Hi,

 

Beacuse I want to maintain users more easily I want to change several FM Server hosted files to External Authentication instead of FM Authentication.

 

I have tested it, and it works fine so far on when using a FM Pro Client, and the external Auhenticator is the Active Directory on a Windows Server.

 

But I can not make it Work on FM Go or when using Webdirect.

 

So my question is, is it possible to make it work on the following:

 

• Filemaker Go
• WebDirect
• PHP Web Publishing (for security I might want to create an separate account for this directly in FM)
• Filemaker Pro clients running on machines that are NOT domain (AD) members.

There doesnt seem to be a lot of settings in FM regarding External Authentication, so I might have to change something in the AD?

It is my impression that Filemaker will first look at the local machines domain membership, but if it is not a member, it will look at the FMS box' Windows accounts and/or domain membership?

 

Is that correct, or any ideas how to accomplish this?

 

Benjamin

Hi,

 

Beacuse I want to maintain users more easily I want to change several FM Server hosted files to External Authentication instead of FM Authentication.

 

I have tested it, and it works fine so far on when using a FM Pro Client, and the external Auhenticator is the Active Directory on a Windows Server.

 

But I can not make it Work on FM Go or when using Webdirect.

 

 

 

Can you define "not work" here?

When a WebD or Go user opens a file, they get the login dialog; enter AD credentials and that should just work.

 

So what does not work?  The credentials are not accepted?

 

• Filemaker Pro clients running on machines that are NOT domain (AD) members.

 

 

 

The client machine does NOT have to be a domain member.  Only the FMS machine has to be a domain member.

 

And yes, EA works in all the scenarios that you question.

 

There doesnt seem to be a lot of settings in FM regarding External Authentication, so I might have to change something in the AD?

 

No, nothing at all.

- The FM file needs to be set up with External accounts; which you have otherwise it would not work from the desktop

- FMS needs to be configured to allow FM and External accounts

- the FMS machine needs to be a member of the AD domain for EA to use AD accounts

 

 

It is my impression that Filemaker will first look at the local machines domain membership, but if it is not a member, it will look at the FMS box' Windows accounts and/or domain membership?

 

 

That is not correct.  FM does not look at the local machine at all except in the SSO edge-case:

SSO (single sign on) is where the user is not prompted for credentials at all.  That only works in this scenario:

- windows workstation, member of the domain

- user logged into the workstation with AD credentials

- FMS on Windows server, member server of the domain

- user opens a file from FMS and at least one of the AD groups that his windows logon account belongs to is set up as an External Account in the FM file

if all of the above are true then the user will not be prompted for credentials

In all other EA scenarios the user is prompted for credentials and you can matching AD accounts.

 

Perhaps this your confusion?  You expect SSO to work on the other clients (WebD, FM Go,...)?  EA works on all of those, but not SSO.

Everything Wim said.  Plus this.

 

Please do not confuse External Server Authentication with Single Sign On.  SSO requires External Server Authentication to work, but is different than EA.  SSO is for Windows OS workstations running FIleMaker Pro clients and Windows OS FileMaker Server only.  It does require both the server and the workstation to be members of the Domain.

 

Steven