Access Keys:
Skip to content (Access Key - 0)

Configuring FileMaker Databases For Kerberos Authentication

It is possible to implement Kerberos-based external authentication for hosted FileMaker databases at MIT. Doing this requires modifying settings at both the server and database level, as well as creating Moira lists that function as access control lists.

This article covers the various tasks and configurations necessary in order to implement Kerberos authentication with FileMaker at MIT. For more information on FileMaker authentication in general, see FileMaker Authentication.

On this page:

Important Security Considerations

While it has many advantages, use of external authentication with FileMaker carries its own set of considerations, particularly with regards to security. Before getting started, it is extremely important to be mindful of the following:

  1. In order to commit changes made in the Manage Security dialog in FileMaker databases (when editing accounts and privilege sets), you must enter the credentials of an internally authenticated full access account. As such, even when employing external authentication, you must still maintain at least one internal full access FileMaker account. Please refer to FileMaker Authentication for recommendations on setting up password-secured, full access FileMaker accounts.
  2. It is generally not recommended to use external authentication for full access accounts in FileMaker, as this practice carries potential security risks. If an illegitimate user gains physical access to a FileMaker file with an external full access account, they may easily spoof the external group and gain entry to the file. If you choose to employ an external full access account, securing the server and any backup locations is of paramount importance. In addition, as noted above, remember that external full access accounts cannot be used to commit changes made in the Manage Security dialog; this must be done with an internal full access FileMaker account.
  3. The use of Moira lists for FileMaker access control requires responsible Moira list management. Moira list setup is described in detail later on in this article, but understand these key points before starting your implementation:
    • A unique, dedicated Moira list should be created for each privilege set within each FileMaker database application. For example, if you manage two FileMaker databases, and each one has three active privilege sets, you will need to create six Moira lists.
    • Do not reuse Moira lists across multiple FileMaker applications. It's very rare that the users and privilege sets would be identical between databases.
    • Do not use Moira lists created for FileMaker access control for any other purpose, such as an office email list.

Server Configuration

MIT WIN domain

When hosted with FileMaker Server, FileMaker databases may be set up to use external authentication, allowing authentication via local server groups and/or LDAP. At MIT, when a FileMaker server is added to the win.mit.edu domain, it has access to MIT's LDAP directory service, thereby allowing for Kerberos-based external authentication. All IS&T-managed FileMaker servers are part of the MIT WIN domain, so if your DLC engages with IS&T for your FileMaker hosting needs (which we strongly recommend), this capability comes automatically. If your DLC manages its own Windows-based FileMaker server, you can add your server to the WIN domain to leverage this capability. IS&T is currently unable offer any support or guidance on Macintosh-based FileMaker servers.

FileMaker Server configuration

If you intend to use external authentication as a means for access to any of the databases hosted on your server, you must enable the external authentication option within the FileMaker Server application. In the FileMaker Server Admin Console 17, navigate to the Administration Tab.  Under External Authentication, enable external accounts for Admin Console and FileMaker and External Server Accounts for Database Sign In.

Database Configuration

There are several steps involved in setting up external authentication for a specific FileMaker database application (which may itself be comprised of one or more FileMaker files).

Database roles and privilege sets

The first step is to identify the various database user roles, or privilege sets, that may be assigned to users who will be accessing the database via external authentication. Privilege sets are defined in FileMaker by going to File > Manage > Security > Privilege Sets tab. Please refer to FileMaker documentation) for more information on the creation of privilege sets.

Moira list setup

For each privilege set identified above, you will need to create a Moira list that will function as an access control list defining all of the users with that particular privilege set. The following steps will guide you through this process; repeat all steps in full to create a Moira list for each privilege set.

  1. Go to WebMoira.
  2. Click Create a New List.
    Moira link create new list
  3. You will land on the Mailing List setup screen. Note that while this Moira list may be used as a mailing list, we do not intend to actually use it for that purpose. For Type of List, choose Moira, and click Next.
    Moira List setup screen
  4. You will then land on the Moira List configuration screen.
    Moira List configuration screen#* For list name, the recommended naming convention is dlcname-fmp-dbname-privsetname; for example, ist-fmp-mydb-readonly.
    • For list owner, enter the MIT Kerberos account username or existing Moira list name for the person(s) who will manage the list membership. If the owner is itself a list, check the box indicating so.
      Note: In general, we recommend creating a separate Moira list specifically for managing membership of these database access lists, with naming convention dlcname-fmp-dbname-admin (or something similar). Admin lists such as these should be configured to be self-owned, but otherwise would have the same settings as described here.
    • Check off the box for Is this list an AFS group. This is the setting that turns the list into an access control list.
    • The remaining settings can be left as-is. However, if you would like to hide the list name and membership from public view on WebMoira, check off Is this list hidden?
    • Then click Next.
  5. In the Confirm Selections screen, ensure the information you entered is correct, and then click Next.
    Moira List confirm selection screen
  6. In the final confirmation screen, click on the WebMoira link to return to the WebMoira list manager page.
    Moira List successfully created
  7. Back on the WebMoira list manager page, type your new list name into the Find a list box, and click Go.
    Find a WebMoira list
  8. Finally, populate the list membership with the individual database users with the selected privilege set.
    Add members to Moira list
  9. Note: When a user should no longer be able to access your database (such as when they leave MIT), be sure to remember to remove them from the appropriate Moira list.

Database security settings

Now that we've set up our Moira list(s) for each active privilege set in our FileMaker database, the final step is to create corresponding external account(s) in the database. The following steps will guide you through this process; repeat all steps in full to create an external account for each privilege set/Moira list.

Note: If your FileMaker database application is comprised of multiple files, you will also need to repeat this entire process for each FileMaker file.

  1. Open the FileMaker database file with a full access account, and choose File > Manage > Security > Accounts tab.
  2. Click New to create a new account.
  3. You will then land on the Edit Account screen.
    Edit account screen#* For Account is authenticated via, select External Server. The Account Name field label will then change to Group Name.
    • For Group name, enter the name of the Moira list, followed by the suffix "_group". For example, ist-fmp-mydb-readonly_group.
    • Select the corresponding privilege set.
    • Then click OK to finish creating the external account.

When finished creating an external account for each privilege set/Moira list, click OK at the bottom right of the Manage Security dialog, and enter the credentials for an internal full access account to commit the security changes.

Example use case

Let's say that I work in IS&T and I have two FileMaker databases: one called MyDB and another called MyOtherDB. Both databases require an internally authenticated full access account for use by the developer and/or database administrator. For all other users, MyDB employs two active privilege sets called Data Entry and Read Only, and MyOtherDB also employs two privilege sets called Data Entry and Limited Data Entry. The Kerberos authentication setup for these databases would be as follows:

  1. MyDB
    • Privilege set: Data Entry. Moira list: ist-fmp-mydb-dataentry. FileMaker external account: ist-fmp-mydb-dataentry_group.
    • Privilege set: Read Only. Moira list: ist-fmp-mydb-readonly. FileMaker external account: ist-fmp-mydb-readonly_group.
  2. MyOtherDB
    • Privilege set: Data Entry. Moira list: ist-fmp-myotherdb-dataentry. FileMaker external account: ist-fmp-myotherdb-dataentry_group.
    • Privilege set: Limited Data Entry. Moira list: ist-fmp-myotherdb-limited. FileMaker external account: ist-fmp-myotherdb-limited_group.

Note that we have created a unique Moira list for each privilege set within each database. In this case, two databases with two privilege sets each means four total Moira lists. Even though both databases have a privilege set called Data Entry, we still need to create separate "Data Entry" Moira lists. This is because it's unlikely that the exact same users should be able to access both applications. Even if that were the case, it's still best to create separate lists to allow for more explicit access control should the users or needs ever change in the future.

Finally, a note on Moira list ownership/management: If I were the sole FileMaker database administrator in IS&T, it might be perfectly acceptable for me to be the owner of each of the four Moira lists. However, if multiple individuals in my group need to be able to manage these access lists, then I would create an additional self-owned Moira list called ist-fmp-acladmin (i.e. access control list admin) to define the individuals who can manage the four access lists. I would then change the owner of the four Moira lists above to be ist-fmp-acladmin.

User Login

Using Kerberos to login to FileMaker

Any users who are a member of a Moira list with an associated external account in FileMaker as described above will now be able to authenticate to the FileMaker database with their Kerberos username and password. They will also have the privilege set associated with the particular Moira list.

Note: If a user is a member of multiple Moira lists with corresponding external accounts in FileMaker, they will authenticate to FileMaker with whichever external account is listed first (from top to bottom) in the File > Manage > Security > Accounts tab.

Windows and Single Sign-On

It's common for Windows users at MIT to have their local machine be on the MIT WIN domain. When such a user logs in to their machine, they enter their Kerberos credentials to authenticate to win.mit.edu. In this setup, when a user first opens a hosted FileMaker database with external authentication enabled, the database will automatically attempt to log them in based on membership of any external groups available via the server. Hence, if the user is a member of any Moira lists (or local server groups on the FileMaker server machine) which match an external account defined in the database, they will be automatically logged in with that account. This approximates the single sign-on experience. To bypass this behavior and always get prompted for FileMaker credentials, the user must hold down the Shift key while opening the database.

There is no equivalent single sign-on behavior for Mac users.

Additional Resources

More information on External Authentication can be found in FileMaker's in-depth guide.

For any questions related to FileMaker at MIT, please contact filemaker-support@mit.edu.

IS&T Contributions

Documentation and information provided by IS&T staff members

Last Modified:

January 29, 2019

Get Help

Request help
from the Help Desk
Report a security incident
to the Security Team
Labels:
c-filemaker c-filemaker Delete
c-filemaker-security c-filemaker-security Delete
c-filemaker-integration c-filemaker-integration Delete
Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.
Feedback
This product/service is:
Easy to use
Average
Difficult to use
This article is:
Helpful
Inaccurate
Obsolete
Adaptavist Theme Builder (4.2.3) Powered by Atlassian Confluence 3.5.13, the Enterprise Wiki