Single Sign-On Authentication Failure (Cross-Domain User)

Log file messages:

(Single Sign-On) Negotiation complete; authentication granted for user "...".

(Single Sign-On) Failed authentication because user "..." could not be found in Active Directory.

Cause 1

Single sign-on authentication was attempted and succeeded, but the user does not exist in the configured Windows domain.

Resolution 1

Ensure that the user account used to log into the client machine is a part of the Windows domain that FME Flow is configured to use.

For example, if FME Flow is configured to use Active Directory for 'Domain1', clients logged in using a 'Domain2' user account will not be able to authenticate with FME Flow.

Cause 2

Single sign-on authentication was attempted and succeeded, but FME Flow did not have the right privileges to find the user. This may be caused by the service account setting 'Do not require Kerberos preauthentication'.

Resolution 2

Kerberos pre-authentication must be enabled for the service account. See Updating the Windows Domain Configuration for information on how to configure the service account.