
Updating the FME Server Configuration

Updating the FME Server configuration to enable Integrated Windows Authentication (IWA, or "single sign-on") involves the following steps:

  1. Specify the service account and enable single sign-on in the FME common configuration file (fmeCommonConfig.txt).
  2. Enable single sign-on in the Web User Interface configuration file (propertiesFile.properties).

Updating fmeCommonConfig.txt

This configuration file is located at <FMEServerDir>/Server/fmeCommonConfig.txt

  1. Under the 'Security Management' heading, set:

    SECURITY_DEBUG=true

  2. Under the 'Authentication' heading, set:

    #SECURITY_LOGIN_TYPE=database

    SECURITY_LOGIN_TYPE=activedirectory

    SECURITY_AD_USE_SASL_AUTHENTICATION=true

    SECURITY_AD_SASL_OPTION_MECHANISM=GSSAPI

    SECURITY_AD_PREAUTH_USERNAME=<service account name>

    Note: Specify only a service account name for the SECURITY_AD_PREAUTH_USERNAME parameter. Do not include a domain name. For example, do not specify domain_name\user_name. Specify only user_name.

    SECURITY_AD_PREAUTH_PASSWORD=<service account password>

    SECURITY_AD_USE_SINGLE_SIGN_ON=true

Note: SASL authentication must be enabled and Kerberos V5 must be used as the authentication mechanism. Therefore, depending on your Windows domain configuration, SECURITY_AD_SASL_OPTION_KDC_ADDRESS and SECURITY_AD_SASL_OPTION_REALM may be required. For more information, see SECURITY_AD_SASL_OPTION_MECHANISM.

Updating propertiesFile.properties

When FME Server is installed using express installation, this configuration file is located at <FMEServerDir>/Utilities/tomcat/webapps/fmeserver/WEB-INF/conf/propertiesFile.properties.

  1. Set USE_SINGLE_SIGN_ON=true
  2. Verify that the SINGLE_SIGN_ON_AUTH_URL host name matches that of a service principal name (SPN). For example, if SINGLE_SIGN_ON_AUTH_URL=http://fmeserver.domain.net:80/fmetoken/sso/generate, then the host name 'fmeserver.domain.net' correctly matches that of the SPN 'http/fmeserver.domain.net'.
  3. Verify that the parameter SINGLE_SIGN_ON_AUTH_URL is set to the correct protocol. By default, http is used as the protocol. If SSL is enabled for the web application server, then update the protocol to https.
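
The checks in both procedures above can be scripted before restarting the services. The following is an added example, not part of the FME Server documentation or product: it reads the text of the two files and reports any setting that does not match the steps on this page. The function names, the KEY=VALUE parsing, the caller-supplied SPN list and the sample values are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Values the page says to set in fmeCommonConfig.txt (compared exactly).
REQUIRED_COMMON = {
    "SECURITY_DEBUG": "true",
    "SECURITY_LOGIN_TYPE": "activedirectory",
    "SECURITY_AD_USE_SASL_AUTHENTICATION": "true",
    "SECURITY_AD_SASL_OPTION_MECHANISM": "GSSAPI",
    "SECURITY_AD_USE_SINGLE_SIGN_ON": "true",
}

def parse_kv(text):
    """Parse KEY=VALUE lines; blank lines and '#' comments are skipped (assumed format)."""
    pairs = (l.strip().split("=", 1) for l in text.splitlines()
             if "=" in l and not l.strip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def check_iwa(common_text, props_text, spns, ssl_enabled=False):
    """Return a list of findings; an empty list means every step on the page is met."""
    common, props = parse_kv(common_text), parse_kv(props_text)
    findings = [f"{k} should be {want}, found {common.get(k)!r}"
                for k, want in REQUIRED_COMMON.items() if common.get(k) != want]
    user = common.get("SECURITY_AD_PREAUTH_USERNAME", "")
    if not user or "\\" in user:  # the page: user_name only, never domain_name\user_name
        findings.append("SECURITY_AD_PREAUTH_USERNAME must be a bare account name")
    if not common.get("SECURITY_AD_PREAUTH_PASSWORD"):
        findings.append("SECURITY_AD_PREAUTH_PASSWORD is not set")
    if props.get("USE_SINGLE_SIGN_ON") != "true":
        findings.append("USE_SINGLE_SIGN_ON should be true")
    url = urlsplit(props.get("SINGLE_SIGN_ON_AUTH_URL", ""))
    host = (url.hostname or "").lower()
    # An SPN looks like 'http/fmeserver.domain.net'; compare its host part only.
    spn_hosts = {s.split("/", 1)[1].split(":")[0].lower() for s in spns if "/" in s}
    if host not in spn_hosts:
        findings.append(f"URL host {host!r} matches no SPN host")
    want_scheme = "https" if ssl_enabled else "http"
    if url.scheme != want_scheme:
        findings.append(f"URL protocol is {url.scheme!r}, expected {want_scheme!r}")
    return findings

# Constructed sample input (not from a real installation) with two deliberate mistakes.
SAMPLE_COMMON = "\n".join(f"{k}={v}" for k, v in REQUIRED_COMMON.items()) + (
    "\nSECURITY_AD_PREAUTH_USERNAME=EXAMPLE\\svc_fme\nSECURITY_AD_PREAUTH_PASSWORD=placeholder\n")
SAMPLE_PROPS = ("USE_SINGLE_SIGN_ON=true\n"
                "SINGLE_SIGN_ON_AUTH_URL=http://fmeserver:80/fmetoken/sso/generate\n")

if __name__ == "__main__":
    for finding in check_iwa(SAMPLE_COMMON, SAMPLE_PROPS, ["http/fmeserver.domain.net"]):
        print("FINDING:", finding)
```

On the constructed sample, the script reports the domain-qualified account name and the short host name 'fmeserver', which does not match the SPN host 'fmeserver.domain.net'.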