MFA in Portal with Portal-tier authentication (both built-in users and enterprise windows AD users)

02-06-2024 07:56 AM
AndreaB_
Occasional Contributor II

Hello all,

I am setting up a new environment - ArcGIS Enterprise 11.1 with federated server. I am using Portal-tier authentication so we have both Portal built-in users and enterprise Windows AD users (IWA with anonymous access in IIS). Some info on that: https://enterprise.arcgis.com/en/portal/11.1/administer/windows/about-configuring-portal-authenticat...

I am researching forcing MFA in Portal. https://enterprise.arcgis.com/en/portal/latest/administer/windows/configure-security.htm#MULTIFACTOR 

https://www.esri.com/arcgis-blog/products/arcgis-online/administration/configure-multifactor-authent...

If I enable MFA in Portal - does that mean that all of the AD users that sign in like domain\username will have to use MFA? (or does this not affect the domain users?)

We have a website tab that, for its map, uses the ArcGIS Maps SDK for JavaScript. I'm not a website developer so I couldn't tell you exactly how that works. I do know that it uses a username and password to access the Portal to get the map/feature service. There is a domain service account and a Portal built-in account it could use. How would MFA affect this?

Thank you! I appreciate any insight.


Accepted Solutions
ReeseFacendini
Esri Regular Contributor

MFA will only be applied to built-in users, not AD users. If the JavaScript app is directing to Portal for the sign-in function, the MFA code would be required before the sign-in can be completed. There are no extra steps needed on the app side to allow for this.

If MFA needed to be applied to AD users as well, the SAML option for authentication would need to be configured, and then the SAML provider (Azure AD, Okta, ADFS, etc.) can be set up to require MFA every time during the sign-in process.


4 Replies

AndreaB_
Occasional Contributor II

Hi @ReeseFacendini ,

Thank you! The documentation was confusing so thanks for clearing that up.

I also realized that Portal 11.1 only gives the users the option to set up MFA, there is no ability to enforce MFA (force the users). The ability to enforce MFA is only in AGOL at this time. https://www.esri.com/arcgis-blog/products/arcgis-online/administration/configure-multifactor-authent... 

BillFox
MVP Frequent Contributor

Do you plan to use this too?

Use your portal with LDAP or Active Directory and portal-tier authentication

https://enterprise.arcgis.com/en/portal/11.1/administer/windows/use-your-portal-with-ldap-and-portal...

 

AndreaB_
Occasional Contributor II

Hi @BillFox,

Yes, correct. I have configured the portal with Active Directory identity store and enabled anonymous access through the web adaptor in IIS.
