Why is Portal not recognising my Active Directory group?

03-14-2018 03:45 PM
JustinOdell
Occasional Contributor III

I am one of a few Administrators on a portal. The portal has been set up with Integrated Windows Authentication (IWA) so that Active Directory (AD) groups can be linked to Portal for ArcGIS.

One of my fellow administrators created a new group and associated it with Users from an Enterprise Group using AD. I am a member of this particular Enterprise Group in AD, however when I log into portal using my administrator privileges and click 'Groups', I am not recognised as a member of this group. We double checked AD and I am definitely a member of the associated group.

What might be causing this issue?

14 Replies
LakshmananVenkatesan
Occasional Contributor II

Hi 

I am facing the same challenge in 10.6. Any resolution? Even though "refreshUserMembershipDuringLoginEnabled": "true" is set, a new user who is logged in automatically and is part of the group is still unable to see the content. Any pointers?

Regards

LV

0 Kudos
JeffSmith
Esri Contributor

Do the DEBUG logs indicate that the refresh is occurring? The group membership refresh operation runs in the background when the user logs in. If there are a lot of Portal groups linked to enterprise groups, this may take a while because it is iterating through each group to see if the user is a member of it. During this time the user wouldn't be able to access the group because the membership isn't updated yet. You should be able to observe in the DEBUG logs when the refresh operation completes.

LakshmananVenkatesan
Occasional Contributor II

Thanks Smith for the quick response. Yes, our portal groups are linked to enterprise groups, but there are not many of them. Even if the background process takes some time, it should finish within one hour (max limit), but in our case it takes more than 24 hours to be reflected. This is what surprises me.

0 Kudos
LakshmananVenkatesan
Occasional Contributor II

I just did a small test. I purposely removed a user (let's call it TestUser) and accessed the portal again, which created the account again as TestUser (because automatic account creation is enabled), and the count of users increased by one.

When I try to access the web map (shared with public) on a group which is mapped to an enterprise group where TestUser is already a member, it throws the error "Layer could not be loaded".

The developer tools log says:

  1. message: "You do not have permissions to access this resource or perform this operation."
  2. messageCode: "GWM_0003"

At the first login of TestUser (user role is set to LEVEL 2 USER), I see the logs below on the portal: No refresh

r="" elapsed=""> Refresh user membership: No refresh. Interval time has not elapsed.</Msg>
<Msg time="2019-01-29T20:26:55,44" type="DEBUG" code="219999" source="Sharing" process="17856" thread="16" methodName="" machine="XXXXXX" user="" elapsed=""> Refresh user membership: No refresh. Interval time has not elapsed.</Msg>

This is totally inconsistent behaviour. 

0 Kudos
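An added example, not part of any post in this thread: one way to check what the DEBUG log says about the membership refresh is to pull out the "Refresh user membership" entries and count how many were skipped because the interval had not elapsed. The sample input is constructed in the format of the log line quoted above; the function names, the placeholder message texts, and reading the digits after the comma as milliseconds are assumptions.

```python
import re
from datetime import datetime

# Constructed sample. Line 1 is truncated like the pasted excerpt; the
# texts marked "placeholder" are not real Portal messages.
ATTRS = 'type="DEBUG" code="219999" source="Sharing" machine="XXXXXX" user="" elapsed=""'
SAMPLE_LOG = f'''\
r="" elapsed=""> Refresh user membership: No refresh. Interval time has not elapsed.</Msg>
<Msg time="2019-01-29T20:26:55,44" {ATTRS}> Refresh user membership: No refresh. Interval time has not elapsed.</Msg>
<Msg time="2019-01-29T20:27:10,120" {ATTRS}> Unrelated message (placeholder).</Msg>
<Msg time="2019-01-30T21:02:03,7" {ATTRS}> Refresh user membership: other outcome (placeholder)</Msg>
'''

MSG_RE = re.compile(r'<Msg\s+(?P<attrs>[^>]*)>(?P<text>.*?)</Msg>')
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
PREFIX = "Refresh user membership:"
SKIPPED = "No refresh. Interval time has not elapsed."

def parse_time(value):
    # Assumption: "20:26:55,44" is seconds, then a comma and milliseconds.
    stamp, _, millis = value.partition(",")
    parsed = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S")
    return parsed.replace(microsecond=int(millis or 0) * 1000)

def refresh_events(log_text):
    """Return (events, unparsed_count) for membership-refresh entries."""
    events, unparsed = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        match = MSG_RE.search(line)
        if match is None:
            unparsed += 1          # e.g. a line cut off mid-element
            continue
        text = match.group("text").strip()
        if not text.startswith(PREFIX):
            continue               # some other DEBUG message
        attrs = dict(ATTR_RE.findall(match.group("attrs")))
        outcome = text[len(PREFIX):].strip()
        events.append({"time": parse_time(attrs["time"]),
                       "user": attrs.get("user", ""),
                       "skipped": outcome == SKIPPED,
                       "outcome": outcome})
    return events, unparsed

def summarize(events):
    other = [e for e in events if not e["skipped"]]
    return {"skipped": len(events) - len(other),
            "other": len(other),
            "first_non_skipped": other[0]["time"] if other else None}
```

If `summarize` reports only skipped entries for the period after a user's login, the log shows no sign that the refresh ran for that login.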
MatejNeveril1
New Contributor

Hi Lakshmanan Venkatesan,

Any progress in your case? We faced a very similar problem and we discovered that changing the user role from user to publisher solved it.

Regards.

Matej

0 Kudos