Select to view content in your preferred language

Portal Tier Authentication with Windows Active Directory Accounts in Highly Available ArcGIS Enterprise

1946
4
Jump to solution
07-21-2021 03:51 PM
BenjaminBlackshear
Regular Contributor

I have deployed ArcGIS Enterprise 10.8.1 and configured it for high availability. I have a few questions to ensure the deployment is configured correctly as I am trying to use a setup that isn't mentioned in any of the deployment patterns.
I am using a slightly modified version of this deployment pattern:

BenjaminBlackshear_0-1626907300050.png

Machine 1 is running portal (primary), server, data store (primary), and 2 web adapters (portal and server)
Machine 2 is running portal (secondary), server, data store (secondary), and 2 web adapters (portal and server)
The two ArcGIS Server installations have been joined and are operating as one site which is federated with the portal using the load balancer url.


I am not planning to use IWA with my highly available portal, I want to use Active Directory accounts with portal authentication as described here: https://enterprise.arcgis.com/en/portal/10.8/administer/windows/use-your-portal-with-ldap-and-portal...

I have not seen this configuration described in any of the high availability documentation or deployment scenarios, is this supported for highly available deployments? It is working fine now, I just want to confirm that it will not create problems later or expose me to any security risks.

0 Kudos
2 Solutions

Accepted Solutions
Todd_Metzler
Frequent Contributor

My configuration is the same as yours except the high availability.  Has been working just fine for over a year.  Run PortalScan and ServerScan and address any reported security issues that concern you.

TIP:  Work closely with your Active Directory Administrator to ensure the advertised attributes for named users conform to the structure expected by ArcGIS Enterprise.  In my config, we advertise user.name@domain instead of user.name@email.com(net)(gov)(...).  That initially caused ArcGIS Enterprise sign in confusion for our users.  What I did to address that was standardize the sign in to user.name@domain in every component of ArcGIS including AGOL and web mobile apps. 

View solution in original post

DavidHoy
Esri Contributor

Hi Benjamin

yes your HA configuration will work fine.

Todd's suggestion is useful in specific AD configurations - check with your organisation's AD Administrator to be sure.

View solution in original post

4 Replies
Todd_Metzler
Frequent Contributor

My configuration is the same as yours except the high availability.  Has been working just fine for over a year.  Run PortalScan and ServerScan and address any reported security issues that concern you.

TIP:  Work closely with your Active Directory Administrator to ensure the advertised attributes for named users conform to the structure expected by ArcGIS Enterprise.  In my config, we advertise user.name@domain instead of user.name@email.com(net)(gov)(...).  That initially caused ArcGIS Enterprise sign in confusion for our users.  What I did to address that was standardize the sign in to user.name@domain in every component of ArcGIS including AGOL and web mobile apps. 

BenjaminBlackshear
Regular Contributor

Thanks Todd!

@DavidHoycan you confirm that this is supported for highly available deployments as well?

0 Kudos
DavidHoy
Esri Contributor

Hi Benjamin

yes your HA configuration will work fine.

Todd's suggestion is useful in specific AD configurations - check with your organisation's AD Administrator to be sure.

BenjaminBlackshear
Regular Contributor

Great, thanks for your help!

0 Kudos