Active Directory - Single Sign On Failure

08-22-2017 12:07 PM
New Contributor III


I am implementing a High Availability Portal and Server (ArcGIS Enterprise 10.5.1).  Portal has two machines and Server has two machines, each set of machines is behind a load balancer.

Load Balancer

Portal x2 + web adaptors

Load Balancer

ArcGIS Server x2 + web adaptors

If I set everything up using ArcGIS Portal authentication I can Federate and Host the Portals and Servers and everything works well.

When we configure web tier authentication and single-sign on (Active Directory) using Esri's provided instructions the system fails - specifically we get an unauthorized user error in the Federation window in Portal and when we try to access ArcGIS Server Manager we get an unauthorized user error message.  Note, we can still get access to ArcGIS Server Administrator page using the siteadmin user / password.

If anyone has any ideas, it would be greatly appreciated.


0 Kudos
4 Replies
Occasional Contributor III

Hi Kieren,

It sounds like you already covered all this stuff but from the documentation here's a couple things to check:

  • Are both the ArcGIS Server Site and Portal site configured to use HTTPS communication?
  • In the Portal Server's settings, is the Administration URL set as your Web Adaptor or load balancer URL?
  • Is the Web Adaptor configured to enable administrative access to the server?


New Contributor III

Thank you for the comments.  

1. Yes, both are configured to use HTTPS

2. In the portal server settings, it is set to the Load balancer URL

3. Web adaptor is configured to enable admin access to the server.

What is interesting in the High Availability deployment

Deployment scenarios for a highly available ArcGIS Enterprise—Portal for ArcGIS (10.5.x) | ArcGIS En... 

IWA or LDAP authentication with client access internal - we actually have Web Adaptors in front of the ArcGIS Server sites.

The portal web adapters are also on the same machine as the Portal's not separated in the manner described here.

Hypothetically, having the second set of web adapters is creating a user challenge scenario in front of the server site, but we have configured those for anonymous access.

We had confirmation from our local distributor that this would work, but it appears that it might not.

0 Kudos
Esri Notable Contributor

Did you set a privatePortalURL?  If so, what is it set to?  It should be a load balanced URL that bypasses the IWA challenge.

New Contributor III

Thank you Micah and Jonathan for the comments.  It turns out that we had misconfigured the second load balancer which balances to URL:7443

What was confusing was everything worked well until the federation / hosting step which didn't lead us to immediately check the balancer.  Once we corrected that configuration Single Sign On and Federation / Hosting was successful.

0 Kudos