Latest Contributions by JeffSmith

I agree with what @DavidPike said.  There is no way to automatically remove users from Portal once they have been removed from A/D.  If you have a lot of users in Portal, using a Python script to return a list of users and their last login is helpful.  I'll put in a plug for the next release of Portal.  In 11.1, a new Python script is included with Portal that will identify users that no longer exist in A/D or LDAP and give you a much easier way to delete them all at once.  A report is generated so you can review what was found before deleting them.  If any of those old users own any items, a separate list is generated so you can do a bulk transfer of all the items to a different user prior to deleting them. ... View more

Yes, we do plan on providing a fix for this for 10.9.1 as a part of the next Portal security patch.  We are hoping to have this available by early March. ... View more

Version B of this Portal for ArcGIS patch for 11.0 has just been released.  It may take a little while to be listed in the Patch Notification tool, but it can be downloaded from the patch page. https://support.esri.com/en/download/8070 ... View more

Yes, there were some enhancements in 10.9.1 to validate the certificate used in the Server admin url.  We didn't do this in 10.7 and while things still worked, there were some workflows that would fail if Portal did not trust the Server admin url certificate. Since you are receiving that error message, I would double-check that the root certificate and any intermediate certificates from the CA that signed your wildcard cert are imported into the portaladmin api under sslCertificates/importRootOrIntermediate.  Once imported, make sure the Portal service restarts for the new certs to take effect. ... View more

@Jay_Gregory- Once support for SAML based groups was added to ArcGIS Enterprise around release 10.7, that became the recommended workflow.  Technically using SAML for logins and LDAP for enterprise groups should still work though.  A couple of things to double-check: * The username attribute used by SAML (corresponding to the "Name ID") needs to match the "usernameAttribute" specified in the group store configuration json string.  If you are connecting to Active Directory, this is usually "sAMAccountName". * In the SAML login configuration in Portal, make sure the option to "Enable SAML based group membership" is disabled in the advanced settings.  Since you want to use LDAP to manage group membership, you want to make sure Portal is not expecting groups to be passed in the SAML assertion. ... View more

@MarGIS, I can't say for 100% that it is not supported but I have never seen one on Linux and from what I have read, if it were possible, it would not be straight-forward.  I know you can federate a Linux server with AD but I'm not sure how Linux would utilize a gMSA without explicitly providing the password. ... View more

I'm not aware if gMSA accounts are supported on Linux in general, let alone in ArcGIS Enterprise on Linux.  Is there a tool or utility you've used to utilize gMSA accounts from Linux? ... View more

No, as of right now there are no plans to release a python script for the 1.x mitigation similar to what was done for 2.x. ... View more

Hi Dean, No, Esri has not released an official mitigation script to address any of these log4j 1.x vulnerabilities.  That being said, we are actively working on patches for all components of ArcGIS Enterprise that will update the log4j 2.x jar files to 2.17.1 and remove the vulnerable classes from the log4j 1.x jar files.  We can't provide a release date for them but they are taking the highest priority right now. As you and Randall have mentioned, there are dependencies on some of the log4j 1.x so those jar files cannot just be deleted and replaced with the 2.x jar files.   ... View more