This post is another that comes from Jeff Cutting, a lead developer of FRx.
It was originally posted as an answer to a question about FRx Security, Solomon and SP10 (in my SP10 post), but there is plenty of non-Solomon specific information. I thought it valuable enough to have its own post! Thank you Jeff. —Jan
I’m going to give an overall explanation of FRx security to help anyone that might be interested (for any GL), and then I will drill into the specifics for Solomon.
Before I get started, I’d like to clear up one thing – we NEVER require db_datawriter for direct SQL users with FRx, so that KB article is incorrect.
There are two different types of security involved when you’re using FRx. One is your GL system’s security, the other is FRx security.
GL system security is in place regardless of the state of FRx security. When you select a company in FRx, we authenticate you with your GL system. The way we do that is different with each GL, but this typically requires credentials to be entered. For some GLs, direct database access is required, so you enter a SQL login and password. Other GLs provide their own security methods that we use, and those typically require a login and password for that GL system.
When FRx security is NOT turned on, any user can start FRx and access demo companies, report definitions, etc. When you select a GL company, you are asked for credentials. The login dialog will have a title of “Database Login for Company “. These credentials are used to access your GL system. Once you enter valid credentials, the company is set as default, and FRx allows you to continue.
When FRx security is turned on, the first thing you will see when you start FRx is a login dialog. This dialog will have a title of “Security Login”. If you don’t enter valid credentials here, you aren’t allowed to use FRx.
Now here’s where people often (understandably) get confused. When you select a GL company after logging in to FRx security, FRx tries to do help you out by passing your FRx credentials straight through to authenticate you with the GL. If your FRx credentials and GL credentials match up (many customers do this), you login only once to access everything. However, if your FRx and GL credentials do not match, you will see a login failure – we tried to authenticate with the GL, and it didn’t work. When you click OK, you will see another login dialog, this time with a title of “Database Login for Company “. Once you enter your GL credentials here, you’re allowed into the company.
What I’ve explained to you so far is the way FRx has worked since FRx 5.x and it still works this way today. Of course, we’ve done some things in FRx 6.7 to make this even better.
As of 6.7 SP3 or SP4 (I can’t remember which), FRx can use Windows authentication to connect to a GL system that uses standard SQL users (Solomon doesn’t). If you choose Windows authentication when configuring the ODBC datasource for your company, FRx will suppress the login dialog for the company and attempt to connect directly to the database with your Windows credentials. With this configuration, you either enter just FRx credentials and you go straight into your companies, or you enter no credentials at all (if FRx security is not enabled).
So now we’ve come to Windows authentication and SP10. As you’ve noticed, you no longer see the Use Network ID option in FRx 6.7 SP10. For several years, I have been telling any customer using FRx security to avoid that option. It was added back in the Windows 9x days, and it’s simply not secure past Windows 9x – I’ll leave it at that. For SP10, I finally got to remove it, which made me quite happy.
With SP10, you can now add users directly from Windows. We allow multiple scenarios for this:
1) Add a new Windows user by creating a new user, choosing Windows authentication, and then selecting the user.
2) Convert an existing FRx application user by selecting the user, choosing Windows authentication, and then selecting the user.
3) Add multiple Windows users at once by clicking the Add Windows Users button – you can choose several users, click OK, and we’ll create new FRx accounts for each one.
4) Upgrade from Use Network ID to Windows authentication. After SP10 is installed, any FRx administrator that logs in will be asked to map network users to Windows users.
When you convert an existing FRx user to a Windows user, FRx even updates groups, reporting trees, catalogs, and specification set security for that user. Please note, however, that the user must still use their old credentials to access previously-generated reports in the DrillDown Viewer.
Once your Windows user is added in FRx, you can choose “Use Windows authentication” in the Security Login dialog the first time you log in, and from that point forward, you’ll get right in when you start FRx. Please note, however, that FRx will still try to pass your FRx credentials (now a Windows user and no password) straight through to the GL. If that fails (it probably will), just click OK, then enter your GL credentials.
Now for the Solomon specifics …
When you set up a Solomon company, you’re asked to provide the master password. FRx uses the master login (’master’ for older versions of Solomon, ‘master60sp’ for newer releases) and the password you provide to connect to the SQL Server and Solomon database. From there, we use the credentials you provide in the “Database Login for Company ” dialog to authenticate you with Solomon. If the user you enter in that dialog does not exist in Solomon, you won’t get in. The error you’re currently seeing tells me that FRx isn’t able to connect to the SQL database. Make sure you’re logged into FRx as an FRx admin, then edit the company, go to the System Specific Information tab, and enter the password for the ‘master’ SQL user.
I should also point out that the Dynamics SL (formerly Solomon) team added Windows authentication in their 7.0 release, and we support their implementation of Windows authentication in SP10. To use Windows authentication to connect to Dynamics SL 7.0, just edit the company in FRx and select the “Use Windows authentication” check box on the System Specific Information tab.
That’s pretty much it. I apologize for the length of this post, but I hope the details will help anyone who happens to find this.
**This posting is provided “AS IS” with no warranties, and confers no rights.**