I am one of a few Administrators on a portal. The portal has been set up with Integrated Windows Authentication (IWA) so that Active Directory (AD) groups can be linked to Portal for ArcGIS.
One of my fellow administrators created a new group and associated it with Users from an Enterprise Group using AD. I am a member of this particular Enterprise Group in AD; however, when I log into portal using my administrator privileges and click 'Groups', I am not recognised as a member of this group. We double-checked AD and I am definitely a member of the associated group.
What might be causing this issue?
Ok ... with the help of DEBUG logs, it's working as you expected, though not quite how I would like.
The first login does work.
Then after deleting and re-adding the account the logs show:
Refresh user membership: No refresh. Interval time has not elapsed.
Can a user's interval time please be reset to zero after each account creation has been detected?
As a workaround for now, we'll see how lowering membershipRefreshIntervalHours goes.
Thanks heaps
Hi
I am facing the same challenge in 10.6. Any resolution? Although "refreshUserMembershipDuringLoginEnabled": "true" is set, a new user who is automatically logged in and is part of the group is still unable to see the content. Any pointers?
Regards
LV
Do the DEBUG logs indicate that the refresh is occurring? The group membership refresh operation runs in the background when the user logs in. If there are a lot of Portal groups linked to enterprise groups, this may take a while because it is iterating through each group to see if the user is a member of it. During this time the user wouldn't be able to access the group because the membership isn't updated yet. You should be able to observe in the DEBUG logs when the refresh operation completes.
Thanks Smith for the quick response. Yes, our portal groups are linked to enterprise groups, but they are not many. Even if the background process takes some time, it should be within one hour (max limit), but in our case it takes more than 24 hours to reflect. This is what surprises me.
I just did a small test. I purposefully removed a user (let's call it TestUser) and accessed the portal again, which created the account as TestUser (because auto account creation is enabled), and the count of users increased by one.
When I try to access the web map (shared with public) on a group which is mapped to an enterprise group where TestUser is already a member, it throws the error "Layer could not be loaded".
Developer tools log says
At the first login of TestUser (user role is set to LEVEL 2 USER), I see the logs below on the portal: No refresh
r="" elapsed=""> Refresh user membership: No refresh. Interval time has not elapsed.</Msg>
<Msg time="2019-01-29T20:26:55,44" type="DEBUG" code="219999" source="Sharing" process="17856" thread="16" methodName="" machine="XXXXXX" user="" elapsed=""> Refresh user membership: No refresh. Interval time has not elapsed.</Msg>
This is totally inconsistent behaviour.
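As an added example (not part of any post in this thread, and not Esri code): a small Python scan of portal DEBUG log text in the Msg format quoted above, listing each complete "Refresh user membership" record and counting records that were cut off before their opening tag. The sample log is constructed from the lines in the thread; the third message text and the function name scan are assumptions.

```python
import re

# Constructed sample in the <Msg> format quoted in the thread. The first record
# is cut off mid-tag, as in the post; the third message text is hypothetical.
SAMPLE_LOG = '''r="" elapsed=""> Refresh user membership: No refresh. Interval time has not elapsed.</Msg>
<Msg time="2019-01-29T20:26:55,44" type="DEBUG" code="219999" source="Sharing" process="17856" thread="16" methodName="" machine="XXXXXX" user="" elapsed=""> Refresh user membership: No refresh. Interval time has not elapsed.</Msg>
<Msg time="2019-01-29T20:27:10,02" type="DEBUG" code="219999" source="Sharing" process="17856" thread="16" methodName="" machine="XXXXXX" user="" elapsed=""> Some other sharing message (hypothetical).</Msg>
'''

# The log is a sequence of <Msg> elements with no root element, so it is
# matched record by record rather than fed to an XML parser.
MSG_RE = re.compile(r'<Msg\s+([^>]*)>(.*?)</Msg>', re.S)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
PREFIX = "Refresh user membership:"
SKIP_TEXT = "No refresh. Interval time has not elapsed."


def scan(log_text):
    """Return (events, truncated).

    events    -- list of (time, outcome, text) for complete membership-refresh
                 records from the Sharing source; outcome is "skipped" when the
                 interval had not elapsed, otherwise "other".
    truncated -- number of records with a closing tag but no usable opening tag.
    """
    records = MSG_RE.findall(log_text)
    truncated = log_text.count("</Msg>") - len(records)
    events = []
    for attrs_raw, body in records:
        attrs = dict(ATTR_RE.findall(attrs_raw))
        text = body.strip()
        if attrs.get("source") != "Sharing" or not text.startswith(PREFIX):
            continue
        outcome = "skipped" if SKIP_TEXT in text else "other"
        events.append((attrs.get("time", ""), outcome, text))
    return events, truncated


if __name__ == "__main__":
    found, cut_off = scan(SAMPLE_LOG)
    for when, outcome, _ in found:
        print(when, outcome)
    print("truncated records:", cut_off)
```

A run of "skipped" entries at the time of a login shows the refresh was suppressed by the interval check rather than still running in the background.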
Hi Lakshmanan Venkatesan,
Any progress in your case? We faced a very similar problem and we discovered that changing the user role from user to publisher solved it.
Regards.
Matej