Configuring FileMaker Server For Kerberos Authentication
It is possible to implement Kerberos-based external authentication for access to the FileMaker Server admin console for FileMaker servers at MIT. Doing this requires modifying configurations at both the FileMaker Server application and server OS levels.
This article covers the various tasks and configurations necessary to implement Kerberos authentication to FileMaker Server at MIT. For more information on FileMaker authentication in general, see FileMaker Authentication.
Server Configuration
MIT WIN domain
At MIT, when a FileMaker server is added to the win.mit.edu domain, it has access to MIT's LDAP directory service, thereby allowing for Kerberos-based external authentication for compatible applications. All IS&T-managed FileMaker servers are part of the MIT WIN domain, so if your DLC engages with IS&T for your FileMaker hosting needs (which we strongly recommend), this capability comes automatically. If your DLC manages its own Windows-based FileMaker server, you can add your server to the WIN domain to leverage this capability. IS&T is currently unable to offer any support or guidance on Macintosh-based FileMaker servers.
Configure local server group
The first step to enable Kerberos authentication to the FileMaker Server admin console is to add the designated users, either individually or via a Moira list, to a local server group on your server. Windows servers come with a pre-defined Administrators group, so it's straightforward to use this existing group. In the example below, note that "From this location" defaults to WIN.MIT.EDU. With this setting, you can simply enter the Kerberos username or Moira list name of the desired individual(s) or group(s), and then click Check Names to verify the entry via MIT LDAP. If you enter a Moira list name, the Check Names action will append the suffix "_group" to the list name; this suffix is necessary.
If you wish to create a Moira list for defining the user(s) who may access the FileMaker Server admin console, instructions can be found here under Moira List Setup.
Configure FileMaker Server
Now that we have identified and updated our local server group to include the designated individual(s) who can access the FMS admin console, we need to tell FileMaker Server which group to use. To do this, in the admin console, navigate to the General Settings pane > Admin Console tab. Under External Group, tick the "Use external group" checkbox, and enter the group name in the Specify External Group field. Use the Test External Group button to verify the group name was entered correctly.
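The local group step above can also be done and then reviewed from PowerShell. The script below is an added example, not MIT's or FileMaker's own code; it assumes an elevated PowerShell session on the server, that WIN is the NetBIOS name of the win.mit.edu domain, and a hypothetical Moira list named fms-admins.

```powershell
# Added example. Assumptions: 'WIN' is the NetBIOS name of win.mit.edu,
# and 'fms-admins' is a hypothetical Moira list name.
param(
    # Local group that is entered under External Group in the FMS admin console
    [string]$LocalGroup = 'Administrators',
    # Moira list name plus the required "_group" suffix
    [string]$Member     = 'WIN\fms-admins_group'
)

# Add the domain principal only if it is not already a member (safe to re-run).
$current = Get-LocalGroupMember -Group $LocalGroup
if ($current.Name -notcontains $Member) {
    Add-LocalGroupMember -Group $LocalGroup -Member $Member
}

# Every member listed here can sign in to the FMS admin console. With the
# built-in Administrators group they are also local administrators of the server.
Get-LocalGroupMember -Group $LocalGroup |
    Select-Object Name, ObjectClass, PrincipalSource,
        @{ Name = 'Review'; Expression = {
            if ($_.PrincipalSource -eq 'Local') { 'local account: not an MIT Kerberos identity' }
            elseif ($_.ObjectClass -eq 'Group') { 'group: check list membership in Moira' }
            else { 'individual domain user' }
        } } |
    Format-Table -AutoSize
```

Re-running the script after changes to the group gives a quick record of who currently holds admin console access.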
User Login to FileMaker Server Admin Console
Any users who have been added to an appropriate server group as described above, whether individually or via a Moira list, will now be able to authenticate to the FileMaker Server admin console with their Kerberos username and password.
Additional Resources
More information on External Authentication can be found in FileMaker's in-depth guide.
For any questions related to FileMaker at MIT, please contact filemaker-support@mit.edu.