
Updating the FME Server Configuration

Updating the FME Server configuration to enable Integrated Windows Authentication (IWA, or "single sign-on") involves the following steps:

  1. Update the user role permissions.
  2. Specify the service account and enable single sign-on in the FME common configuration file (fmeCommonConfig.txt).
  3. Enable single sign-on in the Web User Interface configuration file (propertiesFile.properties).

Updating User Role Policies

Single sign-on users require access to the Token Service to generate security tokens.

  1. If you have not already done so, add your domain's Active Directory security groups as user roles in FME Server. For more information, see "Identify Security Groups" in Connecting to Active Directory.
  2. On the FME Server Web User Interface, select Manage > Administration > Security. On the Security page, select the Role Policies tab.
  3. In the 'Role' field, select the appropriate user role.
  4. Under 'Services,' ensure that 'Token Security' is checked.
  5. If changes are made, click Apply Changes.

Updating fmeCommonConfig.txt

This configuration file is located at <FMEServerDir>/Server/fmeCommonConfig.txt.

  1. Under the 'Security Management' heading, set:

    SECURITY_DEBUG=true

  2. Under the 'Authentication' heading, set:

    #SECURITY_LOGIN_TYPE=database

    SECURITY_LOGIN_TYPE=activedirectory

    SECURITY_AD_USE_SASL_AUTHENTICATION=true

    SECURITY_AD_SASL_OPTION_MECHANISM=GSSAPI

    SECURITY_AD_PREAUTH_USERNAME=<service account name>

    Note: Specify only a service account name for the SECURITY_AD_PREAUTH_USERNAME parameter. Do not include a domain name. For example, do not specify domain_name\user_name. Specify only user_name.

    SECURITY_AD_PREAUTH_PASSWORD=<service account password>

    SECURITY_AD_USE_SINGLE_SIGN_ON=true

Note: SASL authentication must be enabled and Kerberos V5 must be used as the authentication mechanism. Therefore, depending on your Windows domain configuration, SECURITY_AD_SASL_OPTION_KDC_ADDRESS and SECURITY_AD_SASL_OPTION_REALM may be required. For more information, see SECURITY_AD_SASL_OPTION_MECHANISM.

Updating propertiesFile.properties

When FME Server is installed using express installation, this configuration file is located at <FMEServerDir>/Utilities/tomcat/webapps/fmeserver/WEB-INF/conf/propertiesFile.properties.

  1. Set USE_SINGLE_SIGN_ON=true
  2. Verify that the SINGLE_SIGN_ON_AUTH_URL host name matches that of a service principal name (SPN). For example, if SINGLE_SIGN_ON_AUTH_URL=http://fmeserver.domain.net:80/fmetoken/sso/generate, then the host name 'fmeserver.domain.net' correctly matches that of the SPN 'http/fmeserver.domain.net'.
  3. Verify that the parameter SINGLE_SIGN_ON_AUTH_URL is set to the correct protocol. By default, http is used as the protocol. If SSL is enabled for the web application server, then update the protocol to https.
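As an added check for both files covered above (example code, not FME Server's own tooling; the file excerpts are constructed samples and the SPN list passed in is an assumption about what is registered in the domain), the script below parses fmeCommonConfig.txt and propertiesFile.properties and flags the deviations the steps describe: a wrong login type, SASL or GSSAPI setting, a domain-qualified SECURITY_AD_PREAUTH_USERNAME, single sign-on left off, a SINGLE_SIGN_ON_AUTH_URL host with no matching SPN, and http where SSL is enabled.

```python
"""Lint the IWA settings in the two FME Server files above (added example, constructed samples)."""
from urllib.parse import urlsplit

# Constructed fmeCommonConfig.txt excerpt with the values the steps above set.
FME_COMMON_CONFIG = """\
SECURITY_DEBUG=true
#SECURITY_LOGIN_TYPE=database
SECURITY_LOGIN_TYPE=activedirectory
SECURITY_AD_USE_SASL_AUTHENTICATION=true
SECURITY_AD_SASL_OPTION_MECHANISM=GSSAPI
SECURITY_AD_PREAUTH_USERNAME=svc_fmeserver
SECURITY_AD_USE_SINGLE_SIGN_ON=true
"""
# Constructed propertiesFile.properties excerpt.
PROPERTIES_FILE = """\
USE_SINGLE_SIGN_ON=true
SINGLE_SIGN_ON_AUTH_URL=http://fmeserver.domain.net:80/fmetoken/sso/generate
"""
REQUIRED_COMMON = {
    "SECURITY_LOGIN_TYPE": "activedirectory",
    "SECURITY_AD_USE_SASL_AUTHENTICATION": "true",
    "SECURITY_AD_SASL_OPTION_MECHANISM": "GSSAPI",
    "SECURITY_AD_USE_SINGLE_SIGN_ON": "true",
}

def parse_kv(text):
    """KEY=VALUE lines; a leading '#' comments a line out (the old database line)."""
    lines = (l.strip() for l in text.splitlines())
    pairs = (l.partition("=") for l in lines if l and "=" in l and not l.startswith("#"))
    return {k.strip(): v.strip() for k, _, v in pairs}

def check_iwa_config(common_text, props_text, spns, ssl_enabled):
    """Return findings as strings; an empty list means the settings match the steps."""
    c, p = parse_kv(common_text), parse_kv(props_text)
    findings = []
    for key, want in REQUIRED_COMMON.items():
        if c.get(key, "").lower() != want.lower():
            findings.append(f"fmeCommonConfig.txt: {key} should be {want}")
    user = c.get("SECURITY_AD_PREAUTH_USERNAME", "")
    if not user or "\\" in user or "@" in user:   # bare account name only, no domain
        findings.append("SECURITY_AD_PREAUTH_USERNAME must not include a domain name")
    if p.get("USE_SINGLE_SIGN_ON", "").lower() != "true":
        findings.append("propertiesFile.properties: USE_SINGLE_SIGN_ON should be true")
    url = urlsplit(p.get("SINGLE_SIGN_ON_AUTH_URL", ""))
    # The host must match a registered SPN; the HTTP service class covers http and https.
    if f"http/{url.hostname}" not in {s.lower() for s in spns}:
        findings.append(f"no SPN http/{url.hostname} for the SINGLE_SIGN_ON_AUTH_URL host")
    if ssl_enabled and url.scheme != "https":
        findings.append("SINGLE_SIGN_ON_AUTH_URL must use https when SSL is enabled")
    return findings
```

Run check_iwa_config with the real file contents and the SPNs registered for the service account; any returned string points at the step above that still needs attention.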