Set up external authentication
If you host files using FileMaker Server, you can create external server account access entries in the files that authenticate users via Active Directory or Open Directory. You can then use your existing authentication server to control access to databases, instead of managing an independent list of accounts in each database file.
Alternatively, you can use local security groups and accounts on the server machine hosting FileMaker Server. Refer to Help for your operating system.
Use external authentication if:
- your organization already uses Active Directory or Open Directory.
- your FileMaker Pro file will be accessed by other files in a multifile custom app.
- your organization enforces minimum password standards. FileMaker clients can enforce elementary standards for FileMaker file accounts, such as password length and frequency of changing the password. External authentication offers more robust password control, such as enforcing password complexity requirements.
If you host files using FileMaker Server installed in Windows Server and use Active Directory for external authentication, your Windows users can use Single Sign-On with FileMaker Pro.
There is a risk with external authentication that someone will gain access to your file by simulating the external authentication environment or mismanaging the groups. It is your responsibility to prevent this by maintaining the security of your external authentication server. Enable database encryption for your custom app files to reduce this risk. Database encryption requires users to provide the encryption password before they can host the file on FileMaker Server. See Encrypt data.
Set up external server account access within the file using FileMaker Pro, then host the file using FileMaker Server and configure the server for external authentication. See "Editing external server account access" in FileMaker Pro Help, and see Enable external authentication.
Important information when using external authentication
- You must use the external authentication server to reset passwords.
- Set account access entries in the order you want FileMaker clients to authenticate them. When a FileMaker file account and an external server account authenticate with the same account name and password, or when multiple groups contain the same external server account, FileMaker clients open the file using the first active, matching account access entry in the priority (authentication) order. Any subsequent matching account access entries are ignored. See "Changing the priority of account access" in FileMaker Pro Help.
- External server account access shouldn't be the only type of account access with the Full Access privilege set. Maintain a FileMaker file account for administration purposes in case the file needs to be removed from FileMaker Server. If there are no FileMaker file accounts, FileMaker clients can open the file only if the file is hosted and the external authentication server is available.
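The priority-order rule and the Full Access note above can be checked against an exported account list before a file is hosted. The following is an added example, not FileMaker code or a FileMaker API: the `Entry` model, the `resolve` and `audit` functions, and the group and account names are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass

# Hypothetical model of a file's account access list; not a FileMaker API.
@dataclass
class Entry:
    kind: str            # "file" = FileMaker file account, "external" = directory group
    name: str            # account name (file) or group name (external)
    privilege_set: str
    active: bool = True


def resolve(entries, account, groups, file_ok=False):
    """First active, matching entry in priority order, else None.
    groups: groups the external server reports for the authenticated user.
    file_ok: the credentials also match a file account named `account`.
    """
    for e in entries:
        if not e.active:
            continue
        if e.kind == "file" and file_ok and e.name == account:
            return e
        if e.kind == "external" and e.name in groups:
            return e
    return None  # later matches are never consulted once one is found


def audit(entries, directory):
    """Flag ignored entries and Full Access that depends on the directory alone."""
    findings = []
    for account, groups in sorted(directory.items()):
        hits = [e for e in entries if e.active and e.kind == "external" and e.name in groups]
        if len(hits) > 1:
            ignored = ", ".join(e.name for e in hits[1:])
            findings.append(f"{account}: opens with '{hits[0].privilege_set}' "
                            f"via {hits[0].name}; ignored: {ignored}")
    full = [e for e in entries if e.active and e.privilege_set == "Full Access"]
    if full and all(e.kind == "external" for e in full):
        findings.append("Full Access is granted only through external entries")
    return findings


# Constructed sample data: group and account names are made up.
ENTRIES = [
    Entry("external", "FM_Staff", "Data Entry Only"),
    Entry("external", "FM_Admins", "Full Access"),
    Entry("file", "localadmin", "Full Access", active=False),
]
DIRECTORY = {"dana": {"FM_Staff", "FM_Admins"}, "lee": {"FM_Staff"}}
print("\n".join(audit(ENTRIES, DIRECTORY)))
```

In the sample, the user in both groups opens the file with the lower privilege set because that group is listed first, and the only active Full Access entry is external because the local administration account is inactive.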