topic LDAP/IWA issues in ArcGIS Enterprise Questions

LDAP/IWA issues

AdamMcSparran — Thu, 30 May 2019 18:30:57 GMT

Hello All!

I'm looking for some help with my Windows Authentication to ArcGIS Enterprise Portal (we are using 10.6.1 at this time).

We are currently configured for IWA, but have to put our network's domain in the username portion to get the account to authenticate with Active Directory (example: networkdomain/amcsparran or amcsparran@networkdomain). Does anyone know a way that if a user from my company just types the username ("amcsparran" in this case) it will automatically default to the Active Directory domain? The goal is for users to just have to put in username and password without the domain.

Also, we've tried the LDAP route which would make this possible, but have had issues with getting it up and running...so any help in that arena would be helpful also, but my understanding is we may need a Java Web Adaptor for that to work, and right now we are running with an IIS web adaptor.

Any ideas would be fantastic!

Re: LDAP/IWA issues

RandallWilliams — Thu, 30 May 2019 19:52:44 GMT

Is your portal exposed to the outside, or just internal/VPN users? If just internal/VPN, I'd personally push out a GPO to add your portal to the list of trusted sites in IE. That way you should get a single signon experience and won't need to manually pass credentials at all, as long as you're logged into the domain.

Re: LDAP/IWA issues

AdamMcSparran — Thu, 30 May 2019 19:57:35 GMT

Hi Randall,

It is open to the outside. I only want users who are on our domain to access Portal, but I want some of my applications and layers to be open to everyone (for say an Open Data Portal). I've been looking at the SAML single sign on option, but I thought I had read somewhere that I cannot use built-in logins as well as SAML. I have Field Workers who are not in Active Directory that use applications in the field, and I want them to be able to access as well. Not to mention we have public facing applications in the works as well. If I can do all that with SAML, then I'm in.

Re: LDAP/IWA issues

RandallWilliams — Thu, 30 May 2019 20:22:40 GMT

I'd strongly recommend SAML over IWA in a situation where you need to share some services to the public but keep others private. You can support both built in and domain users with SAML, but not with IWA.

SAML is by far your best option here. You can even support multi-factor auth with Portal if your SAML provider can support it.

Re: LDAP/IWA issues

AdamMcSparran — Thu, 30 May 2019 20:41:06 GMT

Awesome! Apparently I've gotten some bad information in the past. Going to go forward with SAML.

Thanks Randall!