Portal, editor tracking, web tier, single sign on + IIS question

04-02-2018 12:21 PM
AllenScully
Occasional Contributor III

We have an editing web app under construction that will allow Fire Dept. staff to quickly enter hydrant inspection results on a mobile device (VPN connection to our network since we're using Portal).

We have the actual feature service that will be edited published on a web-tier secured server and added to Portal as a feature layer (I have found web tier is better for editor tracking credentials to flow through - but if someone has tips on other options, I'm all ears).

The issue is that the web tier secured layer asks for credentials a second time (in addition to the users logging in to Portal which is expected and fine w/ users).  

I seem to recall one can change a setting in IIS that impacts this behavior - possibly disabling anonymous authentication?  

The net goal here is to have the web tier server read the Portal credentials the user signs in with to avoid 2 sign ins (both the Portal site and web tier server use AD).

I know for single sign-on we have modified settings in browsers on individual machines, but this would be prohibitive in this case.

Thanks - 

Allen

0 Kudos
3 Replies
JonathanQuinn
Esri Notable Contributor

I assume that Portal and Server aren't federated? If so, then your users connect to the Portal via the application, they will automatically be authenticated to access any services, as Portal controls the user store for any services.

Since you're using separate authentication tiers (Portal has one and Server has its own), I think you'll have to do something within the Security settings of your browser, ex:

If the URLs for the Server and Portal are added to the sites in the Local intranet zone, then you should be automatically authenticated. This is on a per-user basis so each staff member would need to make sure that the URLs are in the local intranet zone. This could possibly be pushed out as a GPO update?
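
The Local intranet zone mapping described in the reply above, scripted for the current Windows user. This is an added example, not part of the original post; the hostnames `portal.example.com` and `gisserver.example.com` and the function names are placeholders and assumptions.

```powershell
# Added example: per-user Local intranet zone mapping for two specific hosts.
# Hostnames are placeholders; replace them with the real Portal and Server names.
$ZoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$LocalIntranet = 1   # Zone numbers: 1 = Local intranet, 2 = Trusted sites, 3 = Internet

# List exact hosts instead of the whole domain, so automatic logon with the
# user's AD credentials is limited to the two sites that need it.
$Sites = @(
    @{ Domain = 'example.com'; HostLabel = 'portal'    },
    @{ Domain = 'example.com'; HostLabel = 'gisserver' }
)

function Set-IntranetSite {
    param([string]$Domain, [string]$HostLabel)
    # Registry layout is ZoneMap\Domains\<domain>\<host label>
    $key = Join-Path (Join-Path $ZoneMap $Domain) $HostLabel
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # Map only the https scheme, so credentials are never offered over plain http.
    New-ItemProperty -Path $key -Name 'https' -Value $LocalIntranet `
        -PropertyType DWord -Force | Out-Null
}

function Get-SiteZone {
    param([string]$Domain, [string]$HostLabel)
    # Returns the zone number mapped for https, or $null when no mapping exists.
    $key = Join-Path (Join-Path $ZoneMap $Domain) $HostLabel
    (Get-ItemProperty -Path $key -Name 'https' -ErrorAction SilentlyContinue).https
}

foreach ($site in $Sites) {
    Set-IntranetSite @site
    $zone = Get-SiteZone @site
    $fqdn = '{0}.{1}' -f $site.HostLabel, $site.Domain
    if ($zone -eq $LocalIntranet) {
        Write-Output "$fqdn mapped to Local intranet zone (https only)"
    } else {
        Write-Warning "$fqdn is not in the Local intranet zone (current value: $zone)"
    }
}
```

For the GPO route mentioned above, the same mapping is available centrally through the Internet Explorer "Site to Zone Assignment List" policy, with each URL assigned the value 1.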

AllenScully
Occasional Contributor III

Thanks Jonathan - 

This particular server is not federated, but we actually do have a server federated with this Portal - which I did not use here because of the editor tracking + web tier issue (thinking web tier security works better w/ editor tracking).  In hindsight though, I would guess that if we publish this layer on the federated server it should behave as desired, correct?

0 Kudos
JonathanQuinn
Esri Notable Contributor

With respect to the editor tracking functionality and web tier authentication, I don't think it would matter where the service is published. It'd just be a smoother experience if it was published to a federated Server so you don't have multiple authentication tiers.