Portal for ArcGIS: Tie into AD without HTTPS?

PF1 · ‎08-12-2013

Has anyone installed the Portal for ArcGIS solution and successfully tie it into Windows AD without requiring HTTPS?

Based on the ESRI Documentation... The portal can be configured to use Integrated Windows Authentication (IWA) but that will require HTTPS (SSL) to be enabled on the Web-Adaptor/IIS server.

We have many ArcGIS Server deployments which most are running just HTTP over port 80. If we enable this it appears that all services that run over HTTP port 80 will be inaccessible to the Portal for ArcGIS solution. Our security requirements on user accounts are quite extensive (12 chars, mixed case, special chars, numeric, expire 60 days, etc, etc, etc) so the BUILT-IN User store is not an adequate solution.

Based on the ESRI Documentation... The portal can also be configured using LDAP. My question (s):

Has Anyone tried to tie into an existing AD implementation using LDAP and Portal for ArcGIS without HTTPS being required?

If so - What network traffic is being passed back and forth? I would assume some sort of token and the user name. Is that being passed via SSL, but allow non-ssl services to be registered and consumed on the interactive maps?

Thanks for any feedback!

DavidCordes · ‎08-15-2013

HTTPS is always required with Portal, whether you use LDAP/ActiveDirectory or not. Portal automatically comes with https enabled and no way to disable it. Many pages in Portal must be read over https (such as the 'My Organization' page) and links will break if you somehow disable https after the fact. To prevent problems the web adaptor can not even be configured until https has been enabled in the web server as well.

The thing that differs with ActiveDirectory/LDAP and web tier authentication is that HTTP (unencrypted communications) must be disabled and all communications must go through https. If you were using built in users you could have HTTP enabled.

--- David

PF1 · ‎08-15-2013

HTTPS is always required with Portal, whether you use LDAP/ActiveDirectory or not. Portal automatically comes with https enabled and no way to disable it. Many pages in Portal must be read over https (such as the 'My Organization' page) and links will break if you somehow disable https after the fact. To prevent problems the web adaptor can not even be configured until https has been enabled in the web server as well.

The thing that differs with ActiveDirectory/LDAP and web tier authentication is that HTTP (unencrypted communications) must be disabled and all communications must go through https. If you were using built in users you could have HTTP enabled.

--- David

Hi David,

What we are really after is using the portal like Esri had configured on arcgis.com but use active directory for the identity store. On arcgis.com (and organization solutions) it is a built in identity provider, users login through an https channel, but the token that is generated is passed along over http (there are some risks to this such as token hijacking but those would be acceptable on our secured intranet), so that users can access http services without prompting for displaying insecure content. And yes there are some pages that require https but most users are only registering web services and adding those to the maps over non https methods.

We have tinkered over the past few days. We have successfully configured the java based web adaptor with tomcat 7 on a win 2008 server. Access to the portal with http and https configured. Identity store is ldap tied to Microsoft active directory. Users are prompted for their AD credentials on login and using the single sign on feature allows them to seamlessly pass the session id when switching to https sites such as the accessing 'my organization'.

Problem is that it is using http BASIC authentication over a non ssl pipe so user account credentials are passed as base 64 encoded clear text. A fiddler type tool and three lines of python code can decode the credentials... We have tried the http digest with no luck yet (not sure it's possible since I think it hashes the credentials before it gets to AD and AD can not unhash).

Thanks for the response.. We have switched to IWA for now since it was just simpler and we could not get tomcat/http/digest going, but users are prompted when insecure content is added (which is 99.9% of our internal services). IE does a fair job at letting the users know (so that they can accept the risk and access the insecure services) but chrome displayes a shield icon very suttly and users generally cannot figure out the work around without contacting the help desk. I will post back if I have any further successes to report. Thanks!

HessCorporation · ‎10-24-2013

Did you get an answer for this?

I want to use portal but cannot set AGS to federate or use https because it will break a number of non mapping systems that use our services to access GIS data via REST.

I notice ArcGIS Online uses https for the login page then http for the map display, that allows me to add internal services without triggering the secure content block in the browser. If there's a solution for AGOL there must be one for portal?