Community
Select to view content in your preferred language

Connect to Portal with IWA

5428
14
Jump to solution
01-05-2017 04:11 PM
JoeHershman
by MVP Regular Contributor
MVP Regular Contributor
‎01-05-2017 04:11 PM

I am trying to connect to a Portal that uses IWA and get an error:

<class 'pywintypes.error'>

Failed Kerberos authentication

I have tried both the domain accounts and the initial administrator account setup with same issue.  Is it possible to login to a site with IWA?  If so what am I not doing correct

target = GIS("https://pmydoamin.com/portal", "user@domain", "pwd", verify_cert=False)

Thanks
Thanks,
-Joe
0 Kudos
1 Solution

Accepted Solutions
RohitSingh2
by Esri Contributor
Esri Contributor
‎01-06-2017 11:19 AM

Hi Joe,

Can you try querying your user object after attempting to connect to your GIS:

target.properties.user.username

Does that report your username?

You're getting 'Failed Kerberos authentication' but NTLM authentication may be succeeding as you're not getting a 'Failed to authenticate using NTLM' error.

Thanks,

Rohit

View solution in original post

14 Replies
ChristianWells
by Esri Regular Contributor
Esri Regular Contributor
‎01-05-2017 07:57 PM

Have you tried created the GIS object without the username or password?

The doc here for IWA points to not using a username or password:

Working with different authentication schemes | ArcGIS for Developers 

It looks like there are some additional requirements for using IWA and the ArcGIS Python API:

"If your portal is configured to pick up your Windows credeintials using NTLM or Kerberos, you can omit passing in the username and password. The ArcGIS Python API is able to figure out when the GIS is using Windows authentication and picks the login credentials from the currently running process providing a seamless and secure login experience. Windows authentication only works on the Windows OS and requires pywin32 and kerberos-sspi python packages."

JoeHershman
by MVP Regular Contributor
MVP Regular Contributor
‎01-06-2017 08:13 AM

Christian,

Even in that situation I get the same error:

I have the two packages installed:

PS C:\Program Files\Anaconda3> pip install kerberos-sspi
Requirement already satisfied: kerberos-sspi in c:\program files\anaconda3\lib\site-packages
Requirement already satisfied: pywin32 in c:\program files\anaconda3\lib\site-packages (from kerberos-sspi)

Using 

from arcgis.gis import GIS
target = GIS("https://portaldev.domain.com/portal")

Gives:

The Security configuration is the IWA from help

{ "type": "WINDOWS", "properties": { "userPassword": "OZGpymvHxMecgY67515cng==", "caseSensitive": "false", "userEmailAttribute": "mail", "user": "ram\\portal", "userFullnameAttribute": "cn", "isPasswordEncrypted": "true" } }

Logging into the Portal works as expected.  We have the zone trusted at the domain level so nothing needs to be configured on individual machines and single sign on works without issue on the machine I have ArcGIS Python installed

Any other thoughts on what might be happening?

Thanks

-Joe

Thanks,
-Joe
0 Kudos
RohitSingh2
by Esri Contributor
Esri Contributor
‎01-06-2017 11:19 AM

Hi Joe,

Can you try querying your user object after attempting to connect to your GIS:

target.properties.user.username

Does that report your username?

You're getting 'Failed Kerberos authentication' but NTLM authentication may be succeeding as you're not getting a 'Failed to authenticate using NTLM' error.

Thanks,

Rohit

JoeHershman
by MVP Regular Contributor
MVP Regular Contributor
‎01-06-2017 11:24 AM

Why yes that does work.  I never though to go any further after I received the error.

Thanks

-Joe

Thanks,
-Joe
0 Kudos
XiaoyiZhang1
by
Emerging Contributor
‎01-06-2017 12:15 PM

Rohit,

Same here. run target.properties.user.username and it returns my username not the one I passed

0 Kudos
RohitSingh2
by Esri Contributor
Esri Contributor
‎01-09-2017 04:54 AM

When using IWA, you should not pass in a username and password. Login credentials will be picked up from the running process.

0 Kudos
XiaoyiZhang1
by
Emerging Contributor
‎01-09-2017 06:13 AM

Rohit,

Try without username/pwd and got same error.

<class 'pywintypes.error'> Failed Kerberos authentication

It did return correct username.

in[0]

=============================

import datetime
import arcgis
from arcgis.gis import GIS
from IPython.display import display

# create a Web GIS object
gis = GIS("https://maps.va.gov/portal", verify_cert=False)
gis.properties.user.username

Out[0]

================================

'ArcGIS@VHAMASTER'

0 Kudos
RohitSingh2
by Esri Contributor
Esri Contributor
‎01-09-2017 06:27 AM

That's a warning message that you can ignore. It was able to log in using IWA using NTLM.

0 Kudos
JoeHershman
by MVP Regular Contributor
MVP Regular Contributor
‎01-09-2017 09:49 AM

Rohit... It would seem that this message is very confusing, and that perhaps in the next release of the API that if login succeeds no warning/error message should occur

Thanks,
-Joe
0 Kudos