Latest Contributions by DavidHoy

When federating from the Portal’s “Servers” page, you are asked to supply two.URLs : service URL and administrative URL in most cases (as per the blog document) these can be the same. It is the route via the Load Balancer, including the “context”. ... View more

The documentation in this link re load  balancers should have all the info you need. i would be adding your Portal as a target group (backend pool) behind your load balancer - just with a single node in the “portal” pool. This way the load balancer is just acting as a reverse proxy for your portal.  you haven’t said whether you are using web adaptors or what type of load balancer, so hard to be specific.  the advantage of using the same LB for portal and server is that you will have one front end FQDN in the URLs for both the portal and the server site. If using WAs, it is trivial to identify which incoming requests should be directed to the portal backend (https://yourdnsname/portal/*) and which should go to the server (https://yourdnsname/arcgis if your server’s VMs are using WAs called “arcgis”. if not using WAs it is a trickier set of rules to look for in the incoming request (arcgis /home, /arcgis/sharing, /arcgis/portaladmin as a starter set) ... View more

@LaurePillet2  did you ever resolve this? ... View more

Hi Grant i believe you don't need to have the https://    and you certainly don't need the full URI including webadaptorname can you try *.domain.com ?  - that would be a typical entry see What you can do, should do and should NOT do with GPOs: Internet Explorer site to zone assignments - is it valid and why not? (evilgpo.blogspot.com)  for a few tips on what can go in the list of trusted sites. ... View more

and it is the portal web adaptor URL you have added to your list of trusted sites? It needs to be that, even if you are trying to get to the server pages, as that's what federation does - authentication is handled by the way the portal is configured. your symptom that SSO works when you go to IIS by machine name but not when you use the alias seems to be saying that alias is not in the list of "trusted sites". but your local machine name is recognised as being in "local intranet" zone. ... View more

Grant, sorry to ask, but to be clear Did you also check the box in Custom Settings for "Trusted Site"/"Local Intranet" to allow "Automatic logon with current user name and password"? As Chris P pointed out in earlier post in this discussion. This is a CLIENT SIDE setting that you may need to get pushed to all users via a Group Policy setting once you have shown it works for the machine from which you are testing.   ... View more

Hi @EsriEvan  any update on a potential workaround if ARR is used to reverse proxy the AM Server? ... View more

I don't have personal experience with stopping/starting AGW v2 or with the scaling options, so I am interested to hear the results of your testing Si. @ShanonLoughton may have experience or opinion? In another site, we dropped back to simple Load Balancer sharing to Web Adaptors - this allows simple context based routing with a single front end URL and is way cheaper and easier to deploy manually than using AGW. I like Web Adaptors - when I hear people saying they are a bottleneck, I think they are likely blaming the bad performance of underlying services on an innocent party. ... View more

ok - I just did some testing in my sandbox username does not change - just the property called IDPUsername content is still owned by the original username I confirmed by looking in the portal/sharing/rest/community/users/<username> directory where these properties are listed ... View more

Hi Dean -  I presume this keeps the internal user identifier, so content ownership and group membership would remain unaffected. But does the username shown in the Profile and Item ownership say remain unchanged (i.e. is the IDP username effectively an Alias - only used when authenticating?) ... View more

If you just switch to using SAML login, you are correct that new users may appear in your Portal for the <usrname>@domain.net username provided by Azure AD as they start to login (if you have automatic user creation enabled) There is no back-door way to update existing users to have a new username. You will need to transfer any content owned by the existing usernames <usrname>@domain to be owned by the new names. We have handled this by scripting - create the new users and assign the new users the appropriate type and role - assign the new usernames to the Groups to match the old username - transfer ownership of any Portal items to the new user - disable the existing Username (remove in future) Once this is complete, the first time a user logs in via SAML, they will find their new username is in place You cannot have IWA and SAML working at the same time, so User Store Configuration and Group Store configuration cannot be "WINDOWS" ... View more

hi Vijay, your plan is sound - a split-zone dns arrangement would certainly allow the ArcGIS Enterprise to work for external and internal users. There are many forms of DNS, so, it is difficult to provide instructions here unless you can be more specific. A bit of web searching for the doc for your particular DNS provider should get you there. If you cant work it out - it is not a critically bad thing to allow your internal users to have everyone have the FQDN resolve to the Reverse Proxy. ... View more

Hi Ryan as you are about to discover, ArcGIS Enterprise is quite a different beast to Standalone ArcGIS Server. If you are thinking of using webgisdr - I presume you are aware that this backs up all the tiers (Portal, all Federated Servers and ArcGIS Data Stores), you may find you are getting a larger and slower backup than you anticipate. Aside from that - very interesting method to speed up file access by pre-warm-up. You may find this is a good idea for FSx fileshares too. Have you considered using a UNC path and DNS alias for Fileshare used for Server config and directories? This may allow easy change to a newly recreated FSx share without needing to worry about updating any existing service configurations that are linked to data paths.   ... View more

@DMH_Hobart  Dean, the code I provided wasnt quite right - I will test and provide update shortly ... View more

Hi Dean,  you can retrieve the info about publication from from the sharing REST endpoint e.g. https://<portal-fqdn>/portal/sharing/rest/content/items/<item-id> You can search for the item representing your service at  https://<portal-fqdn>/portal/sharing/rest/search programmatically - the reference is here. https://developers.arcgis.com/rest/users-groups-and-items/item.htm items/[itemID]: Item—ArcGIS REST APIs | ArcGIS Developers   ... View more