
Using Local OS Accounts for FileMaker External Authentication

February 24, 2009

FileMaker External Authentication (EA) is a very powerful feature that is sometimes avoided needlessly. In this post I’ll explain how to implement it with no domain, on a non-server OS.

Common false assumptions about EA:

  • Requires a domain. FALSE
  • Requires a server OS. FALSE
  • Is complicated. FALSE

EA is exceedingly simple to enable. It’s literally one radio button on the FileMaker Server Admin Console. This is all the configuration needed to start taking advantage of EA:

[Screenshot: Enabling External Authentication]

To take advantage of External Authentication, you will need to set up three things:

  1. External Server account(s) in your FileMaker file(s)
  2. Group(s) on your server with matching name(s) to those of your External Server accounts
  3. Users to put in those Group(s)

Important Security Tip: Do not associate External Server groups with the [Full Access] privilege set, as this would make it too easy for an unauthorized person to log in with [Full Access] if they could manage to get a copy of your file and guess your [Full Access] External Server group name.

For the purpose of this how-to, we’ll assume that there is an External Server account called filemaker_test. This is set up in exactly the same way as a standard FileMaker account, but there is no password to configure:

[Screenshot: Edit External Account, FileMaker External Server account]

Last, you need to create a group with the same name on the FileMaker host (domain groups work too, but here we’re focusing on the local host), and populate it with user accounts. This is very similar on Windows and on Macintosh. Here are the steps required for both Vista and Leopard:

Vista

On Vista, you can right-click on “Computer” and choose Manage.

[Screenshot: Opening Manage Computer]

This opens the Computer Management console. Disclose “Local Users and Groups” in the hierarchy. You can highlight either Users or Groups and choose More Actions on the right or use the context menu to add new ones.

[Screenshot: Vista Computer Management: Users]

[Screenshot: Vista Computer Management: Groups]

[Screenshot: Adding a User or a Group]

[Screenshot: Creating a Group in Vista]

This is all that is required on Vista.

Leopard

The process is very similar on Leopard, but unless you are running the Server version of Leopard, you will need to download the Server Admin Tools from Apple.

These tips are for 10.5, but should work essentially the same for 10.4 as well. After downloading and installing the tools, look for Applications/Server/ where you will find an app called Workgroup Manager. Launch this. It will prompt you to connect to a server, but you should simply cancel this dialog.

[Screenshot: Cancel Workgroup Manager Connect]

Instead you’ll want to choose Server -> View Directories or press cmd-D.

[Screenshot: View Directories]

You will get a prompt warning you that you are working in a directory node that is not visible to the network (i.e. you’re on the local machine), and this is exactly what we want. You can choose “Do not show again” if you like. From here, things are pretty much where we started in Vista.

[Screenshot: Dismiss the warning]

[Screenshot: Mac Leopard: Users]

[Screenshot: Mac Leopard: Groups]

To create a new Group, click the padlock in the upper right and authenticate with your admin account. Then click New Group on the toolbar. Fill in the group name (filemaker_test in our case) and click Save.

[Screenshot: Create a new Group]

Switch to the Members tab, and click the plus symbol to open a search interface.

[Screenshot: User search]

Select the user you need to add to your group and click Save.

[Screenshot: Group with a User]

Creating new Users on the local machine is very similar to creating new Groups. Once you create a new User and add it to the group that matches your External Server account, any FileMaker file hosted on that machine and configured with a matching External Server account will allow that user in, according to the privilege set you defined for the External Server account in that file. This is a terrific advantage for administering multi-file solutions where no domain is practical. This is common on conversion jobs (from fp5 format) where multiple files were required, but it’s also fairly common in new solutions to take advantage of multi-file architecture.
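Because group membership on the host is what grants database access, it is worth auditing the three pieces together. The following is an added example, not code from the original post: it compares the External Server account names defined in a file against the local groups found on the host and flags the [Full Access] mapping the security tip warns about. Every name except filemaker_test, the privilege set names, and the exact-match rule for group names are assumptions made for illustration.

```python
# Added example: audit External Server account names against local OS groups.
# All sample data is constructed; only filemaker_test comes from the post.
FULL_ACCESS = "[Full Access]"

def audit(accounts, local_groups):
    """accounts: {external_account_name: privilege_set} as defined in the file.
    local_groups: {group_name: [members]} as found on the FileMaker host.
    Returns (findings, access); access maps user -> sorted privilege sets."""
    findings, access = [], {}
    folded = {g.strip().lower(): g for g in local_groups}
    for name, privset in sorted(accounts.items()):
        if privset == FULL_ACCESS:
            # The post's security tip: never map an external group to [Full Access].
            findings.append(("FULL_ACCESS", name))
        if name not in local_groups:
            # Assumption: names must match exactly; a group that differs only
            # by case or whitespace is reported for manual review.
            near = folded.get(name.strip().lower())
            findings.append(("NEAR_MISS", name, near) if near else ("NO_GROUP", name))
            continue
        members = local_groups[name]
        if not members:
            findings.append(("EMPTY_GROUP", name))  # step 3 of the setup is missing
        for user in members:
            access.setdefault(user, set()).add(privset)
    return findings, {u: sorted(p) for u, p in access.items()}

# Constructed sample: what the file defines vs. what exists on the host.
SAMPLE_ACCOUNTS = {
    "filemaker_test": "Staff Entry",   # hypothetical privilege set name
    "fm_admins": FULL_ACCESS,          # hypothetical account, violates the tip
    "fm_reports": "Reports Only",      # hypothetical, no group on the host
    "FM_Managers": "Staff Entry",      # hypothetical, case differs from host group
}
SAMPLE_GROUPS = {
    "filemaker_test": ["alice", "bob"],
    "fm_admins": ["alice"],
    "fm_managers": ["carol"],
    "staff": ["dave"],                 # unrelated group, never consulted
}

if __name__ == "__main__":
    findings, access = audit(SAMPLE_ACCOUNTS, SAMPLE_GROUPS)
    for finding in findings:
        print(*finding)
    for user, privsets in sorted(access.items()):
        print(user, "->", ", ".join(privsets))
```

In practice the two inputs would come from the account list in Manage Accounts & Privileges and from the local group listings shown in the screenshots above.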

Jeremiah Small


Jeremiah, Soliant Consulting's Director of Engineering, has been with Soliant since 2006. In his spare time, he is a volunteer member of Altadena Mountain Rescue Team. Jeremiah got undergrad and masters degrees from NYU, TSOA, specializing in set design for theater and film. The film/theater and ride/show fabrication industries led him to a career in software consulting where his creative training and general problem-solving talents have served him well.

One Comment

  • fmuser says:

    Hi jsmall

    I have created scripts and a table to let users with “manager” privilege create, delete, and activate users and also be able to reset their passwords. I want to add another option of having the manager create users that authenticate on an external server.
    It will possibly be a check box for external server authentication, but in the dialog box for the New Account script step, the options are very limited. Is there a way to have the manager create such accounts that authenticate on an external server via a script?
