to be stretching optimism to me, but they have it working as their LAN domain controller etc. Win server and its demon (? daemon) ilk are not my environment.

As for the FMS/SBS domain accounts, it actually does seem to be working in testing, and WAN accessible. But as you suggest, in the real world that is likely another matter.

The config needs to be stable, robust and secure.

regards

Chris


Yes, it sounds like appropriate building blocks are not in situ.

Perhaps the next revision of the documentation could emphasise hardware/software requirements?

If the domain controller is removed from the equation, and scenario 1 (tech brief) is implemented (rather than scenario 2), what controls the http address that the WAN user accesses?

regards

Chris


The presence or absence of the Domain Controller has nothing to do with the IP address the user needs to make a WAN connection.

There are several ways to do this, but the most common one is to have a public IP address, e.g. 0.0.0.0, that the WAN user enters. Then Port 5003 packets for that IP address are forwarded by the firewall to the internal NAT address of the FileMaker Server machine, e.g. 192.0.0.55.

"Perhaps the next revision of the documentation could emphasise hardware/software requirements?"

Interesting idea. At present there are no plans for a revision in the Tech Brief. That could always change.

HTH

Steven
