Question

SSO cross domain users

  • 15 March 2018
  • 2 replies
  • 3 views


Hi all,

I have a question regarding single sign-on into FME Server.

I have installed FME Server on a domain (let's call it "Domain A") and I have configured SSO for the users in Domain A. I tried to log in on a client using a Domain A account and then, using Internet Explorer, I logged into FME Server in SSO mode, and it works fine.

Now I have another domain (let's call it "Domain B") that has a bidirectional trust with Domain A.

In FME Server I added the connection to the Domain B’s Active Directory and imported the users from this domain.

I tried to log in on a client using a Domain B account and then, using Internet Explorer, I logged into FME Server in SSO mode, but it does not work.

The returned message is “You are not authorized to access this web application”

Can someone tell me whether I also need to set the service principal name, using the setspn command, in Domain B?

Thanks in advance

Roberto


2 replies


Hi @roberto

After importing the Domain B users into FME Server, do you have users from both A and B imported?

Are you able to sign in (without SSO) using user details from both domains?

Can you sign in using SSO as any user from Domain A or B?

Do you see any errors in the fmeServer_* log files? Look for messages with '(Active Directory)' or '(Single Sign-On)'. These files are located in <FMEServerDir>/Logs.

Active Directory in 2017+ is case sensitive for user credentials. I don't know if there's any way you can confirm what is being sent/used to sign in; maybe there's something unexpected going on there.

I'm not sure that this is a configuration that we've tested - so at the moment cannot confirm if you should expect to be able to do this. However, SSO is currently not supported for multiple domains - I will get clarification if this includes bi-directional modes.
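As an added diagnostic for the cross-domain SSO question above (this is not part of the original thread and not FME Server's own tooling; it uses only standard Windows commands), the following PowerShell session checks each piece a Kerberos SSO login across a trust depends on: that the Domain B client sees the trust, that the HTTP service principal name is registered exactly once, that a Domain B user can actually obtain a service ticket for it, and what the fmeServer_* logs say when the attempt fails. The hostname, service account and install directory are assumptions.

```powershell
# Added diagnostic; not from the original thread or from FME Server. Uses only
# standard Windows tools (nltest, setspn, klist, Select-String).
# All names below are assumptions; replace them with your own values.
$fmeHost      = "fme.domaina.example"         # assumed hostname of the FME Server web front end
$spn          = "HTTP/$fmeHost"               # SPN a browser requests for an HTTP service on that host
$svcAccount   = "svc_fme"                     # assumed Domain A account that runs the FME Server web service
$fmeServerDir = "C:\Program Files\FMEServer"  # assumed install directory; adjust to your <FMEServerDir>

# Step 1 (on a Domain B client, logged in as the Domain B user):
# confirm the client's own domain actually sees the trust to Domain A.
nltest /trusted_domains

# Step 2 (on any domain-joined machine): confirm the SPN exists and is registered
# exactly once. Kerberos needs the SPN on the account that runs the service; a
# missing or duplicate SPN makes Internet Explorer silently fall back to NTLM,
# so the server never receives a Kerberos ticket at all.
setspn -Q $spn            # which account, if any, holds the SPN
setspn -L $svcAccount     # every SPN registered on the service account
setspn -X                 # report duplicate SPNs in the forest

# Step 3 (on the Domain B client): drop cached tickets, then ask the KDC for a
# service ticket to the FME Server SPN. If this succeeds, the trust path and the
# SPN are fine and the failure is on the server side (user/group mapping). A
# KDC_ERR_S_PRINCIPAL_UNKNOWN error means no KDC on the referral path knows the SPN.
klist purge
klist get $spn
klist                     # the HTTP/$fmeHost ticket should now be listed

# Step 4 (on the FME Server host): pull the Active Directory and Single Sign-On
# messages out of the fmeServer_* logs for the failing login attempt.
Get-ChildItem -Path (Join-Path $fmeServerDir "Logs") -Filter "fmeServer_*" |
    Select-String -Pattern '\(Active Directory\)|\(Single Sign-On\)' |
    Select-Object -Last 50
```

Run steps 1 and 3 on the Domain B client as the Domain B user, step 2 from any machine in the forest, and step 4 on the server. Internet Explorer only attempts Kerberos (Negotiate) for sites in its Local intranet zone or otherwise trusted for integrated authentication, so also confirm that the FME Server URL is in that zone on the Domain B client; a ticket that klist shows but the browser never sends points there rather than at the SPN.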


Hi Jennifer,

Thanks for your input. We checked what you suggested.

So far the issue does not seem to be solved. I will ask the sysadmin to check again with additional use cases and let you know.
