Creating an Authentication Service Connection
- On the Authentication Services page, ensure the applicable tab is active, depending on the authentication service type to which you want to connect:
  - Windows Active Directory; or
  - Generic Directory: Other LDAP-based directory
- Click New. The Create New Server Connection page opens.
- Complete the fields below, then click OK.
- When finished, proceed to Adding Users and Roles from an Authentication Services Connection.
Create New Server Connection
- Name: Provide a name for the connection.
- Host: The host name or IP address of the authentication service that functions as a domain controller. Round-robin or other load-balancing domain controllers are not supported; however, Alternate Servers may be specified below (under Optional fields).
  Note: If Authentication Type (below) is SASL, and Host is an IP address, you must also specify a Realm.
  To find the host name, do either of the following:
  - From AD Explorer:
    - Select File > Connect..., and click OK, leaving all values blank.
    - If AD Explorer successfully connects to Windows Active Directory, the host name is printed in square brackets.
  - From a domain computer:
    - Open a command prompt (cmd.exe) via the Start menu.
    - Type gpresult /r to display the policy information for the current user.
    - The authentication service appears under 'Group Policy was applied from'.
- Port: The port that is used to communicate with the authentication service. Most common Windows domain configurations use port 389 or 636.
- Connection Encryption: The encryption method to use when authenticating with the authentication service.
  - None: No encryption
  - SSL/StartTLS: Communication is over secure sockets layer (SSL). If StartTLS is specified, SSL/TLS communication is initiated using the STARTTLS command.
  Note: To use a certification authority (CA) certificate for SSL authentication, see Importing a CA Certificate for SSL Connections.
- Search Account Name: A Windows Service Account to use for importing authentication service users and groups into FME Server. This account requires read access to the domain controller. Specify the account in any of the following formats:

Format | Syntax | Example
---|---|---
NT Login | DOMAIN\username | MYCOMPANY\User1
User Principal Name | username@domain.net | User1@MYCOMPANY.INTERNAL
Distinguished Name | CN=...,OU=...,DC=... | CN=User One,OU=Service Accounts,OU=My Company,DC=company,DC=internal

  To find the account name:
  - From AD Explorer, connect to the Active Directory.
  - Browse for and select the entry representing the account.
  - The service account name appears under the 'sAMAccountName' attribute.
- Search Account Password: The password of the authentication service account.
- Account Name Attribute: If the active tab is Generic Directory, the directory attribute to use for user account login in FME Server. Typical attributes are UID, mail, or CN.
- Group Name Attribute: If the active tab is Generic Directory, the directory attribute to use for role name in FME Server. A typical attribute is CN.
- User Class: If the active tab is Generic Directory, the objectClass attribute value that identifies directory users. This value must be consistent for all users, as it is used to search for users in the authentication service. Typical attribute values are inetOrgPerson and organizationalPerson.
- Group Class: If the active tab is Generic Directory, the objectClass attribute value that identifies directory groups. This value must be consistent for all groups, as it is used to search for groups in the authentication service. A typical attribute value is groupOfNames.
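The three Search Account Name formats in the table, and the User Class / Account Name Attribute values that the connection uses to search for users, are the inputs a sync job turns into LDAP operations. The following is an added example, not FME Server code: it classifies an account name as NT login, UPN or distinguished name (splitting the DN per RFC 4514, including backslash escapes), and builds the user-lookup filter with the RFC 4515 escaping that keeps a login containing filter metacharacters from changing the query's structure. The configuration values and sample inputs are constructed; the attribute names follow the text.

```python
"""Classify a Search Account Name and build an escaped LDAP user-lookup filter.

Added example, not FME Server code. USER_CLASS and ACCOUNT_NAME_ATTRIBUTE are constructed
values mirroring the Generic Directory fields described in the text.
"""
import re

# Constructed sample configuration for a Generic Directory connection (assumed values).
USER_CLASS = "inetOrgPerson"        # "User Class" field
ACCOUNT_NAME_ATTRIBUTE = "uid"      # "Account Name Attribute" field

_ATTR_TYPE = re.compile(r"[A-Za-z][A-Za-z0-9-]*")
_HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")
_NT_LOGIN = re.compile(r"^(?P<domain>[^\\/@\s]+)\\(?P<user>[^\\/@\s]+)$")
_UPN = re.compile(r"^(?P<user>[^@\\\s]+)@(?P<domain>[A-Za-z0-9.-]+)$")


def parse_dn(dn):
    """Split a distinguished name into (type, value) pairs per RFC 4514.

    Handles backslash escapes: "\\," keeps a literal comma and "\\2C" decodes a single-byte
    hex pair. Multi-valued RDNs joined with "+" are not split. Raises ValueError when any
    RDN lacks a "type=value" shape.
    """
    rdns, attr_type, buf, i = [], None, [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if _HEX_PAIR.fullmatch(pair):
                buf.append(chr(int(pair, 16)))
                i += 3
            else:
                buf.append(dn[i + 1])
                i += 2
            continue
        if ch == "=" and attr_type is None:
            attr_type, buf = "".join(buf).strip(), []
        elif ch == ",":
            rdns.append(_finish_rdn(attr_type, buf))
            attr_type, buf = None, []
        else:
            buf.append(ch)
        i += 1
    rdns.append(_finish_rdn(attr_type, buf))
    return rdns


def _finish_rdn(attr_type, buf):
    value = "".join(buf).strip()
    if attr_type is None or not _ATTR_TYPE.fullmatch(attr_type) or not value:
        raise ValueError("RDN is not of the form type=value")
    return attr_type, value


def classify_account_name(name):
    """Return (format_label, parts) for the three formats the connection accepts."""
    if "=" in name:
        return "Distinguished Name", {"rdns": parse_dn(name)}   # raises on a malformed DN
    m = _NT_LOGIN.match(name)
    if m:
        return "NT Login", {"domain": m["domain"], "user": m["user"]}
    m = _UPN.match(name)
    if m:
        return "User Principal Name", {"user": m["user"], "domain": m["domain"]}
    raise ValueError("not an NT login, UPN or distinguished name: %r" % name)


def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves in an assertion value: \\ * ( ) and NUL."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def user_lookup_filter(login, user_class=USER_CLASS, name_attr=ACCOUNT_NAME_ATTRIBUTE):
    """Build the filter a sync job would use to find one user by login name.

    The configured class value and the login are escaped, so a login containing filter
    metacharacters is matched literally instead of altering the query. Attribute names
    cannot be escaped, so an attribute name that is not a plain descriptor is rejected.
    """
    if not _ATTR_TYPE.fullmatch(name_attr):
        raise ValueError("invalid attribute name: %r" % name_attr)
    return "(&(objectClass=%s)(%s=%s))" % (
        escape_filter_value(user_class), name_attr, escape_filter_value(login))


if __name__ == "__main__":
    for sample in ("MYCOMPANY\\User1", "User1@MYCOMPANY.INTERNAL",
                   "CN=User One,OU=Service Accounts,OU=My Company,DC=company,DC=internal"):
        print(classify_account_name(sample))
    print(user_lookup_filter("jdoe"))
    print(user_lookup_filter("*)(uid=*"))
```

The DN parser is intentionally strict: a value that does not split into `type=value` pairs is rejected rather than guessed at, which is the behaviour you want when the account name ends up in a bind request.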
Authentication
- Authentication Type: Specify the method of authenticating with the authentication service:
  - Basic: SASL authentication is not enabled.
  - SASL: Enables Simple Authentication and Security Layer (SASL).
- SASL Mechanism:
  - GSSAPI: Kerberos V5 authentication
  - GSS-SPNEGO: Simple and Protected GSSAPI Negotiation Mechanism
  - EXTERNAL: Context-implicit authentication
  - DIGEST-MD5: MD5 message digest
- Enable Single Sign-On: If the active tab is Windows Active Directory, this setting, if checked, allows users imported from this connection to auto-connect to FME Server with their Windows credentials.
- Service Account Name: The name of the Windows Service Account to configure for single sign-on, in the format USERNAME (do not specify DOMAIN). To find the account name:
  - From AD Explorer, connect to the Active Directory.
  - Browse for and select the entry representing the account.
  - The service account name appears under the 'sAMAccountName' attribute.
- Service Account Password: The Windows service account password.
Note: To use Single Sign-On, you must also update your Windows domain and web browser configurations. For more information, see Configuring Integrated Windows Authentication.
Optional fields
- Enable Synchronization: When checked, the connection synchronizes with the authentication service at specified intervals. Information that synchronizes includes:
  - Relationships between users and groups. For example, consider User_1, who belongs to Group_1 in FME Server because of a corresponding relationship in the authentication service. If that relationship is subsequently broken in the authentication service, the relationship between User_1 and Group_1 will break in FME Server after the next synchronization interval. Likewise, if an authentication service user changes groups, that change will synchronize in FME Server.
  - Name changes to user accounts on the directory server.
  Note: When synchronization occurs, FME Server ensures that a name change in the authentication service does not break the user's connection to FME Server. However, FME Server does not update the user's login name (Username) or display name (Full Name).
  Note: If Enable Synchronization is not checked, you can still synchronize the connection manually after it is created. For more information, see Performing Other Tasks on Authentication Services Connections (Windows Active Directory, Other LDAP-based Directory, or Azure Active Directory).
- Synchronization Interval: Specify the desired frequency of synchronization.
- KDC Host: If the active tab is Windows Active Directory and SASL Mechanism is GSSAPI, specify the host name or IP address of the Kerberos key distribution centre (KDC). If not specified, the KDC is assumed to be located on the same server as the Active Directory domain controller.
- Realm: If the active tab is Windows Active Directory and SASL Mechanism is GSSAPI or DIGEST-MD5, specify the authentication realm for Kerberos V5 or MD5 message digest authentication. On Active Directory, the authentication realm is the domain name. Specify the capitalized version of the domain name, in its fully-qualified domain name (FQDN) form. For example, if the FQDN is domain.net, use DOMAIN.NET. If not specified, the authentication realm is assumed to be the domain name of the Active Directory domain controller.
  Note: If Host is an IP address, you must specify a Realm.
  To find the realm:
  - From a domain computer:
    - Open a command prompt (cmd.exe) via the Start menu.
    - Do either of the following:
      - Type echo %USERDNSDOMAIN% to display the USERDNSDOMAIN environment variable. The FQDN will print.
      - Type net config workstation to display the network settings for the computer. The FQDN appears under the 'Workstation Domain DNS Name' field.
  OR:
  - Open 'Active Directory Domains and Trusts' from the Start menu.
    - In the console tree (left-hand column), the Windows domains are listed by their FQDNs.
- Search Bases: Specify the distinguished name of a section (sub-tree) of the authentication service that is accessible to the connection. Any sections not specified are not accessible. If not specified, the entire directory is accessible. To find a distinguished name:
  - From AD Explorer, connect to the Active Directory.
  - Browse the directory to determine the location of all users and security groups to be provided access to FME Server.
  - Select an entry to be used as the naming context.
  - The distinguished name appears under the 'distinguishedName' attribute.
- Alternate Servers: Enables FME Server to access the authentication service using alternate Host and Port combinations. This setting may be useful in either of these situations:
  - The authentication service can be accessed from multiple, redundant servers. FME Server uses these servers to access the authentication service in a rotating manner, which distributes the load across them.
  - If one authentication server is inaccessible, FME Server connects to one or more alternate servers.
  To add a Host and Port combination, click +. To remove a Host and Port combination, click -.
- Account Name Attribute: If the active tab is Windows Active Directory, the Active Directory attribute to use for user account login in FME Server. For Windows, leave blank to use the account's pre-Windows 2000 login name (sAMAccountName).
- Account Member Attribute: If the active tab is Generic Directory, the authentication service attribute that contains a user account's group membership. This attribute is not present in all authentication services. However, if present, it can make directory access more efficient. A typical attribute is memberOf.
- Group Name Attribute: If the active tab is Windows Active Directory, the attribute to use for the role name in FME Server. For Windows, leave blank to use the group's pre-Windows 2000 group name (sAMAccountName).
- Full Name Attribute: The authentication service attribute to use for the user account's full name in FME Server. If the active tab is:
  - Windows Active Directory: Leave blank for Windows to use displayName.
  - Generic Directory: A typical attribute is displayName.
- Email Attribute: The authentication service attribute to use for the user account's email address in FME Server. If the active tab is:
  - Windows Active Directory: Leave blank for Windows to use the account's email address (mail).
  - Generic Directory: A typical attribute is mail.
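The Alternate Servers behaviour described above (rotate across redundant servers to spread load; move on to an alternate when one is inaccessible) is the client-side failover pattern shown in the following added example. It is not FME Server code: the endpoint list and the reachability table are constructed, and the connect function is a stand-in for a real LDAP connect so the example runs offline. The audit list of failures is there because a directory endpoint that silently drops out of rotation is something a defender wants to see in logs.

```python
"""Round-robin over the primary Host/Port and Alternate Servers, with failover.

Added example, not FME Server code. The connect callable is simulated; endpoints and
reachability below are constructed sample data.
"""


class NoReachableServer(Exception):
    """Raised after every configured endpoint has been tried once without success."""


class DirectoryEndpointPool:
    """Rotate across (host, port) pairs, skipping endpoints whose connect attempt fails.

    Each connect() call starts at the endpoint after the one used last time, so load is
    spread across redundant servers; on failure it moves to the next endpoint and only
    raises once a full rotation has failed.
    """

    def __init__(self, endpoints, connect):
        if not endpoints:
            raise ValueError("at least the primary Host and Port are required")
        self._endpoints = list(endpoints)
        self._connect = connect      # callable (host, port) -> connection; raises OSError on failure
        self._next = 0               # index of the endpoint to try first on the next call
        self.failures = []           # (host, port, reason) records for audit logging

    def connect(self):
        """Return ((host, port), connection) for the first reachable endpoint in rotation."""
        n = len(self._endpoints)
        for attempt in range(n):
            idx = (self._next + attempt) % n
            host, port = self._endpoints[idx]
            try:
                conn = self._connect(host, port)
            except OSError as exc:
                self.failures.append((host, port, str(exc)))
                continue
            self._next = (idx + 1) % n   # advance so the next call starts elsewhere
            return (host, port), conn
        raise NoReachableServer("all %d directory endpoints failed" % n)


# Constructed reachability table standing in for real LDAP connects (hypothetical hosts).
REACHABLE = {
    ("dc1.company.internal", 636): True,
    ("dc2.company.internal", 636): False,   # simulated outage
    ("dc3.company.internal", 636): True,
}


def simulated_connect(host, port):
    """Stand-in for an LDAPS connect: succeed or raise according to REACHABLE."""
    if not REACHABLE.get((host, port), False):
        raise OSError("connection refused")
    return "ldaps://%s:%d" % (host, port)


def demo_rotation(calls=3):
    """Run a few connects and return the endpoints used plus the recorded failures."""
    pool = DirectoryEndpointPool(list(REACHABLE), simulated_connect)
    used = [pool.connect()[0] for _ in range(calls)]
    return used, pool.failures


if __name__ == "__main__":
    used, failures = demo_rotation()
    print("endpoints used:", used)
    print("failures:", failures)
```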
When you import user accounts from an Azure AD server, your users can authenticate with FME Server using their Azure AD credentials when they:
- Log in directly to FME Server.
- Publish workspaces from FME Desktop to FME Server, or authenticate in transformers, readers, or writers.
Note: Additional configuration between FME Desktop and Azure AD is required. For more information, see Create an FME Server Azure Active Directory Web Connection in FME Desktop.
Getting Started
In order for FME Server to communicate with Azure AD, you must create and register FME Server as an enterprise application in Azure AD. Follow the procedure in Configuring Azure Active Directory with FME Server. When finished, proceed as follows:
On the Authentication Services page, ensure the Azure Active Directory tab is active, and click New. The Create New Azure AD Tenant page opens. Complete the fields below, then click OK. When finished, proceed to Adding Users and Roles from an Authentication Services Connection.
- Name: Provide a name for the connection.
- Tenant ID: The Directory (tenant) ID that applies to the FME Server registration.
- Tenant Type: Whether the tenant for this connection is a Primary or Secondary tenant. Secondary can be specified only if FME Server is registered in Azure AD to support multiple tenants. Additionally, both of the following conditions must be fulfilled in Azure AD:
  - The tenant is granted secondary tenant access to FME Server.
  - FME Server is granted access to the users and groups of the secondary tenant.
  For more information, see Granting Secondary Tenant Access to FME Server in Azure AD.
- Client ID: The Application (client) ID that was generated for the FME Server registration.
- Client Secret: The client secret value of the registered app. (The secret ID is not required.)
- Enable Synchronization: When checked, the connection synchronizes with the authentication service at specified intervals. Information that synchronizes includes:
  - Relationships between users and groups. For example, consider User_1, who belongs to Group_1 in FME Server because of a corresponding relationship in the authentication service. If that relationship is subsequently broken in the authentication service, the relationship between User_1 and Group_1 will break in FME Server after the next synchronization interval. Likewise, if an authentication service user changes groups, that change will synchronize in FME Server.
  - Name changes to user accounts on the directory server.
- Synchronization Interval: Specify the desired frequency of synchronization.
Note: When synchronization occurs, FME Server ensures any authentication services name change does not break the user's connection to FME Server. However, FME Server does not update the user's login name (Username) or display name (Full Name).
Note: If Enable Synchronization is not checked, you can still synchronize the connection manually after it is created. For more information, see Performing Other Tasks on Authentication Services Connections (Windows Active Directory, Other LDAP-based Directory, or Azure Active Directory).
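The synchronization rules stated for both the LDAP connection and the Azure AD connection (group relationships follow the directory; a directory-side rename does not break the user's link to FME Server; Username and Full Name are not rewritten) are modelled in the following added example, which is not FME Server code. It assumes that accounts are matched on a stable directory identifier (objectGUID in Active Directory, the object ID in Azure AD) rather than on the login name, since that is what lets the link survive a rename. All user and group data is constructed.

```python
"""One synchronization pass of directory users and groups against local accounts.

Added example, not FME Server code. Matching on a stable identifier (assumed to be
objectGUID / object ID) is what keeps a renamed directory user linked to its local account.
Sample users, groups and identifiers are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DirectoryUser:
    object_id: str        # stable identifier returned by the directory (assumed)
    account_name: str     # current value of the Account Name Attribute
    full_name: str        # current value of the Full Name Attribute
    groups: frozenset     # Group Name Attribute values of the groups the user belongs to


@dataclass
class LocalUser:
    object_id: str
    username: str
    full_name: str
    roles: set


def synchronize(local_users, directory_users):
    """Return (updated local users keyed by object_id, audit actions) for one interval.

    Only accounts present on both sides are changed. The text does not say what happens
    to an account that has disappeared from the directory, so those are reported and
    left untouched here.
    """
    by_id = {u.object_id: u for u in directory_users}
    updated, actions = {}, []
    for oid, lu in local_users.items():
        du = by_id.get(oid)
        if du is None:
            actions.append(("not-in-directory", lu.username))
            updated[oid] = lu
            continue
        # Group relationships follow the directory: add new memberships, drop broken ones.
        for g in sorted(du.groups - lu.roles):
            actions.append(("add-to-role", lu.username, g))
        for g in sorted(lu.roles - du.groups):
            actions.append(("remove-from-role", lu.username, g))
        # A rename is detected and logged, but Username and Full Name are deliberately kept.
        if du.account_name != lu.username or du.full_name != lu.full_name:
            actions.append(("renamed-in-directory", lu.username, du.account_name))
        updated[oid] = LocalUser(oid, lu.username, lu.full_name, set(du.groups))
    return updated, actions


# Constructed state before the interval: User_1 and User_2 both belong to Group_1 locally.
LOCAL_BEFORE = {
    "guid-0001": LocalUser("guid-0001", "User_1", "User One", {"Group_1"}),
    "guid-0002": LocalUser("guid-0002", "User_2", "User Two", {"Group_1"}),
}

# Constructed directory listing at sync time: User_1 was renamed and moved to Group_2.
DIRECTORY_NOW = [
    DirectoryUser("guid-0001", "user.one", "User One", frozenset({"Group_2"})),
    DirectoryUser("guid-0002", "User_2", "User Two", frozenset({"Group_1"})),
]


def run_demo():
    return synchronize(LOCAL_BEFORE, DIRECTORY_NOW)


if __name__ == "__main__":
    updated, actions = run_demo()
    for action in actions:
        print(action)
    print("User_1 login after sync:", updated["guid-0001"].username)
```

Keying on the login name instead of the stable identifier would turn the rename into a delete-and-create, which is exactly the broken link the documentation says synchronization avoids.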
What's Next?
Proceed to Adding Users and Roles from an Authentication Services Connection.