Portal - Windows Authentication on Server 2012 not Working

JoeHershman · ‎05-27-2016

I have setup Portal using AD and Windows Authentication. Everything is installed on a Server 2012 R2 machine.

The problem is, I cannot get the login to work from a Windows 2012 machine. For some reason it does not seem to pass the credentials correctly. It will just keep challenging me with a login form, over and over

Everything works just fine when connecting from a Windows 2008 machine. This is happening with multiple sites and from every Windows 2012 R2 Server. I cannot find anything that describes a setting that needs to be changed on 2012 that does not need to be changed on 2008.

Any thoughts? Basically cannot setup to use single sign on, unless I only connect from 2008 machines

Thanks

-Joe

Thanks,
-Joe

JoeHershman · ‎09-01-2016

Well after much trail and tribulation the issue ended up being with how the DNS was configured. We have a Forward Lookup Zone so we can map our 'public' Urls internally within our domain. This allows us to use a wildcard certificate from a public CA internal to our domain even if not exposing the site outside.

Normally, I have just configured a Host entry to point right to the IP Address. For some reason (and I have no idea why) when I changed this to a CNAME entry pointing to the internal domain machine name it resolved the issue. I don't know enough about DNS to be able to say why this change resolved the issue, nor why it only occurred on Server 2012 and not 2008. But that was the solution

Thanks,
-Joe

View solution in original post

PaulDavidson1 · ‎05-27-2016

Hey Joe:

I'd look at the browsers being used on the two different OS boxes?

I assume both have IE? Tried Chrome or?

Compare the IE settings?

Don't use compatability mode in IE. Apparently that makes IE want to behave like ver 7 and Portal only supports IE 9 and up.

You're logging into Portal from Win Servers rather than from desktop OS like Win7/8/10 , right?

I know I had to spend some frustrating time tweaking the various IE settings on our WinSrvr 2012 R2 server that is hosting Portal/AGS/DS when logging in directly from that server using IE.

IE on WSrvr2012 is setup differently than a desktop version, more control over security, etc...

Unfortunately, I was in the try all sorts of things mode and didn't keep very good notes on what I did.

If you search here for issues related to browsers and/or url doubling etc... you should find some threads that might have useful info.

For example: Portal 10.4 Request.Path error on IIS

There are some other threads about AD/IWA also that might have useful info?

Unfortunately, it seems that info on the inner workings of Portal (config files, etc...) can be hard to come by.

I suspect this is on purpose to keep us from royally screwing things up. Portal is tricky enough when just working through all the provided interfaces. I can only imagine the support headaches if (when) folks start digging deep and modifying things.

Maybe also check your portaladmin and ArcGIS/admin web sites and look through your settings?

FWIW: We do have our Win2012 servers letting us log into Portal 10.4

The Test server is tied to IWA and we can get in that way. However, we don't have ADFS (yet) running so that might be a difference in our's & your's setups.

good luck

JoeHershman · ‎09-01-2016

Paul,

I have no idea what the deal is, but I have never gotten single sign on to work on a Server 2012R2 machine. In either IE or Chrome it will challenge me and even if I enter my domain credentials it does not seem to pass them through because it won't log me on. We have a hosted environment which only has Server OSs so I have only been able to try on Server 2008 which works fine. From my local Windows 10 machine (when connected to our hosted VPN) it will challenge me and if I enter my domain credentials it passes them through and I log on. This is to be expected because on my local machine I am not logged into the hosted domain. I cannot see anything different in setting on the 2008 machine and the 2012 machine. I am going absolutely insane over this. Basically, I need to turn off Windows Authentication in order for users to log onto the Portal (which they have to do manually).

-Joe

Thanks,
-Joe

JonathanQuinn · ‎09-01-2016

What provider is listed first, NTLM or Negotiate? I believe there should be fallback to the other if the first one listed doesn't work, but I've seen that it doesn't happen and IWA fails. You can try to switch them and see what happens, (right click on Windows Authentication and go to Providers).

JoeHershman · ‎09-01-2016

Thanks for the help, see below I finally got it working. No idea why what I did solved the problem, just that it did. Thanks again.

-joe

Thanks,
-Joe

JonathanQuinn · ‎09-01-2016

Eep, that's a bit beyond me too, I normally just fumble around, but glad it's working!

JoeHershman · ‎09-01-2016

So I think what seems to be the issue is that internally to our domain we use a Forward Lookup Zone to map Urls to our public domain. This way we use public certificates internally. So even though I am inside the firewall the Url is still https://xxx.ramtech-gis.com/portal, as opposed to https://xxxx.internal.domain/portal. For some reason this seems to be breaking something, but only on Server 2012. I just set things up on a client that uses a domain CA so they don't have this additional lookup zone and everything works. I cannot guarantee that is truly the issue, but it is the only thing I am seeing different in these configurations. Why 2008 would be OK but not 2012 I have no clue

Thanks,
-Joe

JoeHershman · ‎09-01-2016

Well after much trail and tribulation the issue ended up being with how the DNS was configured. We have a Forward Lookup Zone so we can map our 'public' Urls internally within our domain. This allows us to use a wildcard certificate from a public CA internal to our domain even if not exposing the site outside.

Normally, I have just configured a Host entry to point right to the IP Address. For some reason (and I have no idea why) when I changed this to a CNAME entry pointing to the internal domain machine name it resolved the issue. I don't know enough about DNS to be able to say why this change resolved the issue, nor why it only occurred on Server 2012 and not 2008. But that was the solution

Thanks,
-Joe

PaulDavidson1 · ‎09-01-2016

Joe:

I came across this recently:

http://support.esri.com/technical-article/000012357

Don't know if this would help but it at least sounds like it has some things in common with what you're doing. Maybe there's a nugget in there that will help your understanding?