IWA with a Federated ArcGIS Server

02-13-2024 05:03 PM
NathanHeickLACSD
Occasional Contributor III

If you set up your portal with IWA and then federate a GIS server with it, does Windows authentication automatically work without toggling the authentication method in IIS? It seems to be working through both the web adaptor and port 6443 immediately after federating, without enabling Windows authentication in IIS or disabling anonymous authentication. How does that work?


Accepted Solutions
hlindemann
New Contributor III

Hi @NathanHeickLACSD,

When you federate, the portal takes over security. It does this by writing your portal DNS, e.g. https://dns.com/portal, in your security configs, so when you hit https://dns.com/server/manager or https://dns.com:6443/arcgis/manager, this then authenticates against the https://dns.com/portal DNS, which is set up to use IWA. You will see that for https://dns.com:6443/arcgis/admin you do not get challenged, as this does not authenticate through portal.

Regards

Henry

NathanHeickLACSD
Occasional Contributor III

Thanks, @hlindemann. I really appreciate your knowledge. To take it further, does this mean that if you disable the PSA, the only way to access the server admin URL is to generate a token through the portal? I tried that mechanism and I was successful. Finally, is there any benefit or harm in turning on Windows authentication for the server web adaptor?

Thanks,
Nathan

hlindemann
New Contributor III

Hi @NathanHeickLACSD, on the PSA, yes, that is correct.

On the IWA, the benefit would be that once you configure internet option for your users, they will be auto logged in. If you set up auto account creation, then this can be quite useful in a large organization, because you can just hit the URL and create the account.

Downside:

The downside comes in when you have public apps: the general public will not be able to access these apps because they get the IWA challenge. In this case it would be more beneficial to set up something like SAML; you can have the benefit of SSO and the flexibility of being able to share apps publicly, and if you have Office 365 you already have the capability to set up SAML.

Regards

Henry
