Known Issue: Single Sign-On fails with WARN 'No SASL mechanism was specified in configuration'

Liz Sanderson

FME Version

  • FME 2021.0
Known Issue ID FMESERVER-16571
Discovered 2021.0 b21302
Affects 2021.0 b21302+
Resolved 2021.0.1 b21313

Symptom

When you create a new Active Directory Connection in FME 2021, you can log in to FME Server by manually typing your user credentials, but single sign-on login fails. In fmeserver.log (<FMEServerSystemShare>\Resources\Logs\Core\Current) there are warnings that FME cannot use SASL because the configuration is incomplete:
 

(Directory Server) No SASL mechanism was specified in configuration.
...
(Directory Server) Not using SASL for authentication, because configuration is incomplete.
(Directory Server) Configured to use simple authentication.
(Directory Server) Successfully connected to 10.1.152.55.
(Single Sign-On)   Using pre-authenticated credentials (for a service account) to create server credentials...
(Single Sign-On)   Created server credentials.
(Single Sign-On)   Negotiation complete; authentication granted for user "user@domain".
Failed login by user YIIG8QYGKwYBBQUCoIIG5TCCBuGgMDAu... due to insufficient credentials.

 

Cause

There is a bug in the Web UI when creating an Active Directory Connection. When you select 'Enable Single Sign-On', the Authentication Type says 'Basic'. If you save the connection and view it again, the Authentication Type is updated to say 'SASL', but the SASL Mechanism says 'Select a choice' and is greyed out.

To use SSO, the Authentication Type must be SASL and the mechanism must be GSSAPI. Because of this GUI bug, the mechanism is undefined and authentication cannot complete successfully.

 

Workaround

Remove the Connection and recreate it using the REST API POST /security/ldap/servers.

  1. Under Directory Servers select the existing connection and 'Remove'
  2. In the top-right corner select Help > REST API
  3. In the top-right corner select Get Token and enter your admin credentials
  4. Go to the API tab and under Security find POST /security/ldap/servers, then configure all the required parameters:
    • authentication=SSO
    • host
    • name
    • port
    • saslMechanism=GSSAPI
    • searchUser
    • searchUserPassword
    • ssoPassword
    • ssoUsername
  5. Click 'Try it out!' and a 201 response should be returned
  6. Return to FME Server to view the new connection, import your AD users/groups and check you can now access FME Server via SSO. 


Alternatively, you could call the REST API using Postman, HTTPCaller in FME Workbench or another API application. 
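The workaround request scripted in Python, as an added example that is not Safe Software's code: it refuses to build the request unless authentication=SSO and saslMechanism=GSSAPI are both set, which is the setting the GUI bug leaves undefined. Assumptions not stated in this article: the /fmerest/v3 base path, the "fmetoken token=" Authorization header, form encoding of the body, the FME_* environment variable names, and the constructed sample host and account names.

```python
"""Added example: recreate the Active Directory connection through the REST API."""
import os
import urllib.parse
import urllib.request

# Parameters the article lists as required for POST /security/ldap/servers.
REQUIRED = ("authentication", "host", "name", "port", "saslMechanism",
            "searchUser", "searchUserPassword", "ssoPassword", "ssoUsername")


def build_form(params):
    """Validate the parameters and return the URL-encoded request body."""
    missing = [k for k in REQUIRED if not str(params.get(k, "")).strip()]
    if missing:
        raise ValueError("missing required parameters: " + ", ".join(missing))
    # The GUI bug leaves the mechanism undefined; SSO only works with GSSAPI.
    if params["authentication"] != "SSO" or params["saslMechanism"] != "GSSAPI":
        raise ValueError("SSO requires authentication=SSO and saslMechanism=GSSAPI")
    return urllib.parse.urlencode({k: params[k] for k in REQUIRED}).encode()


def build_request(base_url, token, params):
    """Return a ready-to-send POST request (nothing is sent here)."""
    # Assumption: REST API v3 base path and fmetoken header scheme.
    url = base_url.rstrip("/") + "/fmerest/v3/security/ldap/servers"
    req = urllib.request.Request(url, data=build_form(params), method="POST")
    req.add_header("Authorization", "fmetoken token=" + token)
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header("Accept", "application/json")
    return req


if __name__ == "__main__":
    # Constructed sample values; secrets come from the environment, not argv.
    params = {
        "authentication": "SSO", "saslMechanism": "GSSAPI",
        "host": "dc01.example.com", "name": "ExampleAD", "port": 389,
        "searchUser": "svc-fme-search@example.com",
        "searchUserPassword": os.environ["FME_SEARCH_PW"],
        "ssoUsername": "svc-fme-sso@example.com",
        "ssoPassword": os.environ["FME_SSO_PW"],
    }
    req = build_request(os.environ["FME_URL"], os.environ["FME_TOKEN"], params)
    with urllib.request.urlopen(req) as resp:
        print(resp.status)  # the article expects 201
```

Reading the passwords and token from the environment keeps them out of shell history and process listings.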

 

Troubleshooting

If you are experiencing issues, please consult our IWA/SSO Troubleshooting Guide. If this does not resolve your problem, contact Safe Software Support. When contacting support, please provide a copy of the fmeserver.log.
