Story Map Series cannot use an HTTP web page if IWA is used

3360
7
11-16-2015 10:03 AM
RobMiller
New Contributor II

I am working with a Portal vs. 10.3.1 that incorporates Integrated Windows Authentication and therefore only communicates through https.  When a web map is shared via a Story Map Series template, the option to use a web page in one of the tabs does not work unless it is secured with https.  I figure this is just a limitation at this point, but I thought I would ask to see if anybody knows of any work around to fix this mixed content issue.

0 Kudos
7 Replies
PaulDavidson1
Regular Contributor

Rob:

I was under the impression that you could set Portal to use mixed http/https and that would allow you to use mixed content but still have IWA certifying via https?

I don't know this for a fact but am curious about it.

0 Kudos
RobMiller
New Contributor II

Paul,

I believe that communicating through https only is a requirement for IWA, but I am not absolutely sure about that.  The documentation specifies to use this option, but I can't be sure that it is absolutely necessary.  I am also curious if anybody knows this for a fact. 

0 Kudos
PaulDavidson1
Regular Contributor

Hi Rob:

Yes, that was my understanding too from reading the documentation but it was recently recommended to me  to set our Portal into mixed mode so that we could share some older map services that are http only.  Other work has had precedence though so I can't offer any practical experience.  My recollection from the UC this past summer was that https or https/http mode was now considered best practice.  I think pure https is preferred but the reality is that many legacy organizations have older http servers still active.

Hopefully, Derek Law can weigh in on this.

It seems like a substantive issue.

0 Kudos
DerekLaw
Esri Community Moderator

Hi Rob and Paul,

Allow me to clarify some items mentioned in this thread:

- By default, Portal for ArcGIS is set to use HTTP/HTTPS communication - this means you can access and work with web services/content that are both HTTP and HTTPS;

- When you configure Portal for ArcGIS to use IWA authentication, then yes - it must be set to use HTTPS communication, this is a requirement and is documented in the help

Using Integrated Windows Authentication with your portal—Portal for ArcGIS (10.3 and 10.3.1) | ArcGI...

> I believe that communicating through https only is a requirement for IWA, but I am not absolutely sure about that.  The documentation specifies to use this option, but I can't be sure that it is absolutely necessary.

I can confirm this is necessary for Portal for ArcGIS to use IWA authentication, otherwise you may expose security holes in your Portal deployment.

Hope this helps,

PaulDavidson1
Regular Contributor

Thanks Derek.

I also just read that if we have an ArcGIS Server (AGS) setup to use IWA and we want to federate it, then we need to pull IWA off the AGS box and then federate it and let Portal do the authentication.

Setting up your portal and federated server to use Windows accounts—Portal for ArcGIS  (10.3 and 10....

Guess that means I jumped the gun in setting up the IWA AGS box.

I have one question left (for now):

Does this mean that with a Portal setup to use IWA, that any AGS box with map/feature services that you want to use & expose to/from Portal must be federated to Portal?

Which implies you can you more than one server federated to Portal.

FYI for others who might read this thread:  I have found that discussion about federation and single sign on (SSO) to sometimes get confusing.  They are not the same thing, similar but different. Cousins from another mother?

I have found the following helpful:

What is federation? And how is it different from SSO?

Hopefully this info applies to the Portal model.

0 Kudos
DerekLaw
Esri Community Moderator

Hi Paul,

> Does this mean that with a Portal setup to use IWA, that any AGS box with map/feature services that you want to use & expose to/from Portal must be federated to Portal?

You have 2 options:

1) I think in theory, you can register "unsecured" web services with your Portal, share them with 'everyone' - which means they can be accessed anonymously. In this case, the Server site does not need to be federated with Portal - only the web services are registered with Portal. I believe this is technically possible, but not sure how practical this deployment would be if you are using IWA authentication for Portal.

2) If you want to have your web services secured with IWA, then yes, the Server site must be federated with Portal.

> Which implies you can have more than one server federated to Portal.

Correct. A Portal can have multiple Server sites federated with it, but Portal can only have one hosting server.

Hope this helps,

PaulDavidson1
Regular Contributor

Thanks Derek

I'll be trying some wide open anon map services from our intranet unsecured servers.

I'm sure it's not BP, but it can help us keep moving forward.

I'll report my findings when available.

0 Kudos