Configure web-tier authentication in IIS for a highly available portal

07-07-2020 02:53 AM
MichailMarinakis1
Occasional Contributor II

Hi all, 

We are configuring a highly available portal with Integrated Windows Account (IWA) for version 10.7.1. In the chapter 'Configure web-tier authentication in IIS', there is a link for a technical article. This article describes some complex configuration steps in IIS "If planning to use an ArcGIS Web Adaptor (IIS) for Integrated Windows Authentication with a highly-available portal" which is our case. At the bottom of the technical article, it is mentioned that these instructions are for software 10.3 and 10.3.1. 

In our test environment, everything works fine without applying this step.

The question is: should we apply these complex steps from the technical article for the portal with version 10.7.1? If not, then it might be less confusing if this link were no longer in the documentation.

Thanks!

0 Kudos
9 Replies
JonathanQuinn
Esri Notable Contributor

Those instructions are for any version of Portal, and will be the instructions on any future versions as well. We'll update that doc.

MichailMarinakis1
Occasional Contributor II

Hi Jonathan, 

thank you for your prompt and clear response! I am now wondering why it works properly in our test environment without any intervention. I will discuss further with a network administrator. 

Just out of curiosity, what is the direct impact if we don't apply these steps? Users cannot connect? Accessibility to layers is not applied? Is there any specific behavior that we will notice? 

Thanks again!

0 Kudos
JonathanQuinn
Esri Notable Contributor

Hm, perhaps it depends on the browser settings. The changes you make in IIS are necessary so that a Kerberos ticket generated by one web server is trusted by the other web server. For example, a request from a user reaches web adaptor 1 on web server 1 and gets authenticated, and the next request can reach web adaptor 2 on web server 2. If the changes aren't made, I believe that the request will need to be re-authenticated. If your browser settings are configured to automatically authenticate each request based on the user's logon settings, then maybe they don't see an impact.

MichailMarinakis1
Occasional Contributor II

It seems that we have, by default, the option "Automatic login only in Intranet zone". I will confirm that with a network administrator.

Since the portal site will not be accessible outside of the organization, and all the clients will be in the intranet zone, do you think I still need to perform the steps described in the technical article above?

0 Kudos
JonathanQuinn
Esri Notable Contributor

Yes, you'll still need to perform the steps described in the article. How the browser handles IWA is separate from how the web servers will trust (or not trust) the tickets that are generated. I found a blog that describes this a bit:

On Load Balancers and Kerberos 

Bit of a different context, but the same principle applies.

by Anonymous User
Not applicable

Regarding that technical article, there are a couple of points in it that I've personally seen making system administrators uncomfortable and hesitant to follow through on the instructions.

Firstly, the article specifies "The domain account name must match the host name of the NLB". While the SPN certainly needs to include the hostname and FQDN of the NLB as is documented, I've been told it shouldn't matter what the domain account is called so long as it is consistent throughout. Are there any requirements specific to ArcGIS that dictate this naming convention? If so, it may instill confidence if the article expanded upon this point.

The second issue I've seen raised is that the -A syntax used in the setspn command has long since been deprecated, with Microsoft recommending everyone use -S. As far as I understand, the only reason anyone would have to use -A is if they were on Windows 2003 - for which extended support expired five years ago. Is there any reason to continue using -A syntax, or is it more the case that the article was written with compatibility in mind back when Windows 2003 was a supported operating environment?

JonathanQuinn
Esri Notable Contributor

That article has been around for some time, so it's very likely that information has changed since it was first written. I believe it was written in collaboration with Microsoft, but not entirely sure. We can review it and update where necessary. Thanks for the feedback.

PeterPang
New Contributor

Same here, I have questions regarding the technical article.

I am also curious about "The domain account name must match the host name of the NLB." Further elaboration would be very helpful if this is the case.

Also, I am confused about setspn to the "HTTPS" service class, since "The HTTP service class differs from the HTTP protocol. Both the HTTP protocol and the HTTPS protocol use the HTTP service class." (from Microsoft: How to use SPNs when you configure Web applications that are hosted on Internet Information Services)

MarGIS
New Contributor III

@JonathanQuinn I have configured the steps in the article above and still encounter a prompt window when I access the HA portal with two web adaptors. I am confused about the first step in the article, which states you should run the following commands:

setspn -A HTTP/NLBhostname.domain.com newaccount
setspn -A HTTP/NLBhostname newaccount
setspn -A HTTPS/NLBhostname.domain.com newaccount
setspn -A HTTPS/NLBhostname newaccount

In my case I have two webadaptors for example

web01.domain

web02.domain

Should the syntax be 

SetSPN -a HTTPS/web01.domain domain\newaccount
SetSPN -a HTTPS/web01 domain\newaccount

OR

SetSPN -a HTTPS/loadbalancer.domain domain\newaccount

as I found in other resources that the SPN should be created using the name of the machine that runs the web application, which in our case is the machine that runs the Web Adaptor

https://petri.com/how-to-use-setspn-to-set-active-directory-service-principal-names-2/

Your help is highly appreciated.

Thanks

0 Kudos
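
Added example, not part of any post in this thread and not Esri's or Microsoft's code: a PowerShell check-then-register for the NLB SPNs discussed above, using `setspn -S` (the replacement for `-A` raised in the thread) and only the HTTP service class, as in the Microsoft passage quoted above. The host, DNS suffix and account names are the placeholders from the quoted commands; the script assumes the RSAT ActiveDirectory module and looks for duplicates in the current domain only.

```powershell
# Added example; all default values are placeholders, not real names.
#Requires -Modules ActiveDirectory
param(
    [string]$NlbHost   = 'NLBhostname',   # short name clients use to reach the portal
    [string]$DnsSuffix = 'domain.com',
    [string]$Account   = 'newaccount',    # domain account that will hold the SPNs
    [switch]$Register                     # without this switch the script only reports
)

# The HTTP service class covers both http:// and https:// URLs,
# so no separate HTTPS/... SPN is listed here.
$spns = "HTTP/${NlbHost}", "HTTP/${NlbHost}.${DnsSuffix}"

$target = Get-ADUser -Identity $Account

foreach ($spn in $spns) {
    # An SPN must map to exactly one account in the directory.
    # If two accounts hold it, Kerberos authentication for that name fails.
    $owners = @(Get-ADObject -Filter "servicePrincipalName -eq '$spn'")
    $others = @($owners | Where-Object {
        $_.DistinguishedName -ne $target.DistinguishedName
    })

    if ($others.Count -gt 0) {
        Write-Warning "$spn is held by: $($others.DistinguishedName -join '; ')"
    }
    elseif ($owners.Count -eq 1) {
        Write-Output "$spn is already registered to $Account"
    }
    elseif ($Register) {
        # -S searches for a duplicate before adding; -A adds without checking.
        & setspn.exe -S $spn $Account
    }
    else {
        Write-Output "$spn is missing; re-run with -Register to add it"
    }
}

# Show every SPN the account holds after the run.
& setspn.exe -L $Account
```

Service tickets for these SPNs are encrypted with a key derived from the account's password, so the account holding them should have a long, random password.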