Overview
- An on-premises VertiGIS Studio product is configured to use a Portal for login.
- The Portal is configured to use Integrated Windows authentication for user sign-in.
- A user launches the on-prem VertiGIS Studio product which redirects to a Portal login page or endpoint.
- They sign in to Portal automatically, due to Integrated Windows authentication on the web tier.
- Portal issues a login token to the user.
- The VertiGIS Studio product then tries to use that token to get additional info from the Portal.
- Windows authentication on the Portal Web Adaptor authenticates the VertiGIS Studio product as its app pool user (or computer account), which is not the user who signed in.
- The token is then rejected as invalid, because the Windows identity presented at the Web Adaptor does not match the one encoded in the token.
To avoid this issue, we have developed the Geocortex Web Adaptor Extensions. This ASP.NET extension processes incoming requests to the Portal Web Adaptor. If the Windows identity of a request is recognized as a VertiGIS Studio product, the identity is cleared so that the request can be issued successfully on behalf of the Portal user.
Installing the Geocortex Web Adaptor Extensions
- Download the Geocortex Web Adaptor Extensions using the download link on this article. Make sure the ZIP is not blocked by the operating system after you download.
- Unzip the archive, ensuring that it's not blocked by your operating system.
- Navigate to the folder containing your Web Adaptor. This is a folder in the web root of the Web Adaptor server, by default: C:\inetpub\wwwroot\[webadaptorname].
- Create a new folder called bin in this folder.
- Install (copy) the assembly into the newly created /bin directory.
- Create a local Windows group named "ArcGIS Web Adaptor Trusted Service Accounts" on the server that hosts the Portal Web Adaptor.
- Add the application pool identities to the group you just created.
  - If the Web Adaptor and the VertiGIS Studio products are installed on the same machine and you have not changed the default application pool identities, add these (for Essentials, Essentials Manager, Printing, Printing pre-Feb 2022 installation, Reporting, Reporting pre-Feb 2022 installation, Workflow, or Workflow pre-Feb 2022 installation respectively):
    IIS AppPool\EssentialsAppPool4
    IIS AppPool\EssentialsAdministrationAppPool4
    IIS AppPool\VertiGISStudioPrinting
    IIS AppPool\GeocortexPrinting
    IIS AppPool\VertiGISStudioReporting
    IIS AppPool\GeocortexReporting
    IIS AppPool\VertiGISStudioWorkflow
    IIS AppPool\GeocortexWorkflow
  - If any application pools have been configured to run as a domain service account instead of the default "ApplicationPoolIdentity", add:
    DOMAIN\ServiceAccount
  - If the VertiGIS Studio products are installed on a different machine(s) than the Web Adaptor and you have not changed the default application pool identities, add:
    DOMAIN\MachineName$
- Restart the machine that is running the VertiGIS Studio applications that are attempting to connect to the ArcGIS Web Adaptor.
- This is required when adding a user to a local group. The user must be logged out and back in to be recognized as a member of that group.
- When the Web Adaptor authenticates the user, the Windows identity will be removed and any supplied token will be used for authentication.
Note
Because the extension removes the identity of the app pool user, that app pool user won't be able to sign in to the Portal through the Web Adaptor. If they try, they're going to be mysteriously locked out of the portal! To use this extension, configure your Geocortex application pools to use server or appliance (non-login) identities.
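
The installation steps above can be scripted on the Web Adaptor server. The following PowerShell is an added example, not part of the original article or the product. The ZIP path and Web Adaptor folder name are placeholders, and it assumes the archive contains the extension as one or more .dll files.

```powershell
#Requires -RunAsAdministrator
# Added example. Values marked PLACEHOLDER are assumptions, not from the article.
$ZipPath     = 'C:\Temp\WebAdaptorExtensions.zip'  # PLACEHOLDER: the downloaded ZIP
$AdaptorRoot = 'C:\inetpub\wwwroot\portal'         # PLACEHOLDER for [webadaptorname]
$GroupName   = 'ArcGIS Web Adaptor Trusted Service Accounts'

# Default same-machine identities from the article. Use DOMAIN\ServiceAccount or
# DOMAIN\MachineName$ entries instead when those cases apply.
$Members = @(
    'IIS AppPool\EssentialsAppPool4'
    'IIS AppPool\EssentialsAdministrationAppPool4'
    'IIS AppPool\VertiGISStudioPrinting'
    'IIS AppPool\VertiGISStudioReporting'
    'IIS AppPool\VertiGISStudioWorkflow'
)

# Clear the "downloaded from the internet" mark before extracting.
Unblock-File -Path $ZipPath
$Staging = Join-Path $env:TEMP 'WebAdaptorExtensions'
Expand-Archive -Path $ZipPath -DestinationPath $Staging -Force

# Create bin under the Web Adaptor folder and copy the assembly into it.
$Bin = Join-Path $AdaptorRoot 'bin'
New-Item -ItemType Directory -Path $Bin -Force | Out-Null
Get-ChildItem -Path $Staging -Filter *.dll -Recurse | Copy-Item -Destination $Bin -Force
Get-ChildItem -Path $Bin -Filter *.dll | Unblock-File

# Create the local group only if it does not exist yet.
if (-not (Get-LocalGroup -Name $GroupName -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $GroupName | Out-Null
}

# Add each identity; absent or already-present identities are reported, not fatal.
foreach ($Member in $Members) {
    try {
        Add-LocalGroupMember -Group $GroupName -Member $Member -ErrorAction Stop
    } catch {
        Write-Warning "$Member : $($_.Exception.Message)"
    }
}

# Review the result: every member has its Windows identity cleared at the Web
# Adaptor, so the list should hold only service (non-login) identities.
Get-LocalGroupMember -Group $GroupName | Select-Object Name, ObjectClass, PrincipalSource
```

The script does not restart anything; the restart step in the list above still has to be carried out afterwards.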