topic Both single sign-on and anonymous access to Portal for ArcGIS (10.4) in ArcGIS Enterprise Portal Questions

Both single sign-on and anonymous access to Portal for ArcGIS (10.4)

ChristineLarsen — Tue, 24 May 2016 07:06:37 GMT

We've set up our Portal environment using Integrated Windows Authentication (IWA) giving our user a single sign-on experience using Windows Active Directory (AD). The problem we're facing is that any content being accessed by someone without a name user are asked to log on to the Portal even though the content is shared with "everyone".

We want our named users to have the full Portal experience whereas our non-named users should only have access to content that are shared with "everyone". Is there a way to configure both single sign-on and anonymous access to the Portal?

Re: Both single sign-on and anonymous access to Portal for ArcGIS (10.4)

JonathanQuinn — Tue, 24 May 2016 16:50:44 GMT

You can install another web adaptor and leave the authentication at Anonymous and then make sure that "Allow anonymous access to your portal" is enabled. Please note that the recommendation is to disable anonymous access.

I apologize for the misleading information, but after a bit more research and discussion, this is NOT possible. In order to register two different web adaptors with Portal, you need to set the Web Context URL:

This defines an entry point into the Portal, and in the case of multiple web adaptors, it's meant to be a load balancer that can balance requests to the web adapters. Setting the Web Context URL also disables this error from coming up, so you can actually register multiple different web adaptors to Portal, even if you don't intend on using the web context URL to balance requests to them. This may make it seems like you can have multiple web adaptors with different security settings, but that's not the case. To put this in perspective, let's say you have a Portal you want configured with IWA, and you set the Web Context URL to point to a reverse proxy that then points to a web adaptor that is open, for example https://public_portal.domain.com/open. This allows anonymous access. You have a separate web adaptor configured with IWA that's accessible through your internal network, so domain users can sign in and create content, accessible through https://internal_portal.domain.com/iwa. Since only named users create content, all items are created with the URL set to https://internal_portal.domain.com/iwa. When named users create content, the URL for those items are going to point to https://internal_portal.domain.com/iwa, so when external users reach the portal through https://public_portal.domain.com/open, all items will reference https://internal_portal.domain.com/iwa, and they won't be able to reach the item as they can't be authenticated correctly. We are going to update the documentation to explain this further. I'm also interested in how Adam from that other post configured his Portal.

Re: Both single sign-on and anonymous access to Portal for ArcGIS (10.4)

PaulDavidson1 — Sat, 28 May 2016 18:54:25 GMT

Hey Jonathan:

When you get a chance, could reply to my question regarding this scenario in thread:

Portal Login Issues or Limitations?

I think these are basically duplicate threads and I have been told by Esri that Portal can only have one WA.

Thanks...

Re: Both single sign-on and anonymous access to Portal for ArcGIS (10.4)

JonathanQuinn — Mon, 06 Jun 2016 18:10:16 GMT

Paul, not sure if editing a post gives you a notification, but let me know if my updated post makes sense.

Re: Both single sign-on and anonymous access to Portal for ArcGIS (10.4)

GISSupport3 — Thu, 09 Jun 2016 05:24:11 GMT

What version is this supported at? Thanks.

Re: Both single sign-on and anonymous access to Portal for ArcGIS (10.4)

JonathanQuinn — Thu, 09 Jun 2016 20:35:52 GMT

This currently isn't possible at any released version. There's no way to have different entry points into a Portal, as the items contain pointers to only one URL. You'll need to look into using SAML as Randall and a few others mentioned in this thread. Someone did report some success when using two web adaptors, but testing internally, there were certain workflows that failed due to having multiple entry points with different security mechanisms.

Re: Both single sign-on and anonymous access to Portal for ArcGIS (10.4)

ChristineLarsen — Mon, 13 Jun 2016 06:47:08 GMT

Thank you for the feedback. By adding the portal server to trusted sites in IE, we've been able to get rid of the pop-up sign-in window for domain users without a named user license in portal. They are now able to access the content that is shared with everyone.

Re: Both single sign-on and anonymous access to Portal for ArcGIS (10.4)

PaulDavidson1 — Mon, 13 Jun 2016 23:14:51 GMT

Thanks for the detailed update above. Makes sense!

Re: Both single sign-on and anonymous access to Portal for ArcGIS (10.4)

GISSupport3 — Tue, 14 Jun 2016 01:16:01 GMT

That's a shame.

Like others, we would like one Portal with multiple authentication access:

- public, no login, viewe data shared with everyone

- company, login, view data shared with Portal

- user (named), login, view data shared with groups

- other?

Re: Both single sign-on and anonymous access to Portal for ArcGIS (10.4)

AdamRepsher — Mon, 18 Jun 2018 16:24:15 GMT

Christine Larsen‌ - Do you have a Single Sign-On environment for users in Active Directory (don't have to log in to Portal) and anonymous access?

Re: Both single sign-on and anonymous access to Portal for ArcGIS (10.4)

nelsmickaelson — Thu, 17 Oct 2019 14:46:59 GMT

Did you get this question answered?

Is it possible to have a Single Sign-On environment for users in Active Directory (don't have to log in to Portal) and anonymous access?

Re: Both single sign-on and anonymous access to Portal for ArcGIS (10.4)

JonathanQuinn — Thu, 17 Oct 2019 17:18:07 GMT

It's possible if you set up a SplitDNS type approach. Public users are routed to an external entry point, (https://portal.domain.com/portal) that's configured with anonymous access, while internal users are routed to an internal entry point with the same FQDN (https://portal.domain.com/portal). This entry point is configured with IWA.

Aside from that, SAML is your best bet.

Re: Both single sign-on and anonymous access to Portal for ArcGIS (10.4)

Anonymous User — Fri, 13 Dec 2019 04:00:56 GMT

Hi Jonathan Quinn, are you able to please provide more info on how to go about this with a split DNS? I'm trying to do just that (two web servers, one internal with IWA and one external with anon auth). I have set WebContextUrl but I when I install the second Web Adaptor it replaces the first.

I also note in the 10.7 docs that:

Portal for ArcGIS only supports a single DNS.

Re: Both single sign-on and anonymous access to Portal for ArcGIS (10.4)

JonathanQuinn — Thu, 19 Dec 2019 17:14:50 GMT

I'm assuming that the note meant "single FQDN", which is more appropriate.

On each Web Adaptor machine, what happens if you reach the Portal via the Web Adaptor? Does it resolve and take you to the Portal home page?

Re: Both single sign-on and anonymous access to Portal for ArcGIS (10.4)

Anonymous User — Wed, 08 Jan 2020 21:52:32 GMT

I've since discovered that, if you register a Web Adaptor with the same URL as another, the first WA no longer appears in .../portaladmin/system/webadaptors. The first WA continues to work, at least for the first few hours (i.e. it might stop working later after the security tokens expire?). Regardless, this isn't a good solution because future admins won't see the full picture of WAs at .../portaladmin/system/webadaptors.

My solution was to set the Portal's WebContextURL property (e.g. maps.example.com/portal) and then register the WAs with unique URLs based on their machine names' FQDNs (e.g. web1.example.com/portal and web2.example.com/portal). To do this, for each IIS machine I had to:

Acquire an SSL certificate for the machine name FQDN (e.g. web1.example.com/portal),
Bind IIS to that FQDN on HTTPS (in addition to the common web context URL's FQDN),
Visit the WA config page using that FQDN (e.g. web1.example.com/portal/webadaptor),
Configure the WA as usual.

Both WAs now appear in the list because they have unique URLs. Even though the WAs are registered with different URLs, they're still accessed using the common web context URL as IIS remains bound to that FQDN as well as the machine's FQDN.

My presumption is that this is because multiple WAs would normally only be used in high availability deployments. In this scenario, all WAs would have unique URLs, and they would sit behind a load balancer using the web context URL. Therefore, all WAs are expected to have unique URLs. A split DNS needs a bit of trickery to get around this because the WAs genuinely share the same URL.

Re: Both single sign-on and anonymous access to Portal for ArcGIS (10.4)

MicahWilliamson — Fri, 23 Apr 2021 22:08:35 GMT

Hey Guys. If you're here you must be stumped. Some super smart folks in our organization have figured this out and I just want to post their findings. They are OK with me sharing it. I didn't do this, i'm simply conveying what worked for us and our client. (I'm NOT this smart)

Requirement: Allow public access to publicly-shared items in Enterprise GIS, which using IWA for internal users. Server federated w/Portal, client to publish map services, maps and apps to share, some with general public, others with internal users. Does not want anyone to have to log in (except internal users that will have to authenticate with IWA with their domain account on first access).

Software: ArcGIS Enterprise 10.8.1

Configuration:

Two Web Adaptor locations:
- Portal and Server WAs in the DMZ to be accessed by the general public, allow anonymous access
- Portal and Server WAs within the network (on the Portal box), IWA configured
Trusted sites added:
- https://maps.city.il.us/portal
- https://maps.city.il.us/server
Routing:
- Split DNS configured in Palo Alto w/assistance from <IT CONSULTANT>
- External DNS routs traffic to DMZ server
- Internal DNS routs traffic to Portal/WA server
Web Adaptor configuration:
- Installed, configured Server WAs, no complications
- Set Portal WebContextURL to https://maps.city.il.us/portal
- Installed, configured Portal WA on DMZ box, backed up WebAdaptor.config
- Installed, configured Portal WA on Portal box *from internal FQDN URL*, Windows Authentication only in IIS, backed up WebAdaptor.config
- Initial configuration of Portal WA using external URL would only allow one WA to remain, configuration of one cleared out configuration of the other. This seems to be specific to Portal, as Server doesn't do this. But Portal must be unregistering a WA when you try to register a new one on the same URL.
- At the end, both Portal WAs remained configured in Portal, although I think the WebAdaptor.config on the internal box was cleared out and had to be manually overwritten from backed up file.
- Manually changed URL in both WebAdaptor.config files from <URL>https://portalfqdn.intranet.url.local:7443</URL> to <URL>https://maps.city.il.us</URL>. The external WA worked without doing this, but the internal one didn't, so I made the change in both. (Why did I have to do this? Did it have something to do with having the WebContextURL configured? Did it have something to do with internal networking configuration? I only had to do it for the internal WA even though both had the server name as the URL in WebAdaptor.config.)
Testing:
- All testing in incognito or after clearing cache
- WA changes tested after recycling App Pool
- Accessed https://maps.city.il.us/portal externally, clicked 'Sign In' link, directed to standard Portal sign-in page, indicating that DMZ WA is being used and no IWA was applied
- Accessed https://maps.city.il.us/portal while on VPN, clicked 'Sign In' link, prompted for IWA sign-in
- Published sample map service, granted public access, accessed externally without login

Re: Both single sign-on and anonymous access to Portal for ArcGIS (10.4)

StefanUseldinger — Wed, 12 Jan 2022 07:05:06 GMT

I created a second machine and installed my Portal and Server Web Adaptors redundantly. The first machine uses IWA and the second uses anonymous authentication. Internal users are directed to the first server and external users are sent to the second server, but all of them use the same WebContextUrl as a point of entrance.

Re: Both single sign-on and anonymous access to Portal for ArcGIS (10.4)

ChrisCarter3 — Wed, 23 Feb 2022 19:07:14 GMT

I'm trying to do the same - have internal users go to one server and external to another.

Did you have to do any trickery to get the redundant Portal WA installed? I have tried several times, and the last one installed is what shows up in PortalAdmin. I have yet to get more than one Portal WA installed at the same time.

Re: Both single sign-on and anonymous access to Portal for ArcGIS (10.4)

StefanUseldinger — Thu, 24 Feb 2022 07:02:24 GMT

As You can see above in my screenshot, I indeed managed to install both Portal WA on different machines pointing to the same Portal.

In my Enterprise 10.9.0 environment, the existing WA was not overwritten. This is, what happened to You?

Re: Both single sign-on and anonymous access to Portal for ArcGIS (10.4)

ChrisCarter3 — Wed, 04 May 2022 16:33:33 GMT

I did get mine working... I found the following order to work for me:

1. Install Portal

2. Install a web adaptor on the Portal server

3. Set the WebContextURL

4. Install the 2nd web adaptor (in my case this one is in the DMZ.

Question for those who are using both IWA and SAML on the same Portal - how do you handle the different usernames? In my setup, the username sent to Portal is different between IWA and SAML:

The first one came from IWA (username@domain) and the second from ADFS (email address). This creates a problem for managing users and content.