Select to view content in your preferred language

Portal items shared to all shows login screen for AD accounts

778
4
02-08-2023 11:03 AM
Labels (1)
ElizabethDonahue
Regular Contributor

Randomly, Enterprise Portal items 'shared to all' shows login screen for AD accounts. Using Version 10.7. 

  1. how do I fix this
  2. how can I see if this is happening without having to ask unnamed users to check all the time?

 

Thanks so much!

 

Beth Donahue

Chicago Transit Authority

 

0 Kudos
4 Replies
Scott_Tansley
MVP Regular Contributor

Are you using Intergrated Windows Authentication (old skool AD) or are you using SAML2 (modern AD)?

Also, are all the services, the web map and the application all shared with 'everyone'.  I've seen people use multiple web services in a web map, leave one of them secured and then see this behaviour.  All 'items' have to have the same level of sharing.

Scott Tansley
https://www.linkedin.com/in/scotttansley/
0 Kudos
ElizabethDonahue
Regular Contributor
Scott, thanks for your assistance.

1. CTA uses the agency's active directory using Integrated Windows Authentication (IWA). I have been sharing items to everyone in Enterprise Portal with no issues until January of this year.


1. We also occasionally cannot Add members based on existing enterprise users.

[cid:image001.jpg@01D93C7A.3EA026A0]
No names will appear here:
[cid:image002.jpg@01D93C7A.3EA026A0]


1. I would like to be able to tell if non-named users are seeing the login screen for 'shared with everyone' items without having to bug my co-workers.
2. I think may have become an issue when we were authorizing our licenses for the new year.

Any insight you can provide with be marvelous!

Beth Donahue

0 Kudos
Scott_Tansley
MVP Regular Contributor

So if you’re using IWA (shivers) then all users need to go through the web server and web adaptor.  The web server (before you get to Esri) will ask you to confirm you’re logged in to the AD.  If you’re on the network or have VPN then you have a token and you just go in. 

If you’re environment is exposed to the internet, and you access it from a non work device or you’re not on the VPN then it will ask you to login.

Under IWA the concept of everyone just means you’re not consuming a license, you have to exist in the AD to be able to use anything.  So you can’t easily share to the public or stakeholders.  (Hence ^shivers).  IWA makes the environment inflexible in my opinion.  😞

the only way to tell if non names users would be having those blocks would be the IIS logs.  You may get a username if IIS was configured correctly.   

typically changes like you’ve said relate to windows or Esri patches being applied or possibly a licensing change.  

Scott Tansley
https://www.linkedin.com/in/scotttansley/
0 Kudos
ElizabethDonahue
Regular Contributor

Scott, I appreciate your comments. Anonymous users are now seeing items shared with all (enterprise portal is behind firewall so 'all' means everyone with AD account). Unfortunately, now when I open Portal or Portal admin I am prompted for a login (which of course I do not have). In addition, randomly my colleagues I cannot open ArcGIS Pro licensed through Portal (unknown error, check LM is working). I have tested on VPN, RDP, Wireless at work and Docking station at work.

I am working with DBA and other IT and we suspect my credential authentication is not being passed on to GIS web server.

 

I have a ticket open with ESRI and here are results that allowed anon access and initial admin but then portal admin asked for login

  • We checked the behavior
  • Checked the security settings for Portal, allowing anonymous access option is checked
  • Navigated to the security configuration from the portal admin interface and tested the identity store it was successful
  • Navigated to the web adaptors' machine
  • In the IIS, the anonymous authentication was enabled on the default website but not on the portal web adaptor (portal) and the server web adaptor (hosting)
  • The Windows authentication was disabled on the default website and the server's web adaptor
  • Enabled anonymous authentication on the portal and server web adaptors
  • Enabled Windows authentication on the default website and the server's web adaptor
  • We were able to access items anonymously afterward

Are we missing something? Everything was fine until about January of this year (I also transitioned from staff to consultant but with same email login).

Thanks for any thoughts you have😃

Beth Donahue

 

0 Kudos