Configure Portal with Portal authentication and Active Directory

09-22-2015 09:49 AM
Occasional Contributor II

Hi, in the documentation for Portal it seems like you can configure Portal to use both Portal authentication and Active Directory authentication simultaneously. We also want to be able to allow anonymous users. When you click on the linked help sections, it seems as though it's an either/or situation.

Does anyone have experience with this type of configuration and can share some insight and info on how to set that up?


3 Replies
MVP Frequent Contributor

You CAN do this, albeit not recommended: go through all the steps to Active Directory-enable your portal (there is extensive documentation on how to do this). EXCEPT: Do NOT enable the SAML connection to Active D federation. THEN: Create Portal, non-AD accounts using the command-line Portal Account Creation tool (which will create a local ptl admin account), then log in as admin (u) and drop it down to user or publisher. This could be handy if you want to publish organization-wide items such as base maps, but don't have confidence that the AD user that has been tasked to do so will be around for long.

Again, not recommended, as this requires you to NOT disable the PSA in an AD environment.

I'd really think about getting your IT to create a generic AD account(s) for this purpose; you open up some security holes with the road you want to go down.

Esri Contributor

Hi Dave,

If you want to leverage Portal Authentication and Active Directory Users, this would be possible. The biggest piece is where the individuals are authenticating.

To do this I would complete the following:

(1) Configure Portal for ArcGIS for AD Users.

(2) Configure Portal for ArcGIS for AD Groups. (OPTIONAL).

(3) Install and configure the ArcGIS Web Adaptor for Portal for ArcGIS.

(4) Ensure that the authentication for the Portal Web Adaptor is set to Anonymous Authentication.

This way, when end users connect to the Portal for ArcGIS, they will have to click the Sign-in. If the user has a built-in account, they'll simply need to provide their credentials. If the user has a domain account, then they would need to enter their credentials. Typically domain credentials will be in the format of UPN or username@domain. Please note that the username and password are case sensitive.

I hope this information helps.

Occasional Contributor III

Hi Dave,

I just discovered another way to do this with all three methods - Single Sign-on, Portal based and Anonymous. It just takes two different Web Adaptors. See this discussion:

Portal Login Issues or Limitations?