
This topic is 3937 days old. Please don't post here. Open a new topic instead.


Posted

We're going to port our databases from FMS 11 on Windows Server 2003 to FMS 13 on Windows Server 2008 R2. The databases currently authenticate to the server's local users and groups, and we're going to keep that when we go to FMS 13. However, we'd also like to add external authentication via Active Directory.

 

Can FMS 13 be configured to look to the Windows server's local users and groups first for authentication, then fall to Active Directory if the user isn't in the local directory?

 

Thanks.

  • Newbies
Posted

Hello Colin,

I am looking for answers concerning AD and maybe my experiences will be of help to you.

 

I have an AD environment (Win Server 2008 as PDC) and an FMS 13 running on a Mac (Mavericks Server). The Mac is bound to the AD and operates as an OD server connected to the AD. Using the Users/Groups section of the Server app, I can see all of the AD users and can access shares on the Mac using the AD logins.

 

FMS is set for external authentication and the solutions have the proper security settings for the AD group and another for the local (Mac Server) group. Users are able to log in using accounts on the local Mac but not with accounts on the AD.

 

I would think that if you have your external authentications set up so that AD credentials are valid for FM, then local users will work.

 

If anyone is able to add suggestions for me to try, that would be appreciated.

 

Deanne

Posted

The OS of the FMS box largely dictates how it works and things have changed a little bit over time.

 

But in general (IIRC) FMS will always look at the local accounts and groups first before querying the AD, as long as the workstation is not part of the domain. If your workstations are Windows, part of the domain, and users log into Windows using AD credentials and they are part of an AD group that exists as an FM external account, then you are out of luck: they will get in with the priv set attached to the AD group. The Single Sign On feature will take precedence in this scenario.

 

Have to ask though: why complicate things like this?  If you have an AD, why not create the accounts and groups there?
