FileMaker External Authentication (EA) is a very powerful feature that is sometimes avoided needlessly. In this post I’ll explain how to implement it with no domain, on a non-server OS.
Common false assumptions about EA:
- Requires a domain. FALSE
- Requires a server OS. FALSE
- Is complicated. FALSE
EA is exceedingly simple to enable. It’s literally one radio button on the FileMaker Server Admin Console. This is all the configuration needed to start taking advantage of EA:
To take advantage of External Authentication, you will need to set up three things:
- External Server account(s) in your FileMaker file(s)
- Group(s) on your server with matching name(s) to those of your External Server accounts
- Users to put in those Group(s)
Important Security Tip: Do not associate External Server groups with the [Full Access] privilege set, as this would make it too easy for an unauthorized person to log in with [Full Access] if they could manage to get a copy of your file and guess your [Full Access] External Server group name.
For the purpose of this how-to, we’ll assume that there is an External Server account called filemaker_test. This is set up in exactly the same way as a standard FileMaker account, but there is no password to configure:
FileMaker External Server account
Last, you need to create a group with the same name on the FileMaker host (domain groups work too, but here we’re focusing on local host), and populate it with user accounts. This is very similar on Windows and on Macintosh. Here are the steps required for both Vista and Leopard:
Vista
On Vista, you can right click on “Computer” and choose Manage.
Opening Manage Computer
This opens the Computer Management console. Disclose “Local Users and Groups” in the hierarchy. You can highlight either Users or Groups and choose More Actions on the right or use the context menu to add new ones.
Vista Computer Management: Users
Vista Computer Management: Groups
Adding a User or a Group
Creating A Group in Vista
This is all that is required on Vista.
Leopard
The process is very similar on Leopard, but unless you are running the Server version of Leopard, you will need to download the Server Admin Tools from Apple.
- Download Server Admin Tools for 10.5 (Leopard)
- Download Server Admin Tools for 10.4 (Tiger)
These tips are for 10.5, but should work essentially the same for 10.4 as well. After downloading and installing the tools, look for Applications/Server/ where you will find an app called Workgroup Manager. Launch this. It will prompt you to connect to a server, but you should simply cancel this dialog.
Cancel Workgroup Manager Connect
Instead you’ll want to choose Server -> View Directories or press cmd-D.
View Directories
You will get a prompt warning you that you are working in a directory node that is not visible to the network (i.e. you’re on the local machine), and this is exactly what we want. You can choose “Do not show” again if you like. Now we are pretty much at the same point where we started in Vista.
Dismiss the warning
Mac Leopard: Users
Mac Leopard: Groups
To create a new Group, click the padlock in the upper right and authenticate with your admin account. Then click New Group on the toolbar. Fill in the group name as filemaker_test in our case, and click Save.
Create a new Group
Switch to the Members tab, and click the plus symbol to open a search interface.
User search
Select the user you need to add to your group and click Save.
Group with a User
Creating new Users on the local machine is very similar to creating new Groups. Once you create a new User and add it to your External Server account/group, any FileMaker file hosted on that machine and configured with a matching External Server account will allow that user in, according to the privilege set you defined for the External Server account in that file. This is a terrific advantage for administering multi-file solutions where no domain is practical. This is common on conversion jobs (from fp5 format) where multiple files were required, but it’s also fairly common in new solutions to take advantage of multi-file architecture.
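To check a setup against the security tip and the matching-name requirement above, here is an added example (not from the original post and not FileMaker's own code) that audits a file's account list against the local groups on the host. Apart from filemaker_test, all account rows, group names and members are constructed sample data, and comparing names as exact strings is an assumption.

```python
"""Audit External Server accounts against local groups on the host."""
FULL_ACCESS = "[Full Access]"
EXTERNAL = "External Server"

# (account name, account type, privilege set), copied by hand from the
# file's account list. Constructed sample data; only filemaker_test is
# a name used in the post.
ACCOUNTS = [
    ("Admin", "FileMaker", "[Full Access]"),
    ("filemaker_test", EXTERNAL, "[Data Entry Only]"),
    ("fm_admins", EXTERNAL, "[Full Access]"),
    ("fm_reports", EXTERNAL, "[Read-Only Access]"),
]

# Local groups on the FileMaker host and their members (constructed).
HOST_GROUPS = {
    "filemaker_test": ["alice", "bob"],
    "fm_admins": ["carol"],
    "staff": ["alice", "bob", "carol"],
}

def audit(accounts, host_groups):
    """Return (severity, account, message) findings for External Server accounts."""
    findings = []
    for name, kind, privilege_set in accounts:
        if kind != EXTERNAL:
            continue
        if privilege_set == FULL_ACCESS:
            # The case the security tip warns about.
            findings.append(("HIGH", name, "group name grants [Full Access]"))
        # Assumption: names are compared as exact strings.
        if name not in host_groups:
            findings.append(("INFO", name, "no matching group on host"))
        elif not host_groups[name]:
            findings.append(("INFO", name, "matching group has no members"))
    return findings

def reachable_privilege_sets(user, accounts, host_groups):
    """List (group, privilege set) pairs a host user matches by membership."""
    return [(name, ps) for name, kind, ps in accounts
            if kind == EXTERNAL and user in host_groups.get(name, [])]

if __name__ == "__main__":
    for finding in audit(ACCOUNTS, HOST_GROUPS):
        print(*finding, sep=": ")
    print("alice ->", reachable_privilege_sets("alice", ACCOUNTS, HOST_GROUPS))
```
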
Hi jsmall
I have created scripts and a table to let users with “manager” privilege create, delete, and activate users and also be able to reset their passwords. I want to add another option of having the manager create users that authenticate on an external server.
It will possibly be a check box for external server authentication, but in the dialog box for the New Account script step, the options are very limited. Is there a way to have the manager create such accounts that authenticate on an external server via a script?