How can security be implemented with FileMaker external authentication with Windows Active Directory? How does the username & password work in terms of FileMakers Get(AccountName) function?
Note the interesting behavior of Get(AccountName). [It is important to note, but not directly what this tech note is about, that if you create a calculation for Get(AccountName) you will want this calculation to not store its results so that it is updated correctly. Furthermore, the calculation wont work in Find mode, so if you want to be in Find mode and display the Account Name, you have to store this into a global text field. This is easily done with an open script that uses Get(AccountName) to set a global field on log-in].
I will describe the function of Get(AccountName) for normal accounts and then for externally authenticated accounts (with Windows AD)
Be sure to reference the attached pictures for this note.
Figure 1: FileMakers setup accounts window
In this window you see the normal setup for setting up FileMaker accounts. Create a new account or edit an existing one.
Figure 2: Setting up a Normal FileMaker Account
Note that here I am setting up an account named joe. If Joe logs in with this account, the Get(AccountName) will return joe.
Figure 3: Setting up an Externally Authenticated Account
Note that here I am still editing a FileMaker Account (under the Accounts tab), but I have switched Account is authenticated via: External Server. Then, the text field where I normally enter the account name changes to Group name. This is because a FileMaker account in this context corresponds to a Windows Active Directory group. It is then the Windows AD administrators responsibility to make sure that the individual logging in is associated with the correct group on the AD server.
For this example, I have used the group name theclub and assigned this FileMaker account (AD Group) to the Privilege set [Data Entry Only]
Lets assume that Jane is a member of the group theclub on the AD server. When Jane logs in with her username and password, she is externally authenticated (this is configured in FileMaker Server), the FileMaker system sees she is a member of theclub, and gives her the corresponding privilege set.
When using Get(AccountName) in this context (with external authentication), does the function return jane (the username stored in the AD Server and associated with the group), or does the function return theclub, the name of the FileMaker account (really, AD Group), against which Jane was authenticated?
The answer is Get(AccountName) returns jane. This is very useful when it is necessary to know exactly which user has logged in, and allowing and/or restricting her access to records and fields.
As far as we know as the time of this writing (2006.02.02), there is no FileMaker function that returns the AD Group name itself (in our example, theclub). This is a drawback to FileMakers implementation of the external authentication, but there are ways around.
One way around it would be to use a unique privilege set for each FileMaker account (AD Group), then use the Get(PrivilegeSet) function to figure out which Privilege Set they had logged in with. If each one is unique to an account, then you can deduce which account (AD Group) they logged in with using this method. As of this writing, this is the best work-around that we have for this scenario.