Scheduling Tasks That Access Portal Data

DavidSolari

I'm going over how my team manages scheduled tasks and I'm running into a roadblock. We have a number of tools that need to run directly against feature services, which means Pro needs credentials for the portal they're hosted and registered in. The issues is that Pro doesn't keep a user signed in indefinitely, so I have to go through every machine that runs these tasks and sign out then in to refresh the credentials. Consolidating every task to a single machine and service account simplifies this process but ideally I want a solution that doesn't need regular checkups like this.

Has anyone found a good solution for keeping Pro credentials refreshed? Alternatively, is there a reliable way for tasks to access portal data without relying on Pro's current account?

JoshuaBixby

Not having multi-factor definitely simplifies it, albeit at the price of less security. Have you thought about using SignInToPortal- ArcGIS Pro | Documentation in the code to ensure tokens are refreshed/renewed before running tools? The tool works with Integrated Web Authentication (IWA), or you could try using Windows Credential Manager.

View solution in original post

JoshuaBixby

Have you read through all of Types of authentication | Documentation | Esri Developer? The introduction of API key authentication at 11.4 really streamlined personal automation scripts.

DavidSolari

This looks fantastic for scripts that use the Python API and REST APIs but I don't think it's suitable for my case. I need to schedule Modelbuilder models and/or script tools that primarily use arcpy. These tools will need to access geodatabase items through a file path or EGDB connection as well as feature services via URL and they need to function as user-driven toolbox tools as well as scheduled tasks via the Python wrappers Pro creates. The developer info doesn't mention anything about traditional Desktop workflows and limits like "must refresh and replace the keys" or "can only access up to 100 owned items" are also a non-starter. In a perfect world the only maintenance required in the process is reauthenticating on the machine that runs the tasks any time we change the password for our scheduled tasks account and then everything flows from that.

That said, this is much better than our current solution for outside apps that integrate with our Portal so I'll dig into this once my team does the next Enterprise upgrade, thank you!

JoshuaBixby

Make sure to read Specify the maximum token expiration time - Portal for ArcGIS | Documentation for ArcGIS Enterprise, it covers default and maximum timeframes for various tokens used to connect to Portal and services. Allowing up to 14-days for some of the tokens is fairly generous from a security standpoint. As convenient as months-long refresh tokens would be, they would represent a security risk that I doubt many system security officers would be willing to live with.

JoshuaBixby

How is Portal authentication happening, built-in accounts or an identity provider?

DavidSolari

Right now the accounts are the ones linked to our AD (I think that's the Identity Provider type) but we need to spin up a new account eventually so we can switch to a built-in account if that works better.

JoshuaBixby

Are the AD logins username/password or PIV/smartcard, i.e., single or multi-factor logins?

DavidSolari

Just username/password. I think we'll have to use 2FA eventually due to Azure rules but it's currently not enabled.

JoshuaBixby

Not having multi-factor definitely simplifies it, albeit at the price of less security. Have you thought about using SignInToPortal- ArcGIS Pro | Documentation in the code to ensure tokens are refreshed/renewed before running tools? The tool works with Integrated Web Authentication (IWA), or you could try using Windows Credential Manager.

DavidSolari

At first glance this looks like the magic bullet, I'll get my hands on a built-in account and report my findings once I have time to test this