Connecting to Active Directory
FME Server's security framework can be configured to use Active Directory for user authentication and user grouping. In this manner, a server administrator can utilize an existing user account database and associated security permissions.
In Active Directory, user accounts are given security permissions by placing them in one or more security groups. The integration works by effectively mapping Active Directory security groups to FME Server roles. In the Web User Interface, a role is then given a set of resources it can access and permissions on those resources. Therefore, if a security group has access to a particular resource, so do its member users.
Note: FME Server includes the fmesuperuser role, which allows full access to all server resources. It is not possible to map an Active Directory user account or security group to this role in the same manner as other roles. For more information, see Enabling fmesuperuser Privileges in Active Directory.
Getting Started
To configure FME Server to use Active Directory, these steps are required:
- Identify Security Groups or User Accounts.
- Add Security Groups or User Accounts as Roles.
- Enable Active Directory integration in the FME Server configuration file.
- Verify the Active Directory Connections.
This document assumes that you have not modified FME Server security components and that you are using the default security settings that ship with FME Server (that is, the built-in database security module).
Identify Security Groups or User Accounts
Identify the security groups or user accounts to which you want to allow access to FME Server, and compile a list of their distinguished names (DNs).
You can acquire DNs from the domain administrator or through an Active Directory browser, such as ADExplorer (http://technet.microsoft.com/en-us/sysinternals/bb963907). The DN of a security group takes on the general form:
CN=groupname,OU=organizationunit,...,DC=mydomain,DC=com
The DN of a user account takes on the general form:
CN=username,OU=organizationunit,...,DC=mydomain,DC=com
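Before pasting a DN into a role, it is worth checking that it really has the shape shown above and that any comma inside a group name is escaped the way ADExplorer displays it. The following Python script is an added example for this page, not FME Server code: it splits a DN on unescaped commas only (RFC 4514 escaping, where a literal comma appears as `\,` or `\2C`), checks for a `CN=` leaf and `DC=` components, and returns the object name and DNS domain. The DN strings in it are constructed. Note that the DN alone cannot tell a security group from a distribution group or a user account; confirm the object class in ADExplorer or with the domain administrator.

```python
"""Parse and sanity-check Active Directory distinguished names (DNs)
before entering them as FME Server roles.

Added example for this page; it is not FME Server code.  The DN strings
are constructed.  A DN's shape does not reveal whether the object is a
security group, a distribution group or a user (all are CN= leaves), so
the object class still has to be checked in ADExplorer.
"""

import re

_HEX_OR_CHAR = re.compile(r'\\(?:([0-9A-Fa-f]{2})|(.))')


def _unescape(value):
    # RFC 4514 escapes: "\," "\+" "\\" etc., or "\2C" style hex pairs.
    return _HEX_OR_CHAR.sub(
        lambda m: chr(int(m.group(1), 16)) if m.group(1) else m.group(2),
        value)


def split_rdns(dn):
    """Split a DN on unescaped commas only.  A plain str.split(',') would
    break a group name such as "Sales, EMEA" into two RDNs."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):
            buf.append(dn[i:i + 2])      # keep the escape pair intact
            i += 2
            continue
        if ch == ',':
            rdns.append(''.join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append(''.join(buf))
    return rdns


def parse_dn(dn):
    """Return [(ATTRIBUTE, value), ...], leaf RDN first."""
    pairs = []
    for rdn in split_rdns(dn):
        if '=' not in rdn:
            raise ValueError(f'malformed RDN: {rdn!r}')
        attr, value = rdn.split('=', 1)
        pairs.append((attr.strip().upper(), _unescape(value).strip()))
    return pairs


def check_role_dn(dn):
    """Check that dn has the CN=...,OU=...,DC=...,DC=... shape the
    documentation describes.  Returns (object name, DNS domain)."""
    pairs = parse_dn(dn)
    if pairs[0][0] != 'CN':
        raise ValueError('leaf RDN must be CN=<group or user name>')
    dc = [v for a, v in pairs if a == 'DC']
    if not dc:
        raise ValueError('no DC components: not a domain DN')
    for attr, _ in pairs[1:]:
        # CN= is allowed above the leaf for containers such as CN=Users
        if attr not in ('OU', 'CN', 'DC'):
            raise ValueError(f'unexpected RDN attribute {attr}')
    return pairs[0][1], '.'.join(dc)


def is_valid_role_dn(dn):
    try:
        check_role_dn(dn)
        return True
    except ValueError:
        return False


if __name__ == '__main__':
    for dn in ('CN=GIS Users,OU=Groups,DC=mydomain,DC=com',
               'CN=Sales\\, EMEA,OU=Groups,DC=mydomain,DC=com',
               'MYDOMAIN\\gisusers'):
        print(dn, '->', check_role_dn(dn) if is_valid_role_dn(dn) else 'rejected')
```

A `DOMAIN\name` or a bare group name is rejected, which is the common mistake when a role is added from memory rather than from the DN ADExplorer shows.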
Add Security Groups or User Accounts as Roles
Through the FME Server web user interface, add each security group's or user account's DN as a user role. For each user role, specify the FME Server resources that the role can access.
- Using a web browser, access the FME Server Web Interface—for example, http://localhost/fmeserver.
- If you are not already authenticated, enter your credentials, and click Login.
- On the menu, click Manage > Administration > Security.
- On the Security page, click the Roles tab.
- Click New, and then specify the security group's or user account's DN.
- Click OK to add the new user role. The user membership is maintained in Active Directory.
- Click the Role Policies tab, and select the newly added role.
- Specify the FME Server resources that you want to make accessible to this security group, and then click Apply Changes.
- Repeat steps 4 through 8 for each security group or user account you want to add.
Enable Active Directory
Edit FME Server configuration file fmeCommonConfig.txt (<FMEServerDir>\Server\fmeCommonConfig.txt) to use Active Directory. Then restart the server.
Note: In a distributed installation of FME Server, fmeCommonConfig.txt must be configured on all machines hosting FME Server components.
Note: For more information about configuring the FME Server configuration file for Active Directory integration, see Recommended Configuration for Active Directory Connections.
- Open the FME Server configuration file, fmeCommonConfig.txt, located in the subdirectory Server of your FME Server install directory.
- Under the Authentication heading, comment out (#) the following line:
SECURITY_LOGIN_TYPE=database
- Uncomment the following lines:
SECURITY_LOGIN_TYPE=activedirectory
SECURITY_AD_SERVER_AUTODETECT=true
SECURITY_AD_USE_SASL_AUTHENTICATION=true
SECURITY_AD_SASL_OPTION_MECHANISM=GSSAPI
SECURITY_AD_PREAUTH_USERNAME=
SECURITY_AD_PREAUTH_PASSWORD=
FME Server will attempt to automatically detect Active Directory. If this fails, provide the host and port for your Active Directory using the following lines:
SECURITY_AD_SERVER_AUTODETECT=false
SECURITY_AD_SERVER_COUNT=1
SECURITY_AD_SERVER_HOST1=<host>
SECURITY_AD_SERVER_PORT1=<port> (typically 389, or 636 when using SSL)
Note: For failover purposes, you can specify multiple Active Directory hosts. Each additional host is contacted if the previous one fails. All specified hosts must recognize the same security groups or user accounts that are granted role access in FME Server. For more information, see SECURITY_AD_SERVER_COUNT.
- If you are connecting to Active Directory over a Secure Sockets Layer (SSL), add the following line:
SECURITY_AD_USE_SSL=true
- (Optional) If you are authenticating using a CA certificate, import the certificate and instruct FME Server to add it to the list of trusted certificates.
- (Recommended) Provide your service account credentials in SECURITY_AD_PREAUTH_USERNAME and SECURITY_AD_PREAUTH_PASSWORD. A service account is required for certain features of FME Server, including token authentication, single sign-on authentication, and access to the FME Server REST API. For more information, see Recommended Configuration for Active Directory Connections:
SECURITY_AD_PREAUTH_USERNAME=<account_name>
SECURITY_AD_PREAUTH_PASSWORD=<account_password>
Note: These credentials should match those that are used to log on to the FME Server Services. If not, you may have trouble accessing certain pages of the FME Server Web User Interface (such as Notifications or Resources).
Note: Specify only a service account name for the SECURITY_AD_PREAUTH_USERNAME parameter. Do not include a domain name. For example, do not specify domain_name\\user_name. Specify only user_name.
- Save the configuration file.
- Restart FME Server.
- Log in using your Active Directory credentials.
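The edit above is easy to get subtly wrong: leaving two live SECURITY_LOGIN_TYPE lines, typing the service account as DOMAIN\user, or pairing SECURITY_AD_USE_SSL=true with port 389. The following Python script is an added example for this page, not FME Server code, that applies the whole procedure to a copy of fmeCommonConfig.txt in memory and refuses those mistakes. The parameter names are the ones listed in this document; the sample file is constructed and far shorter than the real one, and the host name, account name and password are placeholders.

```python
"""Switch a copy of fmeCommonConfig.txt from database to Active Directory
authentication, following the steps in the FME Server documentation.

Added example for this page; not FME Server code.  SAMPLE_CONFIG is a
constructed stand-in for the real file, and dc01.mydomain.com, svc_fme
and the password are placeholders.
"""

SAMPLE_CONFIG = """\
# Authentication
SECURITY_LOGIN_TYPE=database
#SECURITY_LOGIN_TYPE=activedirectory
#SECURITY_AD_SERVER_AUTODETECT=true
#SECURITY_AD_USE_SASL_AUTHENTICATION=true
#SECURITY_AD_SASL_OPTION_MECHANISM=GSSAPI
#SECURITY_AD_PREAUTH_USERNAME=
#SECURITY_AD_PREAUTH_PASSWORD=
"""


def _key_value(line):
    key, _, value = line.lstrip('#').partition('=')
    return key.strip(), value.strip()


def activate(lines, key, value):
    """Leave exactly one live line 'key=value'.  Prefer uncommenting an
    existing line with that value, then an existing commented template,
    otherwise append; any other live line for the key is commented out."""
    keyed = [i for i, l in enumerate(lines) if _key_value(l)[0] == key]
    exact = [i for i in keyed if _key_value(lines[i])[1] == value]
    target = exact[0] if exact else next(
        (i for i in keyed if lines[i].startswith('#')), None)
    out = list(lines)
    for i in keyed:
        if i != target and not out[i].startswith('#'):
            out[i] = '#' + out[i]          # comment out the competing value
    if target is None:
        out.append(f'{key}={value}')
    else:
        out[target] = f'{key}={value}'
    return out


def preauth_username_ok(name):
    # The documentation requires the bare account name, not DOMAIN\user.
    return bool(name) and name == name.strip() and '\\' not in name


def enable_active_directory(config_text, preauth_user, preauth_password,
                            host=None, port=None, use_ssl=False):
    if not preauth_username_ok(preauth_user):
        raise ValueError('SECURITY_AD_PREAUTH_USERNAME must be a bare account name')
    if use_ssl and port == 389:
        raise ValueError('389 is the plaintext LDAP port; SSL normally uses 636')
    settings = [
        ('SECURITY_LOGIN_TYPE', 'activedirectory'),
        ('SECURITY_AD_USE_SASL_AUTHENTICATION', 'true'),
        ('SECURITY_AD_SASL_OPTION_MECHANISM', 'GSSAPI'),
        ('SECURITY_AD_PREAUTH_USERNAME', preauth_user),
        ('SECURITY_AD_PREAUTH_PASSWORD', preauth_password),
    ]
    if host:                                # autodetect failed: name the DC
        settings += [
            ('SECURITY_AD_SERVER_AUTODETECT', 'false'),
            ('SECURITY_AD_SERVER_COUNT', '1'),
            ('SECURITY_AD_SERVER_HOST1', host),
            ('SECURITY_AD_SERVER_PORT1', str(port or (636 if use_ssl else 389))),
        ]
    else:
        settings.append(('SECURITY_AD_SERVER_AUTODETECT', 'true'))
    if use_ssl:
        settings.append(('SECURITY_AD_USE_SSL', 'true'))
    lines = config_text.splitlines()
    for key, value in settings:
        lines = activate(lines, key, value)
    return '\n'.join(lines) + '\n'


def active_settings(config_text):
    """Live (uncommented) key=value pairs, for checking the result."""
    return {k: v for k, v in (line.partition('=')[::2]
                              for line in config_text.splitlines()
                              if line and not line.startswith('#') and '=' in line)}


if __name__ == '__main__':
    print(enable_active_directory(SAMPLE_CONFIG, 'svc_fme', 'change-me',
                                  host='dc01.mydomain.com', use_ssl=True))
```

Run it against a copy of the real file, inspect the diff, then write the result back on every machine that hosts FME Server components and restart the server, as the steps above require. The service account password sits in the file as a plain key=value line, so the file's ACL should limit read access to administrators and the account the FME Server services run under.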
Verify the Active Directory Connections
To verify that Active Directory connections are configured properly, log in to the FME Server Web User Interface under an Active Directory user account that belongs to a security group (or is named directly) in one of the roles you added, and confirm that the account can reach the resources granted to that role, and no others.
Security Management Using Active Directory
When using Active Directory for user authentication and authorization, the Security Management interface has some modifications.
- The User Accounts view displays a live list of Active Directory users who can access components of FME Server.
- The User Roles view continues to display all available user roles, including those that are not Active Directory security groups or user accounts.
User Accounts View
The User Accounts view is a live list of Active Directory users that can access components of FME Server. A server administrator cannot modify this list, since it is fetched from Active Directory. The list includes every user who is a member of an enabled Active Directory security group, or who is named directly as a user account, in a user role.
Note: FME Server populates this view by using Lightweight Directory Access Protocol's (LDAP) virtual list view (VLV) control. Your Active Directory server must have this feature enabled in order to display a live User Accounts view.
User Roles View
The User Roles view is a live list of Active Directory security groups and user accounts that can access components of FME Server. A server administrator can modify this list, which is stored in the local security database, to add Active Directory security groups or remove existing groups.
Note: User roles can accept Active Directory security groups or user accounts. It is possible through the user interface to add user roles that are not security groups; however, they are ignored. Examples of invalid user roles when using Active Directory include:
- Active Directory distribution groups
- Built-in database user roles (for example, fmeadmin)
Troubleshooting
Active Directory-based security can be harder to set up in some server environments, because security hierarchies vary widely from one domain to another. If you are having difficulty configuring FME Server's security framework to use Active Directory, check the following troubleshooting tips for options.
Enable Debug Logging
Enabling debug logging for FME Server's security framework allows more verbose logging during many Active Directory operations. Examining log messages might provide insight into the failing operation.
- Open the FME Server configuration file, fmeCommonConfig.txt, located in the subdirectory Server of your FME Server install directory.
- Under the Security Management heading, locate the parameter SECURITY_DEBUG and set it to true.
- Restart FME Server.
- Examine the log files for additional information pertaining to Active Directory operations.
Use the Active Directory Configuration Tool
Bundled with your FME Server installation is an Active Directory configuration utility, located at:
<FMEServerDir>/Utilities/ActiveDirectoryConfigurationConsole.bat
This utility allows you to test various Active Directory configuration parameters and uses the same API to contact your domain controller and FME Server.
The utility presents the following menu options:
- Connect to an Active Directory server: test connection parameters and verify that a connection to an Active Directory server can be established.
- Browse the Active Directory: verify that all directory browsing options are functioning properly.
- Test NT user authentication: test authentication using a standard NT username and password.
- Apply settings for use in FME Server: output the set of configuration parameters used in this utility. Follow the on-screen instructions to migrate these parameters into the FME Server configuration file.