Select to view content in your preferred language

Unable to access Portal with built-in admin account

6273
8
Jump to solution
11-27-2020 09:33 AM
Labels (1)
JonSwoveland
Frequent Contributor

Hey all, so I seem to have got myself into a wee bit of a pickle.   First off, this is not a case of forgetting the built-in admin username or password.  I'm (all too) familiar with the cmd line tool to reset that. 

I setup an instance of Portal 10.8.1 to test configuration of a SAML 2.0 Federation with OKTA. This all worked fine until I disabled the option for users to login using built-in Portal accounts.  The only administrative user is the built-in portal admin user, and there appears to be no way for me to log in with built-in users anymore. This means I have not way to re-enable built-in user logins via the Portal UI.

I'm so used to using IWA authentication through the web adapter, I figured I'd be able to login with the built-in account by access Portal directly via :7443 but of course that still redirects authentication to OKTA.  

I can login to the portaladmin directory using the built-in admin account, but cannot find any way to enable built-in user logins from there.   

Looking at the response from the <portal-url>/sharing/rest/portals/self endpoint, I see there is a property named "samlEnabled", with a value of true.  However, I have  scoured all the configuration files I can find, but am unable to find a setting to control this.

This is just a test setup, so in my case it's not a big deal to reinstall, but there really should be a way to fix this via configuration.  

If reinstall is the only answer, I will be submitting a suggestion to Esri that disabling built-in user logins is not allowed unless at least one administrative user from an alternate IdP exists, and IdP settings should be configurable via portaladmin.

Thanks all!

 

0 Kudos
2 Solutions

Accepted Solutions
by Anonymous User
Not applicable

I often use the ArcGIS API for Python for updating specific properties. Something like this should do the trick once you can programatically login.

 

from arcgis.gis import GIS
gis = GIS('home')

display(gis.properties.canSignInArcGIS)
display(dict(gis.properties))

# backup old properties
old_properties = dict(gis.properties)

 

This backups up the old_properties in case you need to restore them. The next part simply updates one of it's properties. It sounds like you have established what needs to be updated so you can define the property here (I'm guessing it's the canSignInArcGIS property):

 

# specify properties to be updated
update = {'canSignInArcGIS': True}
gis.update_properties(update)

 

You can then confirm that the update has gone through by running this:

 

# check to see update was successful
gis.properties.canSignInArcGIS

 

View solution in original post

Travis_Esri
Esri Contributor

Hello Jon,

 

Esri Support created the following technical article for for the workflow you are describing. If you do not have an administrator SAML account you can use to update the value in Portal home, changing the "Can SignIn Using ArcGIS" value to true via the self page will enable built-in logins again on the signin page.

 

Problem: Portal for ArcGIS sign in page allows only enterprise logins preventing administrators from... 

 

Please let me know if you have any further questions on this.

 

Thanks,

Travis

View solution in original post

8 Replies
by Anonymous User
Not applicable

I often use the ArcGIS API for Python for updating specific properties. Something like this should do the trick once you can programatically login.

 

from arcgis.gis import GIS
gis = GIS('home')

display(gis.properties.canSignInArcGIS)
display(dict(gis.properties))

# backup old properties
old_properties = dict(gis.properties)

 

This backups up the old_properties in case you need to restore them. The next part simply updates one of it's properties. It sounds like you have established what needs to be updated so you can define the property here (I'm guessing it's the canSignInArcGIS property):

 

# specify properties to be updated
update = {'canSignInArcGIS': True}
gis.update_properties(update)

 

You can then confirm that the update has gone through by running this:

 

# check to see update was successful
gis.properties.canSignInArcGIS

 

JonSwoveland
Frequent Contributor

Thanks! I'm going to give this a try.  

0 Kudos
JonSwoveland
Frequent Contributor

That worked!!! Thanks so much!  
As much as I like being able to fix things using code, it doesn't seem reasonable to have to resort to this for a critical administrative task.  Would the folks at Esri Support know about this approach?  

Anyhow, thanks for giving me a new tool for my toolbelt!

0 Kudos
Travis_Esri
Esri Contributor

Hello Jon,

 

Esri Support created the following technical article for for the workflow you are describing. If you do not have an administrator SAML account you can use to update the value in Portal home, changing the "Can SignIn Using ArcGIS" value to true via the self page will enable built-in logins again on the signin page.

 

Problem: Portal for ArcGIS sign in page allows only enterprise logins preventing administrators from... 

 

Please let me know if you have any further questions on this.

 

Thanks,

Travis

JonSwoveland
Frequent Contributor

Thanks Travis, I was so close to finding that prior to the ArcGIS API for Python approach.  

0 Kudos
NickHarvey
Frequent Contributor

@Anonymous User  - Thank you for posting this Michael - It got me out of this Catch 22 - I could not access the update url below with out signing in, but my SAML setup wasn't working either..  

https://<portal.domain.com>:7443/arcgis/sharing/rest/portals/self/update

 

0 Kudos
James_Whitacre_PGC
Occasional Contributor

For our ArcGIS Enterprise/Portal we have SAML SSO with MFA for and have canSignInArcGIS: false so it is an easier login experience for our users (they were always getting confused by the ArcGIS login). I typically turn this off via Organization > Settings > Security > Logins. But we knew that if our SSO service went down (which happens occasionally), we would need to still login via our built-in admin account, so I used similar code as above to change the setting in an ArcGIS Online Notebook (we don't have a Notebook server for our portal).

When I developed my Python code, I used the built-in admin account to login, and this worked beautifully at version 6.0 of the ArcGIS API for Python! At this version, built-in users were still able to login even if the setting was turned off.  But, I noticed that the version on my AGO Notebook (6.0) was not current, so I changed it to version 9.0 (and also tested it at 7.0), and it no longer allows built-in accounts to login at all if canSignInArcGIS: false.

Maybe this is better security practice, but now it appears that my backdoor admin option is no longer viable, which is disappointing. Anyone have information on this? Is there a way to bypass this option for our use case?

0 Kudos
ahargreaves_FW
Frequent Contributor

I'm stuck and unable to log into our portal using a built-in account. I followed the instructions in the article here to attempt to switch the 'Can SignIn Using ArcGIS' setting to try, but it already is. I'm stumped.

ahargreaves_FW_0-1632847084297.png

 

0 Kudos