A new Flexera Community experience is coming on November 25th, click here for more information.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

FNMS Account Authentication

How does FNMS Authenticate user from active directory?

Since the passwords are not part of the objects that are brought in via the adldap, how does FNMS verify that the details the user is logging in with are correct?

https://community.flexera.com/t5/FlexNet-Manager-Knowledge-Base/What-Active-Directory-data-elements-are-imported-by-FlexNet/ta-p/6030

We have had instances where access is granted to accounts brought in via a beacon (AD) but they still could not log in to the FNMS portal.

 

(11) Replies

Hi @sibusison7 , 

I assume you are using FNMS OnPremise. After AD connection on the beacon brings in the users, you need to create the account for users that should be accessing FNMS. Here is the documentation link for it: https://docs.flexera.com/FlexNetManagerSuite2021R1/EN/WebHelp/index.html#tasks/Accounts-Create_Acc_onPrem.html

You will see the following in the documentation link, which will answer your question about how does FNMS authenticate users: 
Operators throughout your enterprise may log in to interactive accounts using Windows authentication (using the accounts saved in Active Directory); or, if your enterprise has implemented single sign-on with a SAML 2.0-compliant tool, authentication may use your chosen identity provider, such as Okta. The two modes cannot be mixed. 

I hope this helps.

Thanks!

Ex-Flexera

Hi,

 

Thank you for this, and the documentation does help. However we have the accounts created in FNMS and given the standard "Operator" role. in additional to that the windows authentication ports have also been opened, that is 636, 389. 

Are there perhaps any additional port that need to be opened?

@sibusison7 - What error are your users seeing in their browser when they attempt to access the FNMS web site?  What specific browser are they using?

The browser prompt for creds as normal but after the user enters details the login window reappears. (Please see attached)

We've tested this on Google chrome and IE with the same results.

 

That seems to be an invalid URL.  The URL that should be used to log into FlexNet Manager will be something like:

https://servername/suite

We have tested several links to the application server with the same results.

https://servername/Suite
https://servername/Suite/Management/Dashboard

The 1st link redirects to the dashboard.

The first URL is correct.  Putting in a URL of https://dcpflexapp01/suite
and then putting in your AD Credentials should launch the Management Dashboard.  That is the only entry point into the FNMS Web UI.

That is correct. However the Management Dashboard does not launch, instead the login window prompts again.
It there a way that we can perhaps audit the login attempt? we're not seeing anything in the WebUI log either?

Also is there documentation that details how the authentication happens when logging in to FNMS?

If you are getting a 401/Unauthorized error, tt likely means may also mean that this specific AD Account has not been properly set up an an operator within FNMS.  If you log into FNMS as an Administrator and go to the Account page and search for that AD Account, do you see it listed as an Account within FNMS and has it been assigned to an FNMS Security Role?

If the logon prompt in the browser is popping up again, that normally means that the Logon/Password credentials being entered into the browser are not being accepted by Active Directory.

@sibusison7 I also faced this issue, I enabled Anonymous authentication on iis later didn't  get to see this again. 

@kclausen I'm having a similar issue, and the account has administrator privileges also. The user is unable to login via chrome (it prompts for login and doesn't accept the credentials) however, can login using Edge but everytime the page refreshes, it asks for the login (and closing the login screen works but annoys the user). Kindly advise.

 

I understand that with the Windows authentication enabled and the account with the appropriate role if login using any browser, the windows authentication takes the default local credentials and automatically log the user without prompting for the credentials.