External authentication for Admin Console and administrator groups
Note  The following information is for server administrators.
You can allow multiple users in the same external authentication group to log in to the same administrator group. External authentication lets you take advantage of existing groups in a managed authentication server such as Open Directory or Active Directory. For example, you specify an external Open Directory authentication group called fmsSales for an administrator group called Sales. If the users named Susan and Tom are members of the fmsSales Open Directory group, they can both use their Open Directory user name and password to log in to Admin Console and perform the tasks authorized in the Sales administration group.
If you are using external groups for authentication of the Admin Console account or administrator groups, follow these important guidelines to prevent incorrect user authentication and conflicts between the Admin Console account and administrator groups:
Make sure you click Test External Group to verify the external group name information is correct. Also make sure the group administrator’s account information exists in the external group. If the external group name is incorrect or the group administrator’s user name or password does not exist in the external group, FileMaker Server displays a message to group administrators when they log in, stating that the user name and password are incorrect.
To prevent unauthorized users from mistakenly logging in to Admin Console as the server administrator, make sure the Admin Console user name and password do not match any user name and password in any of the external authentication groups associated with Admin Console or any administrator group. Use a unique user name and a strong password that is at least 8 characters and a combination of letters and numbers. Note that the Admin Console user name and administrator group names are not case sensitive, but passwords are. See Admin Console settings.
When a user logs in to Admin Console, FileMaker Server uses the following priority rules to determine the user’s role as either the FileMaker Server administrator or a group administrator:
1. If the user logs in using a name and password that matches the user name and password defined on the General Settings > Admin Console tab, the user is logged in as the FileMaker Server administrator.
2. If the user logs in using a name and password that matches a user name and password in an external authentication group defined on the General Settings > Admin Console tab, the user is logged in as the FileMaker Server administrator.
3. If the user logs in using a name and password that matches a group name and password defined on the General Settings > Administrator Groups tab, the user is logged in as that group’s administrator.
4. If the user logs in using a name and password that matches a group name and password in an external authentication group associated with an administrator group, the user is logged in as that group’s administrator.
5. When a user logs in to an account that is set up to access multiple groups, a dialog box displays so that the user can select which group to log into.
For example, suppose you associate an external authentication group “fmsadmin” with Admin Console. Suppose also that you associate an external authentication group “fmsfinance” with the FileMaker Server administrator group “Finance”. Lastly, suppose a user named Joe is a member of both the “fmsadmin” and “fmsfinance” external authentication groups. When Joe logs in to Admin Console, he is logged in as the FileMaker Server administrator according to priority rule 2. In other words, his membership in the external authentication group associated with Admin Console has priority over his membership in the external authentication group associated with an administrator group.
Tip  To quickly prevent an unauthorized user from logging in to Admin Console, change the Admin Console user name and password to be unique by clicking Change User Name/Password. You can also change the association with the external group in the Admin Console account, or remove the user from the external group.
You cannot use the same external authentication group for the Admin Console account and an administrator group.
macOS: If you enable external group authentication using Open Directory, and the Open Directory authentication account or group matches the Admin Console user name or administrator group name, then the Admin Console user name or administrator group name is case sensitive.
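The priority rules and guidelines above can be checked against a planned configuration before it goes live. The following Python sketch is an added example, not FileMaker code: `ServerConfig`, `resolve_role`, and `audit` are hypothetical names, and the directory contents are constructed sample data. It assumes the password is accepted wherever the name matches, that names compare case-insensitively, and that rule 5 applies to a user who belongs to the external groups of more than one administrator group.

```python
from dataclasses import dataclass

@dataclass
class ServerConfig:              # hypothetical model, not a FileMaker API
    console_user: str            # user name on General Settings > Admin Console
    console_ext_group: str       # external group associated with Admin Console
    admin_groups: dict           # administrator group name -> external group name

def members(directory, group):
    # Assumption: directory user names are compared case-insensitively.
    return {u.casefold() for u in directory.get(group, ())}

def resolve_role(name, cfg, directory):
    """Return (role, rule) for a login name, assuming the password was accepted."""
    n = name.casefold()
    if n == cfg.console_user.casefold():
        return ("server administrator", 1)
    if n in members(directory, cfg.console_ext_group):
        return ("server administrator", 2)
    for group in cfg.admin_groups:
        if n == group.casefold():
            return (f"group administrator: {group}", 3)
    hits = sorted(g for g, ext in cfg.admin_groups.items()
                  if n in members(directory, ext))
    if len(hits) == 1:
        return (f"group administrator: {hits[0]}", 4)
    if hits:
        return ("choose one of: " + ", ".join(hits), 5)
    return (None, None)

def audit(cfg, directory):
    """Flag configurations that the guidelines on this page warn against."""
    findings = []
    console_members = members(directory, cfg.console_ext_group)
    for ext in sorted({cfg.console_ext_group, *cfg.admin_groups.values()}):
        if cfg.console_user.casefold() in members(directory, ext):
            findings.append(f"name collision: '{cfg.console_user}' is also in {ext}")
    for group, ext in sorted(cfg.admin_groups.items()):
        if ext == cfg.console_ext_group:
            findings.append(f"shared external group: {ext} used by Admin Console and {group}")
            continue
        for user in sorted(console_members & members(directory, ext)):
            findings.append(f"shadowed: {user} is in {cfg.console_ext_group} and {ext}; "
                            f"logs in as server administrator, not {group}")
    return findings

# Constructed sample data; group names follow the examples on this page.
DIRECTORY = {"fmsadmin": {"joe", "admin"}, "fmsfinance": {"joe", "ann"},
             "fmsSales": {"susan", "tom", "ann"}}
CFG = ServerConfig("Admin", "fmsadmin", {"Finance": "fmsfinance", "Sales": "fmsSales"})
```

Each "shadowed" finding names a user who, like Joe, receives full server administrator rights through rule 2 even though an administrator group role was also intended for that account.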
For information on setting up external authentication, go to the FileMaker Knowledge Base and search for articles containing the keywords external and authentication.