WAB applications after Portal federation

10-05-2016 06:31 AM
ShawnBowers
New Contributor III

We have several WAB applications that work on anonymous access through Portal and don't use secure services.  The plan is to federate our Portal with Server to host tile layers.  When I federate through Portal all of our apps then prompt for login credentials.  Has anyone run into this issue before?  Here is the layout and settings:

Server 10.4.1 on Machine A

Web Adaptor 10.4.1 on Machine A for (Portal,http,https)

Portal 10.4.1 on Machine B

Server and Portal configured for http and https

Portal configured for anonymous access

All three web adaptors enabled anonymous access in IIS on Machine A

All maps and resources shared to "Everyone" on Portal

0 Kudos
9 Replies
DerekLaw
Esri Esteemed Contributor

Hi Shawn,

What security model is your Portal configured for? Built-in identity store? IWA? SAML?

And you have 3 Web Adaptors, to confirm: you have 1 configured with Portal and the other 2 configured with the GIS Server, is that right?

0 Kudos
ShawnBowers
New Contributor III

We are using Built-in for the security model.  And yes, 1 configured for Portal, 1 for Server http and 1 for Server https.  

0 Kudos
DerekLaw
Esri Esteemed Contributor

Hi Shawn,

Still trying to get a clear picture of your deployment:

  • Are you using Web AppBuilder that is embedded within Portal for ArcGIS, or are you using Developer Edition?
  • And you've already federated your Server site with Portal, correct?
  • Were the apps created BEFORE you federated the Server site? And they were working without requiring a login?
  • Then after you federated the Server site, now when you try and access the apps they are prompting for a login, is that right?
  • I know your apps are not using any secured web services, but what was the security model set for the Server site before federation?
  • Also, you made the web apps shared with 'everyone' as well, right?
0 Kudos
ShawnBowers
New Contributor III

Hi Derek, thanks for the assist here.

We are using WAB Developer version 2.1.

I federated and then had to back out when users were prompted for login credentials.

All of the apps were created before federation.

Yes, after federation the apps are prompting for logins.

The security model before federation was Windows domain for users and ArcGIS Server for roles.  When I backed out of federation this reverted ArcGIS Server to ArcGIS Server Built in for both. 

Yes, all web apps are shared with "Everyone".

I didn't have time to check all of the maps and content after federation since this is a production environment but would I need to go back and re-share everything again after I federate?

0 Kudos
DerekLaw
Esri Esteemed Contributor

Hi Shawn,

Just for context: when you federate a Server site with Portal for ArcGIS, you're switching the security model for the Server site to use the security model that's been configured for Portal. Typically you would want to do this BEFORE you create web apps using resources from both the Server site and Portal.

Also, web services that existed in the Server site before you federated with Portal will automatically have Portal items created for them in Portal when you federate the Server site. These new Portal items (where each web service will become a unique item in Portal) will be owned by the admin who performed the federate operation and will be private by default. Have these Portal items that represent the web services that existed in the Server site before federation been shared with "everyone"?

When you created the web maps (that your Web AppBuilder web apps are built on), when you added the web services that existed in the Server site - did you directly reference their REST endpoints? OR, had you registered the web services with Portal, and added them via their Portal item URLs? If the former, perhaps the "new Portal items" (that I reference in the previous paragraph) may be causing the prompt for login credentials.

Hope this helps,

0 Kudos
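An added example, not part of the thread or Esri's code: a small offline audit that matches each web map layer URL to Portal items for the same service and reports any item that is not shared publicly, which is the condition described above as a likely cause of the login prompt. The `access`, `url`, `owner` and `operationalLayers` fields follow the Portal item and web map JSON; the sample data, hostnames, ids and the function names `service_key` and `audit_webmap` are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample data; hostnames, ids and titles are made up.
PORTAL_ITEMS = [  # shape of "results" from a Portal item search (f=json)
    {"id": "a1", "title": "Parcels", "owner": "portaladmin", "access": "private",
     "url": "https://gis.example.com/arcgis/rest/services/Parcels/MapServer"},
    {"id": "b2", "title": "Parcels (registered)", "owner": "sbowers", "access": "public",
     "url": "http://gis.example.com/arcgis/rest/services/Parcels/MapServer"},
    {"id": "c3", "title": "Roads", "owner": "portaladmin", "access": "public",
     "url": "https://gis.example.com/arcgis/rest/services/Roads/MapServer"},
]
WEBMAP = {"operationalLayers": [
    {"title": "Parcel lines", "url": "http://GIS.example.com/arcgis/rest/services/Parcels/MapServer/0"},
    {"title": "Roads", "url": "https://gis.example.com/arcgis/rest/services/Roads/MapServer"},
    {"title": "Zoning", "url": "https://gis.example.com/arcgis/rest/services/Zoning/FeatureServer/2"},
]}

def service_key(url):
    """Normalize a service URL: drop scheme, case, trailing slash and layer index."""
    parts = urlsplit(url)
    segs = parts.path.rstrip("/").split("/")
    if segs and segs[-1].isdigit():        # .../MapServer/0 -> .../MapServer
        segs.pop()
    return (parts.netloc + "/".join(segs)).lower()

def audit_webmap(webmap, items):
    """Return {layer title: finding} for layers that may trigger a login prompt."""
    by_service = {}
    for item in items:
        if item.get("url"):
            by_service.setdefault(service_key(item["url"]), []).append(item)
    findings = {}
    for layer in webmap.get("operationalLayers", []):
        if not layer.get("url"):
            continue
        matches = by_service.get(service_key(layer["url"]), [])
        # Report every matching item that is not public; duplicates are all listed.
        blocked = [f'{i["id"]} ({i["owner"]}, {i["access"]})'
                   for i in matches if i["access"] != "public"]
        if not matches:
            findings[layer["title"]] = "no Portal item found for this service"
        elif blocked:
            findings[layer["title"]] = "not shared with Everyone: " + ", ".join(blocked)
    return findings

if __name__ == "__main__":
    for title, finding in audit_webmap(WEBMAP, PORTAL_ITEMS).items():
        print(f"{title}: {finding}")
```

The audit only reports; it does not assume which of two duplicate items controls access, so a listed item is a candidate for review rather than a confirmed cause.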
ShawnBowers
New Contributor III

I suspect you are right with the service urls.  In most of our maps we have a mix of directly added service urls and registered web services from Portal.  When you federate how does it deal with services that have already been added and registered through a url to Portal?  Does it replace it or duplicate it?  

I'm thinking we will have to go through the federation then I will have to re-share each service again.  What I'm hoping not to have to do is redo every one of the 15+ web maps to add the services.  If I do need to update the service urls in the map could I just use the ArcGIS Online Assistant tool? 

0 Kudos
DerekLaw
Esri Esteemed Contributor

Hi Shawn,

> When you federate how does it deal with services that have already been added and registered through a url to Portal?  Does it replace it or duplicate it?  

Portal will "duplicate" the items.

> If I do need to update the service urls in the map could I just use the ArcGIS Online Assistant tool? 

I haven't tested this workflow, so I am not sure. Maybe. Suggest you give it a try - but I don't know if it will work.

Hope this helps,

ShawnBowers
New Contributor III

Derek, I did get federation configured correctly.  I used the Portal Admin account to do the actual federation and then shared all of that account's content with "Everyone".  This allowed users to see the maps without the prompt for credentials.  

No additional configuration of the service urls was needed for the existing maps.  And, as an added bonus the pre-existing services do not show up in the "Add Data" widget for our maps.  This was a concern for us since services don't always have the most appropriate name for end users.  

Thank you for your help on this issue!

DerekLaw
Esri Esteemed Contributor

Hi Shawn,

I'm happy to hear that your issue is resolved.

0 Kudos