FME Server's security framework can be configured to use Active Directory for user authentication and user grouping. In this manner, a server administrator can utilize an existing user account database and associated security permissions.
In Active Directory, user accounts are given security permissions by placing them in one or more security groups. The integration works by effectively mapping Active Directory security groups to FME Server roles. In the Web User Interface, a role is then given a set of resources it can access and permissions on those resources. Therefore, if a security group has access to a particular resource, so do its member users.
Note: FME Server includes the fmesuperuser role, which allows full access to all server resources. It is not possible to map an Active Directory security group to this role in the same manner as other roles. For more information, see Enabling fmesuperuser Privileges in Active Directory.
To configure FME Server to use Active Directory, three steps are required:
These steps are described in detail in the following sections.
This document assumes that you have not modified FME Server security components and that you are using the default security settings that ship with FME Server (that is, the built-in database security module).
Identify the security groups or user accounts to which you want to allow access to FME Server, and compile a list of their distinguished names (DNs).
You can acquire DNs from the domain administrator or through an Active Directory browser, such as ADExplorer (http://technet.microsoft.com/en-us/sysinternals/bb963907). The DN of a security group takes on the general form:
CN=groupname,OU=organizationunit,...,DC=mydomain,DC=com
The DN of a user account takes on the general form:
CN=username,OU=organizationunit,...,DC=mydomain,DC=com
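Because a mistyped or truncated DN silently produces a role that never matches anyone, it is worth validating each DN before adding it. The following Python is an added example, not code from the FME Server documentation: it parses the DN syntax (comma-separated RDNs with backslash escapes, as in RFC 4514) and checks for the CN / OU / DC shape shown above. The function names and the sample DNs are constructed for this illustration.

```python
"""Parse and sanity-check Active Directory distinguished names (DNs) before
adding them as FME Server user roles. Added example, not Safe Software code.
Sample DNs used in the tests are constructed, not taken from any real domain."""


def split_rdns(dn):
    """Split a DN into (attribute, value) pairs.

    Honours backslash escapes such as 'CN=Smith\\, John' so that an escaped
    comma inside a value does not get mistaken for an RDN separator."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))

    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def check_principal_dn(dn):
    """Validate the group/user shape the documentation shows:
    CN=<name>, then zero or more OU (or CN container) components, then only
    DC components. Returns the parsed parts or raises ValueError."""
    pairs = split_rdns(dn)
    if pairs[0][0] != "CN":
        raise ValueError("DN must start with CN=<name>")
    dc_index = [i for i, (attr, _) in enumerate(pairs) if attr == "DC"]
    if not dc_index:
        raise ValueError("DN has no DC components, so it names no domain")
    first_dc = dc_index[0]
    # Once the domain part starts, nothing but DC components may follow.
    if any(attr != "DC" for attr, _ in pairs[first_dc:]):
        raise ValueError("non-DC component after the domain part")
    containers = pairs[1:first_dc]
    if any(attr not in ("OU", "CN") for attr, _ in containers):
        raise ValueError("only OU or CN containers may sit between CN and DC")
    return {
        "name": pairs[0][1],
        "path": [value for _, value in containers],
        "domain": ".".join(value for _, value in pairs[first_dc:]),
    }
```

A user DN and a group DN have the same shape, so this catches malformed or truncated strings, not whether the object is a security group rather than a distribution group; that still has to be confirmed in Active Directory itself.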
Through the FME Server web user interface, add each security group's or user account's DN as a user role. For each user role, specify the FME Server resources that the role can access.
Click OK to add the new user role.
The user membership is maintained in Active Directory.
Edit the FME Server configuration file (<FMEServerDir>\Server\fmeServerConfig.txt) to use Active Directory. Then restart the server.
Note: For more information about configuring the FME Server configuration file for Active Directory integration, see Configuring FME Server with Active Directory.
Under the Security heading, comment out (prefix with #) the following line:
SECURITY_LOGIN_TYPE=database
Uncomment (remove the leading #) the following lines:
SECURITY_LOGIN_TYPE=activedirectory
SECURITY_AD_SERVER_AUTODETECT=true
SECURITY_AD_USE_SASL_AUTHENTICATION=true
SECURITY_AD_SASL_OPTION_MECHANISM=GSSAPI
SECURITY_AD_PREAUTH_USERNAME=
SECURITY_AD_PREAUTH_PASSWORD=
FME Server will attempt to automatically detect Active Directory. If this fails, provide the host and port for your Active Directory using the following lines:
SECURITY_AD_SERVER_AUTODETECT=false
SECURITY_AD_SERVER_COUNT=1
SECURITY_AD_SERVER_HOST1=<host>
SECURITY_AD_SERVER_PORT1=<port>
(<port> is typically 389, or 636 when using SSL.)
Provide your service account credentials in SECURITY_AD_PREAUTH_USERNAME and SECURITY_AD_PREAUTH_PASSWORD. A service account is required for certain features of FME Server (including token authentication and single sign-on authentication).
SECURITY_AD_PREAUTH_USERNAME=<account_name>
SECURITY_AD_PREAUTH_PASSWORD=<account_password>
If you are connecting to Active Directory over a Secure Sockets Layer (SSL), add the following line:
SECURITY_AD_USE_SSL=true
This step is necessary for reliable Token Service access to the REST API. For more information, see Configuring FME Server with Active Directory.
Restart FME Server.
For more information, see Starting and Stopping FME Server.
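The configuration edits above are easy to get half right (for example, port 636 without SECURITY_AD_USE_SSL=true, or autodetect switched off without a host), and the mistake only shows up as a failed login after the restart. The following Python is an added example, not Safe Software's code: it applies the edits to the text of fmeServerConfig.txt using only the SECURITY_* keys listed on this page and then checks the resulting settings for such inconsistencies. The sample configuration excerpt and the helper names are constructed for this illustration.

```python
"""Apply the Active Directory edits to fmeServerConfig.txt and sanity-check
the result. Added example, not Safe Software code. Only the SECURITY_* keys
named in the documentation are used; SAMPLE_CONFIG is a constructed excerpt."""

# The lines the documentation says to uncomment, exactly as they appear.
AD_LINES = {
    "SECURITY_LOGIN_TYPE=activedirectory",
    "SECURITY_AD_SERVER_AUTODETECT=true",
    "SECURITY_AD_USE_SASL_AUTHENTICATION=true",
    "SECURITY_AD_SASL_OPTION_MECHANISM=GSSAPI",
    "SECURITY_AD_PREAUTH_USERNAME=",
    "SECURITY_AD_PREAUTH_PASSWORD=",
}

SAMPLE_CONFIG = """\
# Security (constructed excerpt, not a real fmeServerConfig.txt)
SECURITY_LOGIN_TYPE=database
#SECURITY_LOGIN_TYPE=activedirectory
#SECURITY_AD_SERVER_AUTODETECT=true
#SECURITY_AD_USE_SASL_AUTHENTICATION=true
#SECURITY_AD_SASL_OPTION_MECHANISM=GSSAPI
#SECURITY_AD_PREAUTH_USERNAME=
#SECURITY_AD_PREAUTH_PASSWORD=
"""


def active_settings(text):
    """Return the uncommented KEY=VALUE pairs; a later duplicate key wins."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def _set(lines, key, value):
    """Replace the active KEY= line in place, or append one if absent."""
    for i, line in enumerate(lines):
        if line.strip().startswith(key + "="):
            lines[i] = f"{key}={value}"
            return
    lines.append(f"{key}={value}")


def enable_active_directory(text, host=None, port=None, use_ssl=False,
                            preauth_user="", preauth_password=""):
    """Comment out the database login type, uncomment the AD block, then fill
    in the optional host/port, SSL flag and service-account credentials."""
    lines = []
    for line in text.splitlines():
        s = line.strip()
        if s == "SECURITY_LOGIN_TYPE=database":
            lines.append("#" + s)
        elif s.startswith("#") and s.lstrip("#").strip() in AD_LINES:
            lines.append(s.lstrip("#").strip())
        else:
            lines.append(line)
    if host:  # autodetection failed: point at a specific domain controller
        _set(lines, "SECURITY_AD_SERVER_AUTODETECT", "false")
        _set(lines, "SECURITY_AD_SERVER_COUNT", "1")
        _set(lines, "SECURITY_AD_SERVER_HOST1", host)
        _set(lines, "SECURITY_AD_SERVER_PORT1",
             str(port or (636 if use_ssl else 389)))
    if use_ssl:
        _set(lines, "SECURITY_AD_USE_SSL", "true")
    _set(lines, "SECURITY_AD_PREAUTH_USERNAME", preauth_user)
    _set(lines, "SECURITY_AD_PREAUTH_PASSWORD", preauth_password)
    return "\n".join(lines) + "\n"


def check_settings(settings):
    """Return a list of warnings about inconsistent AD settings (empty if OK)."""
    warnings = []
    if settings.get("SECURITY_LOGIN_TYPE") != "activedirectory":
        warnings.append("SECURITY_LOGIN_TYPE is not activedirectory")
    autodetect = settings.get("SECURITY_AD_SERVER_AUTODETECT", "true").lower()
    if autodetect == "false" and not settings.get("SECURITY_AD_SERVER_HOST1"):
        warnings.append("autodetect is off but SECURITY_AD_SERVER_HOST1 is empty")
    port = settings.get("SECURITY_AD_SERVER_PORT1")
    ssl = settings.get("SECURITY_AD_USE_SSL", "false").lower() == "true"
    if port == "636" and not ssl:
        warnings.append("port 636 is the LDAPS port but SECURITY_AD_USE_SSL is not true")
    if port == "389" and ssl:
        warnings.append("SECURITY_AD_USE_SSL=true but port 389 is the plain LDAP port")
    user = settings.get("SECURITY_AD_PREAUTH_USERNAME", "")
    password = settings.get("SECURITY_AD_PREAUTH_PASSWORD", "")
    if user and not password:
        warnings.append("service account set without a password; token and SSO features need both")
    if password:
        warnings.append("file now holds a cleartext service-account password; restrict its ACL")
    return warnings
```

Run check_settings(active_settings(text)) on the edited file before restarting; the last warning is deliberate, since once a service-account password is in fmeServerConfig.txt the file's read permissions are part of the server's security boundary.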
When using Active Directory for user authentication and authorization, the Security Management interface has some modifications.
The User Accounts view is a live list of the Active Directory users that can access components of FME Server. A server administrator cannot modify this list, since it is fetched from Active Directory. The list includes every user who is a member of one of the Active Directory security groups specified as user roles.
Note: FME Server populates this view by using Lightweight Directory Access Protocol's (LDAP) virtual list view (VLV) control. Your Active Directory server must have this feature enabled in order to display a live User Accounts view.
The User Roles view is a live list of the Active Directory security groups that can access components of FME Server. A server administrator can modify this list, which is stored in the local security database, to add Active Directory security groups or remove existing groups.
Note: User roles can accept Active Directory security groups or user accounts. It is possible through the user interface to add user roles that are not security groups; however, they are ignored. Examples of invalid user roles when using Active Directory include:
- Active Directory distribution groups
- Built-in database user roles (for example, fmeadmin)
Active Directory-based security might be easier to set up in some server environments, due to the high degree of variability of the security hierarchy. If you are having difficulty configuring FME Server's security framework to use Active Directory, check the following troubleshooting tips for options.
Enabling debug logging for FME Server's security framework allows more verbose logging during many Active Directory operations. Examining log messages might provide insight into the failing operation.
Restart FME Server.
For more information, see Starting and Stopping FME Server.
Bundled with your FME Server installation is an Active Directory configuration utility, located at:
<FMEServerDir>/Utilities/ActiveDirectoryConfigurationConsole.bat
This utility allows you to test various Active Directory configuration parameters and uses the same API to contact your domain controller and FME Server.
The utility presents the following menu options:
This allows you to test connection parameters and verify that a connection to an Active Directory server can be established.
This allows you to verify that all directory browsing options are functioning properly.
This allows you to test authentication using standard NT username/password.
This outputs the set of configuration parameters used in this utility. Follow the on-screen instructions to migrate these parameters into the FME Server configuration file.