Internal web adaptor with Windows authentication and one without in DMZ pointing to one Portal ?

835
12
11-09-2021 12:27 PM
MarcBate
Occasional Contributor II

We are having problems getting two web adaptors working with our Enterprise Portal and want to confirm if what we want to do is even possible. One web adaptor inside the firewall is set to use Windows authentication and we have the portal identity store configured to automatically create accounts using your Windows login. It works. The problem is when we wanted to put another web adaptor in our DMZ to allow external users such as those using Field Maps. We are using the same URL for both of these web adaptors which resolves correctly depending if you are inside the firewall that has a different DNS server.

When accessing the DMZ web adaptor, there are 403 errors where dojo.js cannot GET other resource files and the web page is blank. When trying to open the resources that had the 403 error, they come up in the browser.

Any ideas on how to get this working or if this is even possible?

Tags (3)
0 Kudos
12 Replies
ABishop
Regular Contributor III

Hello Marc,

What version of Enterprise Portal?

Amanda Bishop, GISP
0 Kudos
MarcBate
Occasional Contributor II

10.9

0 Kudos
ABishop
Regular Contributor III

I found this information for installing multiple web adapters at 10.9 (IIS)

https://enterprise.arcgis.com/en/web-adaptor/latest/install/iis/install-multiple-arcgis-web-adaptors... 

Amanda Bishop, GISP
0 Kudos
MarcBate
Occasional Contributor II

Thanks. We saw that article, but still have the specific question if it is possible to have one web adaptor using Windows Authentication for the IIS website inside the firewall and portal configured to use Windows identity store, and the other in the DMZ using anonymous authentication in IIS.

0 Kudos
ABishop
Regular Contributor III

According to this thread from 2019, could possibly be the security configuration or the ports.  

https://community.esri.com/t5/arcgis-enterprise-questions/login-link-fails-when-accessed-from-web-ad... 

Amanda Bishop, GISP
0 Kudos
JonathanQuinn
Esri Notable Contributor

So when the request is set to the home application, for example, and the home application is making requests to dojo.js and other pages, the response is a 403. But if you take that same request on the same browser, (new tab, for example), the request returns a 200?

0 Kudos
MarcBate
Occasional Contributor II

That's correct.

0 Kudos
JonathanQuinn
Esri Notable Contributor

Have you inspected the traffic for differences in headers or other information to see if the presence of a header, or value set for one, is causing the 403?

0 Kudos
MarcBate
Occasional Contributor II

We were able to sign in through the DMZ firewall with Field Maps.

However, we still get 403 errors when accessing the enterprise site through the DMZ in a browser. I tried going to /arcgis/home/webmap/viewer.html and it loads, but several css and js files it uses are throwing 403 errors and the browser is empty. I feel we have to be close to getting this working

0 Kudos