How To: Authenticate with IWA or PKI on Portal for ArcGIS using Internet Explorer
In deployments where the web adaptor for Portal for ArcGIS and the IBM Cognos Gateway are not on the same domain, cross-origin (cross-domain) requests must be made from Esri Maps for IBM Cognos to Portal for ArcGIS. Because the default security settings in Internet Explorer do not allow cross-origin requests, the Esri Maps for IBM Cognos internal proxy (em4c.cgi) is configured to perform these requests when Internet Explorer is used.
This default configuration does not work when Portal for ArcGIS is configured with Integrated Windows Authentication (IWA) or Public Key Infrastructure (PKI). In the case of IWA, this is because the browser must use IWA to pass credentials. In the case of PKI, the browser must use PKI to validate the web server certificate against the certificate authority root certificate. To authenticate with PKI or IWA on Portal for ArcGIS using Internet Explorer, override the internal proxy and configure Internet Explorer to allow cross-origin requests.
This solution involves overriding the internal proxy using the neverUseProxy setting in settings.js and configuring Internet Explorer to allow cross-origin requests.
Internet Explorer provides a series of security zones that allow specification of security options for different types of web content. A zone consists of a collection of web sites that are assigned the same level of trust. Each zone contains various security settings. The Access data sources across domains security option specifies whether components that access data are allowed to do so if that data is served from a different domain. Access to data sources across domains can be enabled for the Local Intranet zone.
Before beginning, have the following information ready.
- The URL of the Portal for ArcGIS deployment
- The URL for the IBM Cognos Gateway
- The URL(s) for any ArcGIS for Server(s) hosting services that are available to users in Esri Maps for IBM Cognos
- On the EM4C Gateway, open settings.js in a standard text editor such as Notepad++. This file is found in the following location on each EM4C Gateway in your environment: <em4c_location>\webcontent\esrimap\configuration\settings.js
- In settings.js, set the arcgisAuthType to user, as follows:
- Set the arcgisUrl to the fully qualified URL for Portal for ArcGIS. For example: arcgisUrl: "https://myportal.mycompany.com/gis",
- Edit the corsEnabledServers setting to add the URLs of the portal and ArcGIS servers, separated by commas, as follows: corsEnabledServers: ["myportal.mycompany.com", "myArcGISServer.mycompany.com"],
- Add the neverUseProxy setting to the end of the file as follows:
- Save and close settings.js.
Note: This setting must be added to each settings.js file on each EM4C Gateway in your environment. The settings must be identical on all gateways.
- Open Internet Explorer.
- In Internet Explorer, choose Tools > Internet Options.
- From the Internet Options window, click the Security tab. The Security tab lists the various security zones that can be customized.
- Select the Local intranet zone and click Sites.
- On the Local Intranet window, click Advanced.
The Local Intranet sites window opens, listing the sites included in this zone.
- Add all resources to be accessed from Esri Maps for IBM Cognos, as follows:
- The URL for the IBM Cognos Gateway
- The URL for Portal for ArcGIS (same as the URL specified in settings.js)
- The URL(s) for any ArcGIS for Server(s) hosting services that will be accessible to users in Esri Maps for IBM Cognos
Note: All URLs must be defined and accessed using the HTTPS protocol because SSL is required for IWA/PKI. All URLs must be defined and accessed using the server's fully qualified domain name.
- When finished adding URLs, click Close and click OK to close the Local Intranet window and return to the Internet Options > Security tab.
- With the Local intranet zone selected, click Custom Level.
- The Security Settings window for the Local intranet zone opens. Scroll down to the Miscellaneous > Access data sources across domains option and select Enable.
- Click OK to close the Security Settings window and return to the Internet Options > Security tab.
- Click OK to close the Internet Options.
The browser must be restarted for changes to take effect.
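The following PowerShell audit is an added example, not part of the original article. It assumes the standard Windows registry layout for Internet Explorer zones (zone 1 is Local intranet, URL action 1406 is Access data sources across domains), which the article does not mention, and uses the article's sample host names as the expected site list. Because the cross-domain setting applies to every site in the zone, the script reports any site in the zone that is not on that list.

```powershell
# Added example: read-only audit of the Local intranet zone (zone 1) for the current user.
# Host names are the article's sample values; replace them with your own FQDNs.
$expected = @('myportal.mycompany.com', 'myArcGISServer.mycompany.com')

$inet    = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$policy  = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# URL action 1406 = "Access data sources across domains".
# Check the user setting and the Group Policy locations that can override it.
$zoneKeys = [ordered]@{
    'User setting'   = "HKCU:\$inet\Zones\1"
    'User policy'    = "HKCU:\$policy\Zones\1"
    'Machine policy' = "HKLM:\$policy\Zones\1"
}
foreach ($name in $zoneKeys.Keys) {
    $item = Get-ItemProperty -Path $zoneKeys[$name] -Name '1406' -ErrorAction SilentlyContinue
    $text = if ($null -eq $item) { 'not set' }
            else { '{0} ({1})' -f $item.'1406', $meaning[[int]$item.'1406'] }
    '{0,-16} 1406 = {1}' -f ($name + ':'), $text
}

# Sites added through Internet Options are stored as ZoneMap\Domains\<domain>[\<host>],
# with one value per protocol whose data is the zone number.
$marker = '\Domains\'
$mapped = foreach ($key in Get-ChildItem "HKCU:\$inet\ZoneMap\Domains" -Recurse -ErrorAction SilentlyContinue) {
    foreach ($proto in $key.GetValueNames()) {
        if ($key.GetValue($proto) -eq 1) {
            $parts = $key.Name.Substring($key.Name.IndexOf($marker) + $marker.Length).Split('\')
            [array]::Reverse($parts)          # <domain>\<host> becomes host.domain
            [pscustomobject]@{ Host = ($parts -join '.'); Protocol = $proto }
        }
    }
}

# Flag sites that are in the zone but not expected, or not limited to HTTPS.
foreach ($site in $mapped) {
    $status = if ($expected -contains $site.Host) { 'expected' } else { 'REVIEW: not in expected list' }
    if ($site.Protocol -ne 'https') { $status += '; not restricted to https' }
    '{0,-40} {1,-6} {2}' -f $site.Host, $site.Protocol, $status
}
# Flag expected hosts that were never added to the zone.
$expected | Where-Object { @($mapped.Host) -notcontains $_ } |
    ForEach-Object { "MISSING from Local intranet zone: $_" }
```

Sites assigned to the zone through Group Policy are stored under the Policies hive rather than under ZoneMap\Domains, so on a managed machine an empty site list from this script does not mean the zone is empty.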
Note: Network administrators must modify group policies to apply the above settings across the organization. If problems occur while implementing this solution, another option is to host the Portal for ArcGIS web adaptor on the same server as the EM4C Gateway. For this solution, configure the Portal for ArcGIS web adaptor and the EM4C Gateway to be served from the same origin so cross-origin requests are not required. This means they must be on the same host, domain, and port, and use the same protocol.