If an ArcGIS Web Adaptor (IIS) is installed behind a Network Load Balancer (NLB) to support a highly-available portal, additional configuration steps are necessary in IIS to ensure Integrated Windows Authentication works correctly with the deployment.
When planning to use an ArcGIS Web Adaptor (IIS) for Integrated Windows Authentication with a highly-available portal, some non-trivial IIS configuration is required for the Web Adaptor to work correctly behind the NLB. The reason is that browsers request a Kerberos service ticket for the host name in the URL, which is the NLB host name rather than either machine's own name, so both Web Adaptor machines must run under one domain account that holds the Service Principal Name (SPN) for that host and can decrypt those tickets. Review the configuration steps below to confirm the organization can support Integrated Windows Authentication in IIS.
If the Web Adaptor is installed in front of the NLB, or if web-tier authentication in IIS is not being used, this article does not apply.
Note: The first step below must be performed by a domain administrator. Review these instructions and coordinate with an administrator so they understand the requirements for configuring the ArcGIS Web Adaptor (IIS) with a highly-available portal.
Ask the domain administrator to create a new domain account and register Service Principal Names (SPNs) for the NLB host name on it, using the commands below. Name the domain account after the host name of the NLB; note that Kerberos selects the account through the SPN registered on it, not through the account name, so each SPN must be registered on exactly one account in the forest. Browsers request the HTTP/ service class even for https:// URLs, so the HTTPS/ entries are harmless but not what clients use. Record the domain and name of the new account; it is needed when setting the application pool identity.
setspn -A HTTP/NLBhostname.domain.com newaccount
setspn -A HTTP/NLBhostname newaccount
setspn -A HTTPS/NLBhostname.domain.com newaccount
setspn -A HTTPS/NLBhostname newaccount
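The following is an added example of how a domain administrator might script this step; it is not part of the original article. The NLB host name portal.example.com, the account name svc-wa-portal and the OU path are assumptions. It differs from the commands above in two deliberate ways: it refuses to register an SPN that already exists on another account (a duplicate SPN causes the KDC to issue tickets the wrong account cannot decrypt), and it uses setspn -S, which performs that duplicate check itself, instead of setspn -A, which does not.

```powershell
# Added example, not from the Esri article. Run from an elevated PowerShell prompt
# on a domain-joined administration workstation with the ActiveDirectory module.
Import-Module ActiveDirectory

$NlbFqdn  = 'portal.example.com'                       # assumption: NLB host name
$NlbShort = $NlbFqdn.Split('.')[0]
$Account  = 'svc-wa-portal'                            # assumption: new domain account
$OuPath   = 'OU=Service Accounts,DC=example,DC=com'    # assumption: where to create it

# Any domain user can request a service ticket for an account with an SPN and
# crack it offline (Kerberoasting). A long random password and AES-only keys
# are the minimum; the password is prompted for here so it never lands in a script.
$Password = Read-Host -AsSecureString -Prompt "Password for $Account"

New-ADUser -Name $Account -SamAccountName $Account -Path $OuPath `
    -AccountPassword $Password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -KerberosEncryptionType 'AES128,AES256' `
    -Description "ArcGIS Web Adaptor application pool identity for $NlbFqdn"

# The SPN, not the account name, is what ties the NLB host name to this account,
# so it must be unique in the forest. Stop if it already belongs to something else.
$Spns = @("HTTP/$NlbFqdn", "HTTP/$NlbShort", "HTTPS/$NlbFqdn", "HTTPS/$NlbShort")
foreach ($spn in $Spns) {
    # setspn -Q prints the owning object's DN (CN=...) when the SPN already exists.
    $owner = (setspn -Q $spn) -match 'CN='
    if ($owner) {
        throw "SPN $spn is already registered on: $owner"
    }
    # -S checks for duplicates forest-wide before adding; -A would add blindly.
    setspn -S $spn $Account
}

# Show what the account now holds, then run the forest-wide duplicate report.
setspn -L $Account
setspn -X
```

If the duplicate report lists one of these SPNs twice, remove it from the other object (often a machine account that was added by hand earlier) before continuing; Kerberos will not work reliably for the NLB host name until each SPN has exactly one owner.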
On the first portal machine hosting the Web Adaptor, open IIS Manager, expand the Server node in the Connections list, and click Application Pools.
Right-click the ArcGISWebAdaptorAppPool and select Advanced Settings.
Select the Identity property row and click the ellipsis button to open the Application Pool Identity window. Select the Custom account option and click Set. In the Set Credentials window, enter the domain account created by the domain administrator (in the format domain\newaccount) and its password. Click OK three times to set the custom application pool identity.
Enable Windows Authentication for the website hosting the Web Adaptor. To do this, expand the Sites node under the server node in the Connections panel and expand the website hosting the Web Adaptor. Select the node named for the Web Adaptor installed in IIS. In the middle panel under the IIS section, double-click Authentication. In the Authentication panel, right-click Anonymous Authentication and select Disable. Right-click Windows Authentication and select Enable. Ensure Windows Authentication is the only authentication method enabled on this node.
Right-click Windows Authentication and select Providers. Verify that both Negotiate and NTLM are listed as enabled providers, and click Cancel. If either is missing, select it from the list of available providers and click Add. Negotiate is what allows Kerberos; NTLM remains as the fallback for clients that cannot obtain a ticket.
Right-click Windows Authentication and select Advanced Settings. Verify that Kernel-mode authentication is disabled, and click Cancel. If it is enabled, clear its check box. Kernel-mode authentication decrypts tickets with the machine account's key, which does not hold the NLB SPN; with a custom application pool identity it must be turned off, or IIS must be told to use the application pool credentials in kernel mode (the useAppPoolCredentials setting below). This article does both.
In the Connections list, click the Web Adaptor name to view its properties panel, and in the middle panel under the Management section, double-click Configuration Editor. From the Section drop-down list, expand the system.webServer node > the security node > the authentication node, and select windowsAuthentication.
Set the useAppPoolCredentials property to True.
In the Connections panel, select the web server name, and in the Actions panel click Restart to apply the changes.
Close IIS Manager.
Repeat the IIS Manager configuration above, from opening Application Pools through restarting IIS, on the second Web Adaptor machine. When setting the application pool identity, specify the same domain account that holds the SPNs: both machines must present the same Kerberos key for the NLB host name, or clients balanced to the other node will fail to authenticate.
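The following is an added example that applies the same IIS settings from PowerShell on each Web Adaptor machine; it is not part of the original article. The site name Default Web Site, the Web Adaptor application name arcgis and the account EXAMPLE\svc-wa-portal are assumptions. Running one script on both nodes is the easiest way to guarantee that they end up identical, which is the property this procedure depends on.

```powershell
# Added example, not from the Esri article. Run from an elevated PowerShell prompt
# on each Web Adaptor machine; needs the WebAdministration module that ships with IIS.
Import-Module WebAdministration

$AppPool  = 'ArcGISWebAdaptorAppPool'
$Site     = 'Default Web Site'              # assumption: site hosting the Web Adaptor
$WebApp   = 'arcgis'                        # assumption: Web Adaptor name in IIS
$Location = "$Site/$WebApp"
$User     = 'EXAMPLE\svc-wa-portal'         # assumption: the account holding the SPNs
$Cred     = Get-Credential -UserName $User -Message 'Application pool identity'

# Run the application pool as the SPN-holding domain account on every node.
Set-ItemProperty "IIS:\AppPools\$AppPool" -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = $Cred.UserName
    password     = $Cred.GetNetworkCredential().Password
}

$authBase = 'system.webServer/security/authentication'
$common   = @{ PSPath = 'IIS:\'; Location = $Location }

# Anonymous off, Windows on, and no other scheme enabled on the Web Adaptor application.
Set-WebConfigurationProperty @common -Filter "$authBase/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty @common -Filter "$authBase/windowsAuthentication"   -Name enabled -Value $true
foreach ($other in 'basicAuthentication', 'digestAuthentication') {
    # These sections only exist when the corresponding IIS feature is installed.
    $section = Get-WebConfiguration @common -Filter "$authBase/$other" -ErrorAction SilentlyContinue
    if ($section -and $section.enabled) {
        Set-WebConfigurationProperty @common -Filter "$authBase/$other" -Name enabled -Value $false
    }
}

# Kernel-mode off so tickets are decrypted with the pool account's key, and
# useAppPoolCredentials on so that the pool account is used even if someone
# re-enables kernel mode later. Either alone would do; the article sets both.
Set-WebConfigurationProperty @common -Filter "$authBase/windowsAuthentication" -Name useKernelMode -Value $false
Set-WebConfigurationProperty @common -Filter "$authBase/windowsAuthentication" -Name useAppPoolCredentials -Value $true

# Make sure Negotiate (Kerberos) and NTLM are both offered.
$providers = (Get-WebConfiguration @common -Filter "$authBase/windowsAuthentication/providers/add").value
foreach ($p in 'Negotiate', 'NTLM') {
    if ($providers -notcontains $p) {
        Add-WebConfigurationProperty @common -Filter "$authBase/windowsAuthentication/providers" `
            -Name Collection -Value @{ value = $p }
    }
}

# Apply the changes (equivalent to Restart on the server node in IIS Manager).
iisreset

# Read back the effective settings so the two nodes can be compared side by side.
Get-WebConfiguration @common -Filter "$authBase/windowsAuthentication" |
    Select-Object enabled, useKernelMode, useAppPoolCredentials
(Get-ItemProperty "IIS:\AppPools\$AppPool" -Name processModel).userName
```

Save the output of the last two commands from each node; if they differ, one node will keep failing Kerberos authentication intermittently, depending on where the NLB sends each client.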
If using Microsoft Internet Explorer to access the portal, add the organization-facing portal URL to the list of Local intranet websites; outside that zone the browser will not send the logged-on user's credentials automatically. Chromium-based browsers on Windows (Edge, Chrome) consult the same Windows security zone settings when deciding whether to authenticate silently. For full instructions, consult the browser's product documentation.
Note:This applies to all versions of ArcGIS Enterprise portal 10.3 through 11.0.
Integrated Windows Authentication uses the security features of Windows clients and servers. Unlike Basic or Digest authentication, it does not initially prompt users for a user name and password; the browser authenticates with the identity of the logged-on Windows user.
NTLM authentication is still supported and must be used for Windows authentication with systems configured as members of a workgroup. NTLM is also used for local logon authentication on machines that are not domain controllers.
Kerberos has been the default Windows authentication protocol since Windows 2000, but there are still scenarios where it cannot be used and Windows falls back to NTLM. A service name with no registered SPN is one of them, which is why an NLB host name that nobody has registered silently degrades to NTLM rather than failing outright.
Integrated Windows Authentication leverages NTLM (NT LAN Manager) or Kerberos, negotiated through the Negotiate provider, to authenticate users without asking them to re-enter credentials when accessing services or applications within the Windows domain.
Windows Authentication is not installed in IIS by default. On a client edition of Windows, click Start, then Control Panel, then Programs and Features, then Turn Windows Features on or off; expand Internet Information Services, then World Wide Web Services, then Security; select Windows Authentication and click OK. On Windows Server the equivalent is the Web-Windows-Auth role service, which can be added from Server Manager or with Install-WindowsFeature Web-Windows-Auth.
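Because the fallback to NTLM is silent, the finished deployment should be checked rather than assumed. The following is an added example, not part of the original article, that tells a Kerberos logon from an NTLM one from both ends: the client asks the KDC for a ticket for the NLB name and then inspects its ticket cache after a request, and the server tallies recent network logons by authentication package. The host name portal.example.com and the path /arcgis are assumptions.

```powershell
# Added example, not from the Esri article.
$NlbFqdn   = 'portal.example.com'             # assumption: NLB host name
$PortalUrl = "https://$NlbFqdn/arcgis/"       # assumption: Web Adaptor path

# --- Client side: run on a domain-joined workstation as a domain user ---
klist purge | Out-Null

# Ask the KDC directly for a service ticket. KDC_ERR_S_PRINCIPAL_UNKNOWN (0x7)
# means no account in the forest holds HTTP/<host>; browsers will then use NTLM
# without any visible error.
$kdc = klist get "HTTP/$NlbFqdn" 2>&1
if ($kdc -match '0x7|PRINCIPAL_UNKNOWN') {
    Write-Warning "No SPN HTTP/$NlbFqdn is registered; clients will fall back to NTLM."
}

# Hit the portal with the logged-on identity, then look at what the cache holds.
$null = Invoke-WebRequest -Uri $PortalUrl -UseDefaultCredentials -UseBasicParsing
$cached = klist | Select-String -SimpleMatch "HTTP/$NlbFqdn"
if ($cached) { "Client: Kerberos service ticket for HTTP/$NlbFqdn is cached" }
else         { "Client: no service ticket cached; the request authenticated with NTLM" }

# --- Server side: run on each Web Adaptor machine ---
# Network logons (type 3) from the last hour, grouped by authentication package.
# NTLM entries after the change mean the SPN or the pool identity is wrong on
# this node, or the client did not attempt Kerberos (for example, the portal URL
# is outside the browser's intranet zone).
$since = (Get-Date).AddHours(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } |
    ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            LogonType = ($d | Where-Object Name -eq 'LogonType').'#text'
            Package   = ($d | Where-Object Name -eq 'AuthenticationPackageName').'#text'
            User      = ($d | Where-Object Name -eq 'TargetUserName').'#text'
        }
    } |
    Where-Object LogonType -eq 3 |
    Group-Object Package |
    Select-Object Name, Count
```

Run the server-side part on both nodes: a healthy deployment shows Kerberos on each of them for the same set of users, while one node showing only NTLM is the signature of an application pool identity that does not match the account holding the SPNs.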