Creating accounts that authenticate via an external server
If you’re hosting FileMaker Pro files with FileMaker Server and your organization uses centrally managed authentication for users and groups, such as Apple Open Directory or a Windows domain, you can set up accounts that authenticate users based on your authentication server. This allows you to use your existing authentication server to control access to databases without having to manage an independent list of accounts in each FileMaker Pro database file.
Note: Although you can set up accounts for external authentication servers in FileMaker Pro, only database files hosted by FileMaker Server can authenticate users against an authentication server. Database files shared by FileMaker Pro won’t authenticate against an authentication server.
Important: When a database file contains one or more External Server accounts, make sure you use operating system security settings to limit direct access to the file. Otherwise, it might be possible for an unauthorized user to move the file to another system that replicates your authentication server environment and gain access to the file. For more information, see the FileMaker Server documentation.
To create an account that authenticates via an external server:
1. Choose File menu > Manage > Security.
If the Manage Security dialog box displays the detailed security settings, click Use Basic Setup.
2. Click New Account.
3. For Authenticate via, choose External Server.
4. For Group Name, enter the name of a group that is defined on an external authentication server.
5. For Privilege Set, choose, create, or edit a privilege set.
The privilege set assigned to the account determines what the externally authenticated group members can do in the file.
6. To make the account active, select its checkbox.
To make an account inactive (for example, until you set up its privilege set), clear the checkbox.
7. If you’re finished, click OK.
Authenticating users with multiple accounts
It’s possible for a file with External Server accounts to contain multiple accounts that could authenticate a user. For example, a file could contain:
• Both a FileMaker-authenticated account and an account on the authentication server with the same name.
• Two or more External Server accounts that contain the same member.
When a user opens a file, FileMaker Pro opens the file using the first matching account in the authentication order. Any matching accounts that follow the first one are ignored. Therefore, it’s important to set the authentication order for accounts when one or both of the above situations exist. Otherwise, the wrong account may be used to access the file. For information on changing the authentication order, see Creating and editing accounts.
The authentication order is only an issue under specific circumstances: you must be hosting files with FileMaker Server, using an external authentication server, and have accounts set up so that there are multiple accounts that could authenticate particular users. If you are only using FileMaker-authenticated accounts, authentication order is not a concern because each account must have a unique name.
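The first-match rule above can be checked against an account list before a file is deployed. The following Python model is an added example, not FileMaker code: it assumes an account matches a user by name (FileMaker accounts) or by group membership (External Server accounts), skips inactive accounts, does not model password checks, and uses constructed account and group data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    name: str           # account name, or group name for an External Server account
    auth: str           # "filemaker" or "external"
    privilege_set: str
    active: bool = True

def matching_accounts(user, accounts, groups):
    """Active accounts, in authentication order, that could authenticate `user`."""
    matches = []
    for acct in accounts:
        if not acct.active:
            continue  # assumption: inactive accounts never authenticate anyone
        if acct.auth == "filemaker" and acct.name == user:
            matches.append(acct)
        elif acct.auth == "external" and user in groups.get(acct.name, set()):
            matches.append(acct)
    return matches

def audit(accounts, groups):
    """Map each user with several matching accounts to (account used, ignored accounts)."""
    users = set().union(*groups.values())
    users |= {a.name for a in accounts if a.auth == "filemaker"}
    findings = {}
    for user in sorted(users):
        matches = matching_accounts(user, accounts, groups)
        if len(matches) > 1:
            findings[user] = (matches[0], matches[1:])
    return findings

# Constructed sample data: accounts listed in authentication order.
ACCOUNTS = [
    Account("FM-ReadOnly", "external", "Read-Only Access"),
    Account("FM-Admins", "external", "Full Access"),
    Account("jsmith", "filemaker", "Data Entry Only"),
]
# Constructed group membership as the authentication server would report it.
GROUPS = {"FM-ReadOnly": {"jsmith", "mlee"}, "FM-Admins": {"jsmith"}}

if __name__ == "__main__":
    for user, (used, ignored) in audit(ACCOUNTS, GROUPS).items():
        print(f"{user}: opens with '{used.name}' ({used.privilege_set})")
        for acct in ignored:
            differs = acct.privilege_set != used.privilege_set
            note = "different privilege set" if differs else "same privilege set"
            print(f"  ignored: '{acct.name}' ({acct.privilege_set}) [{note}]")
```

With this sample order, jsmith opens the file through the FM-ReadOnly group account, and both the FM-Admins account and the FileMaker account of the same name are ignored; moving FM-Admins to the top of the order changes the result.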
Notes
• You’ll need to set additional options in FileMaker Server to authenticate users against an external server. See FileMaker Server Help.