Connect to Portal with IWA

4495
14
Jump to solution
01-05-2017 04:11 PM
JoeHershman
MVP Regular Contributor

I am trying to connect to a Portal that uses IWA and get an error:

<class 'pywintypes.error'>

Failed Kerberos authentication

I have tried both the domain accounts and the initial administrator account setup with same issue.  Is it possible to login to a site with IWA?  If so what am I not doing correct

target = GIS("https://pmydoamin.com/portal", "user@domain", "pwd", verify_cert=False)

Thanks
Thanks,
-Joe
0 Kudos
1 Solution

Accepted Solutions
RohitSingh2
Esri Contributor

Hi Joe,

Can you try querying your user object after attempting to connect to your GIS:

target.properties.user.username

Does that report your username?

You're getting 'Failed Kerberos authentication' but NTLM authentication may be succeeding as you're not getting a 'Failed to authenticate using NTLM' error.

Thanks,

Rohit

View solution in original post

14 Replies
ChristianWells
Esri Regular Contributor

Have you tried created the GIS object without the username or password?

The doc here for IWA points to not using a username or password:

Working with different authentication schemes | ArcGIS for Developers 

It looks like there are some additional requirements for using IWA and the ArcGIS Python API:

"If your portal is configured to pick up your Windows credeintials using NTLM or Kerberos, you can omit passing in the username and password. The ArcGIS Python API is able to figure out when the GIS is using Windows authentication and picks the login credentials from the currently running process providing a seamless and secure login experience. Windows authentication only works on the Windows OS and requires pywin32 and kerberos-sspi python packages."

JoeHershman
MVP Regular Contributor

Christian,

Even in that situation I get the same error:

I have the two packages installed:

PS C:\Program Files\Anaconda3> pip install kerberos-sspi
Requirement already satisfied: kerberos-sspi in c:\program files\anaconda3\lib\site-packages
Requirement already satisfied: pywin32 in c:\program files\anaconda3\lib\site-packages (from kerberos-sspi)

Using 

from arcgis.gis import GIS
target = GIS("https://portaldev.domain.com/portal")

Gives:

The Security configuration is the IWA from help

{ "type": "WINDOWS", "properties": { "userPassword": "OZGpymvHxMecgY67515cng==", "caseSensitive": "false", "userEmailAttribute": "mail", "user": "ram\\portal", "userFullnameAttribute": "cn", "isPasswordEncrypted": "true" } }

Logging into the Portal works as expected.  We have the zone trusted at the domain level so nothing needs to be configured on individual machines and single sign on works without issue on the machine I have ArcGIS Python installed

Any other thoughts on what might be happening?

Thanks

-Joe

Thanks,
-Joe
0 Kudos
RohitSingh2
Esri Contributor

Hi Joe,

Can you try querying your user object after attempting to connect to your GIS:

target.properties.user.username

Does that report your username?

You're getting 'Failed Kerberos authentication' but NTLM authentication may be succeeding as you're not getting a 'Failed to authenticate using NTLM' error.

Thanks,

Rohit

JoeHershman
MVP Regular Contributor

Why yes that does work.  I never though to go any further after I received the error.

Thanks

-Joe

Thanks,
-Joe
0 Kudos
XiaoyiZhang1
New Contributor

Rohit,

Same here. run target.properties.user.username and it returns my username not the one I passed

0 Kudos
RohitSingh2
Esri Contributor

When using IWA, you should not pass in a username and password. Login credentials will be picked up from the running process.

0 Kudos
XiaoyiZhang1
New Contributor

Rohit,

Try without username/pwd and got same error.

<class 'pywintypes.error'> Failed Kerberos authentication

It did return correct username.

in[0]

=============================

import datetime
import arcgis
from arcgis.gis import GIS
from IPython.display import display

# create a Web GIS object
gis = GIS("https://maps.va.gov/portal", verify_cert=False)
gis.properties.user.username

Out[0]

================================

'ArcGIS@VHAMASTER'

0 Kudos
RohitSingh2
Esri Contributor

That's a warning message that you can ignore. It was able to log in using IWA using NTLM.

0 Kudos
JoeHershman
MVP Regular Contributor

Rohit... It would seem that this message is very confusing, and that perhaps in the next release of the API that if login succeeds no warning/error message should occur

Thanks,
-Joe
0 Kudos