External authentication for Admin Console and administrator groups
Note  The following information is for server administrators.
If you are using external groups for authentication of the Admin Console account or administrator groups, follow these important guidelines to prevent incorrect user authentication and conflicts between the Admin Console account and administrator groups:
To prevent unauthorized users from mistakenly logging in to Admin Console as the server administrator, make sure the Admin Console user name and password do not match any user name and password in any of the external authentication groups associated with Admin Console or any administrator group. Use a unique user name and a strong password that is at least 8 characters and a combination of letters and numbers. Note that the Admin Console user name and administrator group names are not case sensitive, but passwords are. See Admin Console settings.
When a user logs in to Admin Console, FileMaker Server uses the following priority rules to determine the user’s role as either the FileMaker Server administrator or as a group administrator:
1. If the user logs in using a name and password that matches the user name and password defined on the General Settings > Admin Console tab, the user is logged in as the FileMaker Server administrator.
2. If the user logs in using a name and password that matches a user name and password in an external authentication group defined on the General Settings > Admin Console tab, the user is logged in as the FileMaker Server administrator.
3. If the user logs in using a name and password that matches a group name and password defined on the General Settings > Administrator Groups tab, the user is logged in as that group’s administrator.
4. If the user logs in using a name and password that matches a group name and password in an external authentication group associated with an administrator group, the user is logged in as that group’s administrator.
5. When a user logs into an account that is set up to access multiple groups, a dialog box displays so that the user can select which group to log into.
For example, suppose you associate an external authentication group “fmsadmin” with Admin Console. Suppose also that you associate an external authentication group “fmsfinance” with the FileMaker Server administrator group “Finance”. Lastly, suppose a user named Joe is a member of both the “fmsadmin” and “fmsfinance” external authentication groups. When Joe logs in to Admin Console, he is logged in as the FileMaker Server administrator according to priority rule 2. In other words, his membership in the external authentication group associated with Admin Console has priority over his membership in the external authentication group associated with an administrator group.
Tip  Use the priority rules to troubleshoot incorrect configurations such as a group administrator who is mistakenly allowed to log in to Admin Console as the server administrator. To quickly prevent an unauthorized user from logging in to Admin Console, change the Admin Console user name and password to be unique by clicking Change User Name/Password. You can also change the association with the external group in the Admin Console account, or remove the user from the external group.
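The priority rules above can be modeled offline to audit a planned configuration before applying it. The following is an added example, not FileMaker Server code or a FileMaker API: the configuration layout, the function names, and the sample accounts are assumptions, and the model assumes the password check has already succeeded and that names are compared without regard to case (the default behavior described on this page).

```python
# Added example: a simplified model of the priority rules, not FileMaker Server code.
SERVER_ADMIN = "FileMaker Server administrator"

def resolve_role(name, cfg):
    """Return (rule, roles) for a login whose password already matched, or None.

    More than one role under rule 4 corresponds to rule 5 (user picks a group).
    """
    n = name.lower()  # default behaviour: names are not case sensitive
    members = {g: {u.lower() for u in users}
               for g, users in cfg["external_groups"].items()}
    if n == cfg["console_user"].lower():                      # rule 1
        return 1, [SERVER_ADMIN]
    if n in members.get(cfg["console_external_group"], ()):   # rule 2
        return 2, [SERVER_ADMIN]
    local = [g for g in cfg["admin_groups"] if g.lower() == n]
    if local:                                                 # rule 3
        return 3, local
    external = [g for g, ext in cfg["admin_groups"].items()
                if n in members.get(ext, ())]
    if external:                                              # rule 4 (and 5)
        return 4, external
    return None

def find_unintended_server_admins(cfg):
    """Directory users who resolve to server administrator while also
    belonging to an external group tied to an administrator group."""
    findings = []
    for ext_group, users in cfg["external_groups"].items():
        tied = [g for g, ext in cfg["admin_groups"].items() if ext == ext_group]
        for user in users:
            result = resolve_role(user, cfg)
            if tied and result and result[1] == [SERVER_ADMIN]:
                findings.append((user, result[0], tied))
    return sorted(findings)

# Constructed sample configuration mirroring the Joe example on this page.
CONFIG = {
    "console_user": "srvadmin",            # hypothetical Admin Console user name
    "console_external_group": "fmsadmin",
    "admin_groups": {"Finance": "fmsfinance", "Sales": None},
    "external_groups": {"fmsadmin": ["joe"], "fmsfinance": ["Joe", "ann"]},
}

if __name__ == "__main__":
    print(resolve_role("Joe", CONFIG))
    print(find_unintended_server_admins(CONFIG))
```

Each finding names the user, the rule that granted the server administrator role, and the administrator groups the user was presumably meant to manage. A directory user whose name matches the Admin Console user name is reported under rule 1.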
To prevent users from mistakenly logging in to the wrong administrator group, make sure the group names and passwords defined on the General Settings > Administrator Groups tab do not match any user name and password in any of the external authentication groups associated with any other administrator group. Use a unique group name and a strong password.
You cannot use the same external authentication group for the Admin Console account and an administrator group.
OS X: If you enable external group authentication using Open Directory, and the Open Directory authentication account or group matches the Admin Console user name or administrator group name, then the Admin Console user name or administrator group name is case sensitive.
For more information on setting up external authentication, go to help.filemaker.com and search for articles containing the keywords external and authentication.