Portal Login Issues or Limitations?

05-11-2016 04:26 AM
AdamRepsher
Occasional Contributor III

Hello All,

I am trying to set up Portal to accept both Active Directory and Portal Authentication users.  The problem occurs when I try to log in as a Portal user.  I can't do it.  I am logged into my machine through Active Directory, but when I browse to the portal homepage, I have no option to log out.  I can't get an interface to log in.

I am afraid that there will be an OR in this statement:

You either set up an Active Directory, automatic login environment, OR, an Active Directory/Portal Authenticated set up where you must manually sign in every time with your credentials.

Am I correct, or is there a special way to set up a way to log in with a Portal Authenticated User while set up for AD auto-login?

Thank you,

--Adam

18 Replies
RandallWilliams
Esri Regular Contributor

Whelp, color me schooled!

AdamRepsher
Occasional Contributor III

No - really...  I just got lucky in that this is the first version that I have used when implementing Portal.  This setup has given me the biggest schooling in my AGS career!  I still don't completely grasp the relationships to each server in my setup with the Domain Certificate configured with the WA server, but with a friendly URL....

Also - Randall - You may want to look over the docs on federation with AGS again too - since this is more toward the point that I think you were trying to get across.  I have a setup that is "like" the setup documented in the Spatiotemporal Big Data Store Tutorial.  It has two AGS installs - one for WebGIS and the other for RealTime GeoEvent Extension use.  Both of mine are federated with Portal - but only one is set as the "Hosting Server" (WebGIS).

JacobBoyle
Occasional Contributor III

All I know is that I've learned way more about SSL and security than I ever thought I would as a geographer.

JacobBoyle
Occasional Contributor III

That's a really great option going forward, I can see all kinds of scenarios where you'd want to have a secure external WA using IWA and an internal one for viewing only.

Kudos to Esri for allowing this model.

PaulDavidson1
Occasional Contributor III

Absolutely, +1

DanMallett
Esri Contributor

Adam, I want to believe that you have 2 web adaptors working (one anonymous and one with IWA) but I can't see how this is possible.  When I go to install the 2nd one I get:

Multiple web adaptors

So I could set up a reverse proxy and then add another web adaptor but the reverse proxy is going to load balance between the 2 web adaptors (for high availability purposes).  Unless you can add multiple WebContextURLs (e.g. /open and /iwa) I don't know how you accomplished this.

Any chance you could provide some more details?

AdamRepsher
Occasional Contributor III

Dan,

Actually, I cannot.  Since this thread was active, I am sad to say that many of the features have failed and are not currently working.  There were a few bugs found in the software, but honestly, I am convinced now that the way we set this up is the main reason for the failure.  I will be talking to Esri very soon about implementing 10.5 along with anonymous access to publicly available content.

There are instructions on adding multiple Web Adaptors via multiple Web URLs.  The two that I have working right now are /arcgis and /realtime, like in the link I mentioned above:  https://community.esri.com/external-link.jspa?url=http%3A%2F%2Fwww.arcgis.com%2Fhome%2Fitem.html%3Fi... .

JonathanQuinn
Esri Notable Contributor

Multiple web adaptors for Portal will only work if you have something in front of the web adaptors load balancing traffic to them.

Ex.

It's only designed to allow for redundancy at the web tier level, not to have two entry points into the portal.  If multiple entry points were possible, the problem is that when an item is created, the URL for the item is built using the URL (https://myportal.domain.com/secure/...) and will not update depending on if you access the portal through a different URL (https://myportal.domain.com/open/...).  If you only have people that can sign into the portal creating content (they will likely use the "secure" entry point), then those items will only reference the "secure" URL, and nobody with access to the "open" URL can reach the items, as they'd require authentication or require access to some internal web adaptor or reverse proxy.  The only way to achieve anonymous and single sign on experiences is, as mentioned, using SAML.

AdamRepsher
Occasional Contributor III

Just for clarification, I am not using multiple web adaptors for one portal installation, I am using one WA for Portal, one WA for AGS/GeoEvent and one WA for the non-GeoEvent AGS (federated with portal).

Granted, my whole installation is going to change soon.  Sorry for the mess that this thread may have started.