Cannot log in to our portal from Pro after configuring ADFS

01-25-2018 06:09 AM
DarrenHaag
New Contributor III

We are currently testing ADFS 3.0 on our internal portal. Works fine to access it through any browser using my Active Directory login. (I'm allowing both AD and Portal managed logins until we get any problems worked out.)

I can also log in to our portal through ArcGIS Pro using my Portal managed username and password.  Our ArcGIS Pro license is still managed by AGOL so there aren't any licensing issues.

However, when I try to log in to our portal through Pro using my AD credentials I get the following page after entering my email and password:

I'm guessing I'm just missing some IIS setting or maybe a setting in ADFS, I just don't know what it is.

DarrenHaag
New Contributor III

I should also note we are running 

Server 10.5.1

Portal 10.5.1

Pro 2.1

ThomasColson
MVP Frequent Contributor

How big is your AD forest? ADFS is essentially unusable with Portal if you have more than a few thousand users in the domain. And what are your SSL settings? ADFS -> Portal is very sensitive to cert properties. If you are using SSL, does your cert have a SAN property set that resolves to the FQDN of the web adapter?

DarrenHaag
New Contributor III

Thanks for the reply!

Our organization is around 900-1000.

Our SAN property is *.orgname.org, orgname.org

I have had no problem logging into our portal site through the actual portal website (go to site, log in using orgname's credentials, enter org email and password, connected). And I have run a test on other software using ADFS when logged out of the portal (cache, cookies cleared, etc.). I can view our secured portal web services in the other software that uses ADFS as a login without being prompted to log in.

The issue is when trying to log in to the portal with organization credentials with portal. I would think the ADFS integration with portal would affect everything and not just ArcGIS Pro.

But I'm also not an IT guy, so I don't know the complete ins and outs of the settings.

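Added example, not part of any post in this thread and not Esri or Microsoft code: a small check of which host names the SAN list quoted above (*.orgname.org, orgname.org) actually covers, since a wildcard entry stands for exactly one label. The host names tested are constructed for illustration; substitute the real FQDNs of the web adaptor and the ADFS server.

```python
"""Check which host names a certificate's SAN list covers (added example)."""


def san_matches(pattern: str, host: str) -> bool:
    """Match one DNS SAN entry against a host name.

    A '*' is honoured only as the entire left-most label and stands for
    exactly one label, so '*.orgname.org' covers neither the bare domain
    nor names nested two levels deep.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Wildcard label: everything to the right must be identical.
        return len(p) > 1 and p[1:] == h[1:]
    return p == h


def covered_by(san_list, host):
    """Return the SAN entries that cover host (empty list = name mismatch)."""
    return [s for s in san_list if san_matches(s, host)]


# SAN values as quoted in the thread.
THREAD_SANS = ["*.orgname.org", "orgname.org"]
# Constructed host names (assumptions, not taken from the thread).
SAMPLE_HOSTS = [
    "orgname.org",
    "gis.orgname.org",
    "adfs.orgname.org",
    "portal.gis.orgname.org",
]


def report(san_list=THREAD_SANS, hosts=SAMPLE_HOSTS):
    """Map each host name to the SAN entries that cover it."""
    return {h: covered_by(san_list, h) for h in hosts}


if __name__ == "__main__":
    for host, hits in report().items():
        status = "covered by " + ", ".join(hits) if hits else "NOT covered"
        print(f"{host:26} {status}")
```

Both the portal host and the ADFS host appear in the sign-in redirect chain, so each name has to be covered by the certificate served on that host.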
ThomasColson
MVP Frequent Contributor

Can you run Fiddler or Wireshark while logging on? The IE page indicates that HTTPS traffic from Pro to PTL is being blocked.

DarrenHaag
New Contributor III

Yeah, running Fiddler, but I don't really know what all the messages mean.

Connecting Pro through the portal managed logins doesn't spit out any errors.

When trying to connect through the ADFS login:

1:  /portal/sharing/rest/oauth2/saml/authorize   HTTP/1.1 302 Found

2:  Tunnel to adfs server  HTTP/1.0 200 Connection Established

3: adfs server:   /adfs/ls/?SAMLRequest=blahblahblah  HTTP/1.1 302 Found

*Errors start

4: adfs server:   /adfs/ls/wia?SAMLRequest=blahblahblah HTTP/1.1 401 Unauthorized

5: adfs server:   /adfs/ls/wia?SAMLRequest=blahblahblah HTTP/1.1 401 Unauthorized

6: adfs server:   /adfs/ls/wia?SAMLRequest=blahblahblah HTTP/1.1 400 Bad Request

ThomasColson
MVP Frequent Contributor

There is some dark magic occurring with your ADFS configuration, but it can only be solved by your AD admin. Suggest getting him, and Tech Support, on a conference call... suspect it's an issue with your SSL certificate.