
Updating the FME Server Configuration

Updating the FME Server configuration to enable Integrated Windows Authentication (IWA, or "single sign-on") involves the following steps:

  1. Update the user role permissions.

  2. Specify the service account and enable single sign-on in the FME Server configuration file (fmeServerConfig.txt).
  3. Enable single sign-on in the Web User Interface configuration file (propertiesFile.properties).

Updating User Role Permissions

Single sign-on users require access to the Token Service to generate security tokens.

  1. If you have not already done so, add your domain's Active Directory security groups as user roles in FME Server. For more information, see "Identify Security Groups" in Connecting to Active Directory.
  2. From the FME Server Web User Interface, select 'Security', then select the 'Permissions' tab.
  3. In the 'Role' field, select the appropriate user role.
  4. Under 'Services,' ensure that 'Token Security' is checked.
  5. If changes are made, click 'Apply Changes.'

Updating fmeServerConfig.txt

This configuration file is located at <FMEServerDir>/Server/fmeServerConfig.txt

  1. Under the 'Security Management' heading, set:

    SECURITY_DEBUG=true

  2. Under the 'Authentication' heading, set:

    #SECURITY_LOGIN_TYPE=database

    SECURITY_LOGIN_TYPE=activedirectory

    SECURITY_AD_USE_SASL_AUTHENTICATION=true

    SECURITY_AD_SASL_OPTION_MECHANISM=GSSAPI

    SECURITY_AD_PREAUTH_USERNAME=<service account name>

    SECURITY_AD_PREAUTH_PASSWORD=<service account password>

    SECURITY_AD_USE_SINGLE_SIGN_ON=true

Note:  SASL authentication must be enabled and Kerberos V5 must be used as the authentication mechanism. Therefore, depending on your Windows domain configuration, SECURITY_AD_SASL_OPTION_KDC_ADDRESS and SECURITY_AD_SASL_OPTION_REALM may be required. For more information, see SECURITY_AD_SASL_OPTION_MECHANISM.

Updating propertiesFile.properties

When FME Server is installed using express installation, this configuration file is located at <FMEServerDir>/Utilities/tomcat/webapps/fmeserver/WEB-INF/conf/propertiesFile.properties.

  1. Set USE_SINGLE_SIGN_ON=true
  2. Verify that the SINGLE_SIGN_ON_AUTH_URL host name matches that of a service principal name (SPN). For example, if SINGLE_SIGN_ON_AUTH_URL=http://fmeserver.domain.net..., then the host name 'fmeserver.domain.net' correctly matches that of the SPN 'http/fmeserver.domain.net'.
  3. Verify that the parameter SINGLE_SIGN_ON_AUTH_URL is set to the correct protocol. By default, http is used as the protocol. If SSL is enabled for the web application server, then update the protocol to https.
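
The settings from both file sections above can be checked offline before restarting the services. The following is an added example, not part of Safe Software's documentation or code: it reports missing IWA settings, a SINGLE_SIGN_ON_AUTH_URL host that matches no SPN, and a protocol that disagrees with the SSL setting. The function names, the sample values, and the assumption that both files consist of plain KEY=VALUE lines with '#' comments are this example's own.

```python
from urllib.parse import urlsplit

REQUIRED_SERVER = {  # values this page says to set in fmeServerConfig.txt
    "SECURITY_LOGIN_TYPE": "activedirectory",
    "SECURITY_AD_USE_SASL_AUTHENTICATION": "true",
    "SECURITY_AD_SASL_OPTION_MECHANISM": "GSSAPI",
    "SECURITY_AD_USE_SINGLE_SIGN_ON": "true",
}

def parse_kv(text):
    """Parse KEY=VALUE lines, skipping blank lines and '#' comment lines."""
    settings = {}
    for line in map(str.strip, text.splitlines()):
        if "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def check_iwa(server_text, web_text, spns, ssl_enabled):
    """Return a list of findings; an empty list means every check passed."""
    server, web, findings = parse_kv(server_text), parse_kv(web_text), []
    for key, want in REQUIRED_SERVER.items():
        if server.get(key, "").lower() != want.lower():
            findings.append(f"{key} should be {want}, found {server.get(key)!r}")
    for key in ("SECURITY_AD_PREAUTH_USERNAME", "SECURITY_AD_PREAUTH_PASSWORD"):
        if not server.get(key) or server[key].startswith("<"):  # unset or template text
            findings.append(f"{key} is not set")
    if web.get("USE_SINGLE_SIGN_ON", "").lower() != "true":
        findings.append("USE_SINGLE_SIGN_ON should be true")
    url = urlsplit(web.get("SINGLE_SIGN_ON_AUTH_URL", ""))
    # An SPN is <service class>/<host>[:port]; host names compare case-insensitively.
    spn_hosts = {s.split("/")[1].split(":")[0].lower() for s in spns if "/" in s}
    if (url.hostname or "") not in spn_hosts:  # urlsplit lower-cases the host name
        findings.append(f"URL host {url.hostname!r} matches no SPN host")
    if url.scheme != ("https" if ssl_enabled else "http"):
        findings.append(f"URL scheme is {url.scheme!r} but SSL enabled is {ssl_enabled}")
    return findings

# Constructed sample input, not taken from a real installation.
SAMPLE_SERVER = """#SECURITY_LOGIN_TYPE=database
SECURITY_LOGIN_TYPE=activedirectory
SECURITY_AD_USE_SASL_AUTHENTICATION=true
SECURITY_AD_SASL_OPTION_MECHANISM=GSSAPI
SECURITY_AD_PREAUTH_USERNAME=svc_fme_example
SECURITY_AD_PREAUTH_PASSWORD=<service account password>
SECURITY_AD_USE_SINGLE_SIGN_ON=true"""
SAMPLE_WEB = "USE_SINGLE_SIGN_ON=true\nSINGLE_SIGN_ON_AUTH_URL=http://FMEServer.domain.net/example"
if __name__ == "__main__":
    print("\n".join(check_iwa(SAMPLE_SERVER, SAMPLE_WEB, ["http/fmeserver.domain.net"], True)))
```

The SPN list passed in can be taken from the output of `setspn -L <service account name>` on a domain-joined machine.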

Safe Software Inc. www.safe.com