How To: Configure Integrated Windows Authentication with a highly-available portal
If an ArcGIS Web Adaptor (IIS) is installed behind a Network Load Balancer (NLB) to support a highly-available portal, it is necessary to perform additional configuration steps in IIS to ensure Integrated Windows Authentication works correctly with the deployment.
If you plan to use an ArcGIS Web Adaptor (IIS) for Integrated Windows Authentication with a highly-available portal, several complex configuration steps are required in IIS so that the Web Adaptor works correctly with the highly-available portal deployment. Review the configuration steps below to confirm that the organization can support Integrated Windows Authentication in IIS.
If the Web Adaptor is installed in front of the NLB or if web-tier authentication in IIS is not being used, skip this article.
The first step below must be performed by a domain administrator. Review these instructions and coordinate with an administrator so they understand the requirements for configuring the ArcGIS Web Adaptor (IIS) with a highly-available portal.
1. Ask the domain administrator to create a new domain account and Service Principal Name (SPN) by using the commands below. The domain account name must match the host name of the NLB. Record the domain and name of the new account; this is needed in a subsequent step.

   setspn -A HTTP/NLBhostname.domain.com newaccount
   setspn -A HTTP/NLBhostname newaccount
   setspn -A HTTPS/NLBhostname.domain.com newaccount
   setspn -A HTTPS/NLBhostname newaccount

2. On the first portal machine hosting the Web Adaptor, open IIS Manager, expand the Server node in the Connections list, and click Application Pools.
3. Right-click the ArcGISWebAdaptorAppPool and select Advanced Settings.
4. Select the Identity property row, and click the ellipsis button to open the Application Pool Identity window. Select the Custom account option and click Set… In the Set Credentials window, use the domain account created by the domain administrator (using the format domain\newaccount), and specify the password for the user. Click OK, click OK again, and click OK once more to set the custom Application Pool Identity.
5. Enable Windows Authentication for the website hosting the Web Adaptor. To do this, expand the Sites node under the Server node in the Connections panel, expand the node for the website hosting the Web Adaptor, and select the node named after the Web Adaptor installed in IIS. In the middle panel under the IIS section, double-click Authentication. In the Authentication panel, right-click Anonymous Authentication and select Disable. Right-click Windows Authentication and select Enable. Ensure only Windows Authentication is enabled.
6. Right-click Windows Authentication and select Providers. Verify that Negotiate and NTLM are enabled, and click Cancel. If either provider is not listed, select it from the list of available providers and click Add.
7. Right-click Windows Authentication and select Advanced Settings. Verify that Kernel-mode authentication is disabled, and click Cancel. If it is enabled, uncheck the check box next to the option.
8. In the Connections list, click the Web Adaptor name to view its properties panel, and in the middle panel under the Management section, double-click Configuration Editor. From the Section drop-down list, expand the system.webServer node > the security node > the authentication node, and select windowsAuthentication.
9. Set the useAppPoolCredentials property to True.
10. In the Connections panel, select the web Server name, and in the Actions panel, click Restart to apply the changes.
11. Close IIS Manager.
12. Repeat steps 2-11 on the second Web Adaptor machine. When configuring the domain account to run the Web Adaptor application pool, specify the same domain account used in step 4.
13. If using Microsoft Internet Explorer to access the portal, add the organization-facing portal URL to the list of Local intranet web sites. For full instructions, consult the Internet Explorer product documentation.
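To confirm that both Web Adaptor machines ended up with identical settings, the read-only PowerShell check below can be run on each one; it is an added example, not part of the original article or of Esri's tooling. The site name, Web Adaptor name and account value are assumptions to replace with the deployment's own values.

```powershell
# Added verification example: run in an elevated PowerShell session on each
# Web Adaptor machine. It only reads configuration and changes nothing.
Import-Module WebAdministration

# Assumed values (not from the article); replace with the deployment's own.
$site    = 'Default Web Site'      # assumption: IIS site hosting the Web Adaptor
$app     = 'portal'                # assumption: Web Adaptor name in IIS
$account = 'DOMAIN\newaccount'     # placeholder for the account from step 1
$pool    = 'ArcGISWebAdaptorAppPool'

$path = "IIS:\Sites\$site\$app"
$auth = 'system.webServer/security/authentication'

# Read one attribute of an authentication section as it applies to the Web Adaptor.
function Get-AuthValue([string]$Section, [string]$Name) {
    (Get-WebConfigurationProperty -PSPath $path -Filter "$auth/$Section" -Name $Name).Value
}

# Providers enabled for Windows Authentication (step 6).
$providers = (Get-WebConfiguration -PSPath $path `
    -Filter "$auth/windowsAuthentication/providers").Collection |
    ForEach-Object { $_.value }

# Application pool identity (step 4).
$pm = Get-ItemProperty "IIS:\AppPools\$pool" -Name processModel

$checks = [ordered]@{
    'Step 4: app pool runs as the domain account' =
        ($pm.identityType -eq 'SpecificUser' -and $pm.userName -eq $account)
    'Step 5: Anonymous Authentication disabled' =
        -not (Get-AuthValue 'anonymousAuthentication' 'enabled')
    'Step 5: Windows Authentication enabled' =
        [bool](Get-AuthValue 'windowsAuthentication' 'enabled')
    'Step 6: Negotiate and NTLM providers present' =
        ($providers -contains 'Negotiate' -and $providers -contains 'NTLM')
    'Step 7: Kernel-mode authentication disabled' =
        -not (Get-AuthValue 'windowsAuthentication' 'useKernelMode')
    'Step 9: useAppPoolCredentials is True' =
        [bool](Get-AuthValue 'windowsAuthentication' 'useAppPoolCredentials')
}

foreach ($name in $checks.Keys) {
    $status = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
    '{0}  {1}' -f $status, $name
}

# List the SPNs registered on the account to compare against step 1.
setspn -L $account
```

Any FAIL line points to the numbered step to revisit on that machine, and the `setspn -L` output should list the four SPNs registered in step 1.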