In 11.3, we had IWA set up alongside Anonymous access and it worked seamlessly. If a user has an account in portal, it would log the user in using IWA. If a user did not, it would still allow anonymous access if in-network to view maps and apps.
Since upgrading to 11.5, IWA does not happen automatically, and to perform any administrative tasks or access the portal, users now need to log in manually with their domain credentials.
Any reason why this might be suddenly happening? No settings were changed on our end. In IIS, both Anonymous authentication and Windows authentication are enabled, and this was not previously an issue. It is my understanding that if you only have Windows authentication enabled, users all need named accounts in portal, which we're trying to avoid by just using anonymous access for simple map/app viewers.
Hi @valenj88,
IIS processes authentication methods in a specific order. When both Anonymous and Windows authentication are enabled at the same level, IIS will first attempt to use Anonymous Authentication.
If this was working before, I can only think that some custom solution was in place. As a workaround, you can Enable Automatic Account Creation. Then, configure New Member Defaults to Viewer for both User/Role Type. You should have an indefinite number of viewer accounts for Enterprise. When a user accesses an application URL that is shared with Everyone, and they do not have an account, portal will create a Viewer account for that user.
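To confirm which of the two authentication methods discussed above are enabled on a given IIS application, a check like the following can be run on the web server. It is an added example, not part of the original posts or Esri tooling; the site/application names in `$locations` are placeholders, and it assumes the IIS `WebAdministration` module is installed and the session is elevated.

```powershell
# Added example: report Anonymous vs. Windows authentication per IIS application.
# Assumption: the entries in $locations are placeholders; use your own
# "<site>/<application>" paths (for example, the web adaptor application).
Import-Module WebAdministration

$locations = @(
    'Default Web Site/portal',   # placeholder
    'Default Web Site/server'    # placeholder
)

$authRoot = 'system.webServer/security/authentication'

function Get-AuthEnabled {
    param([string]$Location, [string]$Section)
    # Authentication sections are normally stored in applicationHost.config
    # under a <location> tag, so read them from APPHOST with -Location.
    (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location $Location -Filter "$authRoot/$Section" -Name 'enabled').Value
}

$report = foreach ($loc in $locations) {
    $anon = Get-AuthEnabled -Location $loc -Section 'anonymousAuthentication'
    $win  = Get-AuthEnabled -Location $loc -Section 'windowsAuthentication'

    $note = if ($anon -and $win) {
        'Both enabled: IIS attempts Anonymous first, so IWA sign-in is not automatic'
    } elseif ($win) {
        'Windows only: every user needs a portal account (or automatic account creation)'
    } elseif ($anon) {
        'Anonymous only: no IWA sign-in at the IIS layer'
    } else {
        'Neither enabled: requests will be rejected by IIS'
    }

    [pscustomobject]@{
        Location  = $loc
        Anonymous = $anon
        Windows   = $win
        Note      = $note
    }
}

$report | Format-Table -AutoSize -Wrap
```

Running it before and after an upgrade, or after switching to automatic account creation with Anonymous disabled, shows whether the IIS-level settings match the intended sign-in behaviour.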
Hi Jake,
Yeah, whether it was accidental or custom, it seems like things were working in a specified order and the upgrade to 11.5 killed that functionality. We did end up switching over to automatic account creation and turning off anonymous access, which results in basically the same functionality with slightly different implications (needing to monitor/manage portal accounts every so often), but we already had a script in place for this. Thanks for taking the time to respond.