
The system cannot contact a domain controller to service the authentication request

Last updated on 18 October 2023

Overview

Starting with release 23.8 (August 2023), users might see an error like "The system cannot contact a domain controller to service the authentication request…" when logging in to a vault.


Details

The issue appears because the M-Files Desktop Client was updated to use a newer protocol for Windows authentication: it now defaults to Kerberos, where it previously defaulted to NTLM. Kerberos is considered more secure than NTLM, so the change is intentional and there are no plans to roll it back.

This issue can therefore occur when the following conditions are met:

  • The vault connection is made as the Current or a Specific Windows user, without federated authentication. This limits the issue to on-premises setups, since Windows authentication is not available for cloud vaults.
  • The client computer is not connected to the Windows domain network, so it cannot reach a domain controller to obtain a Kerberos ticket.
  • The connection protocol is something other than TCP/IP. (Switching to TCP/IP does not help: TCP/IP connections have used the newer authentication protocol for longer and would have hit this issue earlier.)
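Before changing any M-Files setting, it is worth confirming that the client really cannot reach a domain controller, since that is the precondition for this error. The following PowerShell script is an added example, not part of the M-Files article or product; it uses only built-in Windows tooling (nltest, klist and the .NET DirectoryServices classes). The output pattern matched for klist (the string "krbtgt") is an assumption about the tool's output format.

```powershell
# Added diagnostic (not from the M-Files article): check whether this client can
# reach a domain controller, i.e. whether Kerberos authentication can work at all.
function Test-KerberosReadiness {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        Write-Warning 'Not domain-joined: Windows authentication to the vault cannot use Kerberos.'
        return $false
    }

    # nltest locates a DC for the machine's domain; a non-zero exit code means none
    # is reachable (typical for a laptop off the corporate network with the VPN down).
    $null = & nltest /dsgetdc:$($cs.Domain) 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "No domain controller reachable for $($cs.Domain); connect the VPN or use another login method."
        return $false
    }

    # Second opinion through .NET: FindDomainController() throws if no DC answers.
    try {
        $dc = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().FindDomainController()
        Write-Host "Domain controller in use: $($dc.Name)"
    } catch {
        Write-Warning "Domain lookup failed: $($_.Exception.Message)"
        return $false
    }

    # A Kerberos ticket-granting ticket must exist for the current logon.
    # 'klist tgt' prints it; the 'krbtgt' service name is assumed to appear in that output.
    $tgt = & klist tgt 2>&1 | Out-String
    if ($tgt -match 'krbtgt') {
        Write-Host 'Kerberos TGT present; the vault login should be able to use Kerberos.'
    } else {
        Write-Warning 'No TGT in the ticket cache (cached-credential logon?); Kerberos to the vault will fail.'
    }
    return $true
}

Test-KerberosReadiness
```

If the function returns $false, the client is in exactly the situation the list above describes, and one of the workarounds below is needed; if it returns $true with a TGT present, the error has another cause and forcing NTLM is unlikely to help.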

Solution/workaround

There are a few ways to avoid this situation:

  • Use Federated Authentication (OAuth)
  • Use M-Files Login account
  • Connect the client to the Domain Network
  • Use the Web Client
  • Switch back to NTLM
    • Notes on API usage


Use Federated Authentication (OAuth)

You can use Federated Authentication (OAuth) to avoid this issue.

In such a setup the client contacts the identity provider (IDP, such as Azure AD) rather than the domain controller, so the client does not need to reach the domain network at all.

For details on setting this up, start from the Vault Authentication article: https://userguide.m-files.com/user-guide/latest/eng/document_vault_authentication.html


Use M-Files Login Account

M-Files internal authentication can be used as a workaround if the registry setting below is hard to manage, or if a small number of users need a quick way in until another method can be implemented. To do this, create a new login account that uses M-Files authentication and assign it to the vault user account; those users then log in with an M-Files username and password instead of against Windows and the domain controller.

Connect the client to the Domain Network

The issue mostly affects people working from home or other external users who are not connected to the company (domain) network.

The primary solution is therefore to connect through VPN. Kerberos requires the client to reach a domain controller, so a connection to the domain network is needed for the most secure form of Windows authentication.

Use the Web Client

Depending on the setup (e.g., whether the web client is deployed at all and whether the users have access to it), it may be used as a path forward, at least temporarily.

With the web client, the login happens on the IIS server and the M-Files server, so if those servers have connection to the domain controller, the login can succeed.

Switch back to NTLM

If the better options above cannot be used, the M-Files Desktop Client can be forced to ask the OS to use the older NTLM protocol.

Important Notes:

  • For security reasons, reverting to NTLM is not considered good practice, so explore all the other options before taking this route.
  • Microsoft has announced that it is deprecating NTLM in Windows 11. The schedule is not known, but it means the NTLM fallback might not remain usable for long.

To do this, create the registry value SPN with the data NTLM for the vault connection on the client machine and then restart the M-Files Client service:

Registry Key:   HKEY_CURRENT_USER\Software\Motive\M-Files\{version}\Client\MFClient\Vaults\{vaultname}

Value name: SPN

Value type: String value

Value data: NTLM

Note: The same workaround should work for the M-Files Admin tool (server tool). Create the same SPN = NTLM value under the MFAdmin key:

Registry Key:  HKEY_CURRENT_USER\Software\Motive\M-Files\{version}\ServerTools\MFAdmin\Servers\{servername}

Value name: SPN

Value type: String value

Value data: NTLM
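Applying the value by hand to every vault connection and every Admin server entry is error-prone, and the change should be easy to audit and to undo once a better option is in place. The following PowerShell functions are an added example, not part of the M-Files article or product: they locate the Vaults and Servers keys described above under every M-Files version key present for the current user, set or remove the SPN value, and restart the client service. The assumptions are that the version key is the only level between HKCU:\Software\Motive\M-Files and the Client or ServerTools subtrees, and that the client service's display name starts with "M-Files Client".

```powershell
# Added example (not from the M-Files article): manage the SPN=NTLM workaround
# for the Desktop Client (per vault) and M-Files Admin (per server) registry keys.
$MFilesRoot = 'HKCU:\Software\Motive\M-Files'   # per-user root named in the article

function Get-MFilesSpnTargets {
    # Every key that, per the article, accepts the SPN value:
    #   {version}\Client\MFClient\Vaults\{vaultname}
    #   {version}\ServerTools\MFAdmin\Servers\{servername}
    foreach ($ver in Get-ChildItem -Path $MFilesRoot -ErrorAction SilentlyContinue) {
        foreach ($sub in 'Client\MFClient\Vaults', 'ServerTools\MFAdmin\Servers') {
            $p = Join-Path -Path $ver.PSPath -ChildPath $sub
            if (Test-Path $p) { Get-ChildItem -Path $p }
        }
    }
}

function Get-MFilesSpnStatus {
    # Audit view: which connections currently force NTLM (SPN empty = Kerberos default).
    Get-MFilesSpnTargets | ForEach-Object {
        [pscustomobject]@{
            Key = $_.PSChildName
            SPN = (Get-ItemProperty -Path $_.PSPath -Name SPN -ErrorAction SilentlyContinue).SPN
        }
    }
}

function Set-MFilesSpnNtlm {
    param(
        [string]$Name = '*',   # vault or server name; wildcard applies to all
        [switch]$Revert        # remove the value so the client negotiates Kerberos again
    )
    foreach ($k in Get-MFilesSpnTargets | Where-Object { $_.PSChildName -like $Name }) {
        if ($Revert) {
            Remove-ItemProperty -Path $k.PSPath -Name SPN -ErrorAction SilentlyContinue
            Write-Host "Removed SPN from $($k.PSChildName)"
        } else {
            # String value SPN = NTLM, exactly as the article specifies.
            Set-ItemProperty -Path $k.PSPath -Name SPN -Value 'NTLM' -Type String
            Write-Host "Set SPN=NTLM on $($k.PSChildName)"
        }
    }
    # The article requires a restart of the M-Files Client service for the value
    # to take effect; the display-name pattern is an assumption. Needs admin rights.
    Get-Service -DisplayName 'M-Files Client*' -ErrorAction SilentlyContinue |
        Restart-Service -Force
}

# Typical use: audit, apply to one vault, audit again, and later revert.
Get-MFilesSpnStatus
Set-MFilesSpnNtlm -Name 'Sample Vault'
Get-MFilesSpnStatus
# Set-MFilesSpnNtlm -Revert
```

Keep the audit output with the change record: because NTLM is the less secure protocol and Microsoft is deprecating it, every connection that has SPN=NTLM set should be known and reverted as soon as VPN access, federated authentication or the web client is available.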

Notes on API Usage

If you use the M-Files API, you can define the protocol when creating the connection and set it to NTLM.

See the ConnectEx3 reference and its "SPN" argument, which can be set to "NTLM": https://developer.m-files.com/APIs/COM-API/Reference/#MFilesAPI~MFilesServerApplication~ConnectEx3.html
