Portal Login Issues or Limitations?

8719
18
05-11-2016 04:26 AM
AdamRepsher
Regular Contributor

Hello All,

I am trying to set up Portal to accept both Active Directory and Portal Authentication users.  The problem occurs when I try to log in as a Portal user.  I can't do it.  I am logged into my machine through Active Directory, but when I browse to the portal homepage, I have no option to log out.  I can't get an interface to log in.

I am afraid that there will be an OR in this statement:

You either set up an Active Directory, automatic login environment, OR, an Active Directory/Portal Authenticated set up where you must manually sign in every time with your credentials.

Am I correct, or is there a special way to set up a way to log in with a Portal Authenticated User while set up for AD auto-login?

Thank you,

--Adam

0 Kudos
18 Replies
JacobBoyle
Occasional Contributor III

I think to get the duel login option, you have to use ADFS/SAML, Otherwise it just passes the creds from IWA.

RandallWilliams
Esri Regular Contributor

@Jacob Boyle above is correct. When you use IWA the assumption is that you're going to want Single Sign-On. SAML is the way to go in this case.

0 Kudos
AdamRepsher
Regular Contributor

Update:

I talked to Matt at Esri Support.  He explained that I could set up another Web Adaptor specifically for Anonymous and Portal based users - call that "/open".  That adaptor would just have anonymous access enabled.  The adaptor for Single Sign-On is set up for Windows Authentication only - call that "/portal"

Give the anonymous and portal based users the https://company.com/open link.

Give the Single Sign-On users the https://company.com/portal link.

Thank you all!

--Adam

PaulDavidson1
Regular Contributor

Hey Adam:

I'm a bit confused by this.  It's my understanding that you can only install & setup one Web Adapter (WA) per Portal instance.

Plus the WA for AGServer, which can have multiple WAs (one for normal usage and one for admin for instance.)

So while AGS can have multiple WAs, I though Portal could only have the one.

Have you been able to install a second one for Anon access?

0 Kudos
JacobBoyle
Occasional Contributor III

I agree with Paul.

AGS can also only have multiple WA's if you do not federate.  Unless something has changed, portal cannot be configured with Multiple WA's.

Derek Law, your thoughts?

0 Kudos
DerekLaw
Esri Community Moderator

Hi Jacob,

Apologies for the late reply, I had to check into this item with some folks on the Portal Dev team.

Portal for ArcGIS is only designed to work with one Web Adaptor as an entry point. In some cases, such as deploying Portal high availability, you could use multiple Web Adaptors - but you would need to have a 3rd party load balancer in front of this deployment. FYI, help topic: Configuring a highly available portal—Portal for ArcGIS (10.4.1) | ArcGIS for Server

@Adam: I know you've said that you got your deployment working properly, but I am not certain that is the case. I suggest you please check and verify that everything is working correctly, as I am told this is not a supported deployment.

Regarding your reference to the 'Web Adaptor" help topic (where you note the 's') - we've found some inconsistencies and are working to correct its content to make it more clear and concise.

Hope this helps,

RandallWilliams
Esri Regular Contributor

Yup. The process of registering a Web Adaptor with a Portal will fail if another web adaptor has been previously registered. The registration screen will throw an error indicating the issue. The Server Web Adaptor must set at anonymous if federating through that web adaptor.

AdamRepsher
Regular Contributor

Everyone contributing to this thread:

This has nothing to do with the AGS Web Adaptor and Federation.  That WA is already set up and working with anonymous login specifically for AGS.

This is for users accessing Portal.

Configure multiple ArcGIS Web Adaptors -- (notice the "s" at the end of the word "Adaptor")

After seeing that link, I just needed a little help provided by Esri Support.

I now have two web adaptors for incoming Portal users.  One for Single Sign-On and the other for Portal Based accounts/anonymous users.  It works - really, it does.

PaulDavidson1
Regular Contributor

Very interesting...  and useful

Thanks Adam

Looking at that link, this must be new in 10.4 because the "other versions" link at 10.3 is greyed out.