Cannot log in to Collector on Android using Portal and IWA

5888
7
01-13-2016 08:03 PM
FrankPotempa
Occasional Contributor

When logging into our Portal for ArcGIS in Collector on Android we are constantly denied access. We can enter the Portal address in ColIector and be presented with the login screen however upon entering what would seem to be valid credentials and iterations of we get the following error in Collector; Could not sign in. Please check the url and credentials, and try again. I can see 401 errors caught in fiddler and IIS, Using the same account(s) on iOS is no issue. Have tried several iterations of user login (user@domain, user, user@FQDN). Some of the Android login discussion is here, Android ArcGIS Collector App Cannot Authenticate with Windows Active Directory , which is relevant to our previous configuration with ADFS. We have since moved to a configuration with federation and Windows AD user store and IWA in IIS as outlined here, Using Integrated Windows Authentication with your portal—Portal for ArcGIS (10.3 and 10.3.1) | ArcGI....

Interestingly I can login into portal website from Chrome browser on Android device(s).

Does anyone have this type of configuration and if so what is result. Does it work?

Collector for Android

ArcGIS Portal 10.3.1

Server 10.3.1

IIS7

Win 2008 R2

Answers and comments much appreciated.

Frank

0 Kudos
7 Replies
GISSupport3
Regular Contributor

Go to myportal/webadaptor/organization.html

Look at the username field.

The whole string needs to be used for Android ... not the case for iOS.

0 Kudos
FrankPotempa
Occasional Contributor

So the login would be as shown; user@domain? I have tried this iteration without success.

0 Kudos
GISSupport3
Regular Contributor

Yes ... it is also case sensitive.

0 Kudos
FrankPotempa
Occasional Contributor

This may be the correct syntax for some however we are still being denied access. I have a ticket opened up with my network team as well as ESRI.

According to ESRI on a ticket I have opened they can login with similar environment using domain\user. So we are seeing different variations.

However your stating that the login should match the login used in the web portal page from a browser.

I will post back my findings. 

FrankPotempa
Occasional Contributor

Finally getting back to summarize this issue as we just closed it last week. After exhaustive trouble shooting efforts on behalf of ESRI technical support and and my company's IT group we were unable to resolve the issue. 

ESRI technical support verified that the configuration is supported and ran several tests with a similar environment.They were very diligent in the effort.

Support and testing by my IT group did not find any deliberate blocking of the app or Android device. The same url calls and security chatter is evident from both iOS and Android so we were not able to find anything out of the ordinary. No firewall or AD issues stood out.

So to summarize;

-can reach Portal and login to Collector from internal wifi on Android

-login credentials work for user@domain

-can collect/ post data on online wifi but not able to download map for offline use. Some error when downloading AGOL basemaps,  probably related to our network issues. May work for custom basemap.

-"cannot" reach Portal from external wifi on Android, even though we are setup for external over https

-iOS products and Win10 work without issue

No culprit was ever identified other than it is probably our internal network somewhere!  So at this point we have decided not to pursue anymore investigation. From our side this just makes the Android option not a viable option, yet.

thankx

HillaryBjorstrom
Occasional Contributor

The issue with basemap is probably because of credentials. you will want to add a  basemap specifically for off-line use (you can search this on arcgis online) to your Basemaps Gallery Store AGOL Credential.

0 Kudos
BlytheSpendlove2
New Contributor III

Hi Frank, does your team use a VPN, such as Pulse Secure? My team has found that for mobile apps like Collector and Survey123, sometimes the users have to try to log in several times before they can successfully log in. I am troubleshooting that still but I think it has to do with vpn issues. For now, our work around is that when users get the 401 error, have them try to log in again, like 3 or 4 or five or so times, and eventually they can log in. 

0 Kudos