Re: FNMS Account Authentication

sibusison7 · ‎Mar 04, 2022

How does FNMS Authenticate user from active directory?

Since the passwords are not part of the objects that are brought in via the adldap, how does FNMS verify that the details the user is logging in with are correct?

https://community.flexera.com/t5/FlexNet-Manager-Knowledge-Base/What-Active-Directory-data-elements-are-imported-by-FlexNet/ta-p/6030

We have had instances where access is granted to accounts brought in via a beacon (AD) but they still could not log in to the FNMS portal.

Alpesh_Gohil · ‎Mar 06, 2022

Hi @sibusison7 ,

I assume you are using FNMS OnPremise. After AD connection on the beacon brings in the users, you need to create the account for users that should be accessing FNMS. Here is the documentation link for it: https://docs.flexera.com/FlexNetManagerSuite2021R1/EN/WebHelp/index.html#tasks/Accounts-Create_Acc_onPrem.html

You will see the following in the documentation link, which will answer your question about how does FNMS authenticate users:
Operators throughout your enterprise may log in to interactive accounts using Windows authentication (using the accounts saved in Active Directory); or, if your enterprise has implemented single sign-on with a SAML 2.0-compliant tool, authentication may use your chosen identity provider, such as Okta. The two modes cannot be mixed.

I hope this helps.

Thanks!

Ex-Flexera

sibusison7 · ‎Mar 12, 2022

Hi,

Thank you for this, and the documentation does help. However we have the accounts created in FNMS and given the standard "Operator" role. in additional to that the windows authentication ports have also been opened, that is 636, 389.

Are there perhaps any additional port that need to be opened?

kclausen · ‎Mar 14, 2022

@sibusison7 - What error are your users seeing in their browser when they attempt to access the FNMS web site? What specific browser are they using?

sibusison7 · ‎Mar 14, 2022

The browser prompt for creds as normal but after the user enters details the login window reappears. (Please see attached)

We've tested this on Google chrome and IE with the same results.

kclausen · ‎Mar 14, 2022

That seems to be an invalid URL. The URL that should be used to log into FlexNet Manager will be something like:

https://servername/suite

sibusison7 · ‎Mar 14, 2022

We have tested several links to the application server with the same results.

https://servername/Suite
https://servername/Suite/Management/Dashboard

The 1st link redirects to the dashboard.

kclausen · ‎Mar 14, 2022

The first URL is correct. Putting in a URL of https://dcpflexapp01/suite
and then putting in your AD Credentials should launch the Management Dashboard. That is the only entry point into the FNMS Web UI.

sibusison7 · ‎Mar 14, 2022

That is correct. However the Management Dashboard does not launch, instead the login window prompts again.
It there a way that we can perhaps audit the login attempt? we're not seeing anything in the WebUI log either?

Also is there documentation that details how the authentication happens when logging in to FNMS?

kclausen · ‎Mar 14, 2022

If you are getting a 401/Unauthorized error, tt likely means may also mean that this specific AD Account has not been properly set up an an operator within FNMS. If you log into FNMS as an Administrator and go to the Account page and search for that AD Account, do you see it listed as an Account within FNMS and has it been assigned to an FNMS Security Role?

If the logon prompt in the browser is popping up again, that normally means that the Logon/Password credentials being entered into the browser are not being accepted by Active Directory.

ReshmaB · ‎Aug 23, 2022

@sibusison7 I also faced this issue, I enabled Anonymous authentication on iis later didn't get to see this again.

TMGSLM · ‎Aug 23, 2022

@kclausen I'm having a similar issue, and the account has administrator privileges also. The user is unable to login via chrome (it prompts for login and doesn't accept the credentials) however, can login using Edge but everytime the page refreshes, it asks for the login (and closing the login screen works but annoys the user). Kindly advise.

I understand that with the Windows authentication enabled and the account with the appropriate role if login using any browser, the windows authentication takes the default local credentials and automatically log the user without prompting for the credentials.