When Portal for ArcGIS is configured to use groups and users managed in Microsoft Active Directory and is in an environment with multiple domains in a single forest, it uses the Active Directory Global Catalog to obtain user and group information from all domains. However, Portal for ArcGIS will be unable to collect this information if it binds to a domain controller that does not also serve as a global catalog. For example, it might only return information about users and groups from the domain where Portal for ArcGIS resides.
If your Active Directory deployment includes multiple domain controllers, but not all domain controllers are configured as global catalog servers, you'll need to manually specify the domain controller or controllers used by Portal for ArcGIS. To do so, follow the steps below.
- Open the ArcGIS Portal Directory and log in as a member with administrative privileges. The URL to the ArcGIS Portal Directory is formatted https://webadaptorhost.domain.com/webadaptorname/portaladmin.
- Click security > config > Update Identity Store.
- On the Update Identity Store page, copy and paste the following text into the User store configuration dialog box:
{
  "type": "WINDOWS",
  "properties": {
    "userPassword": "secret",
    "isPasswordEncrypted": "false",
    "user": "mydomain\\winaccount",
    "userFullnameAttribute": "cn",
    "userEmailAttribute": "mail",
    "caseSensitive": "false",
    "domainControllerAddress": "[IP Address], [alternate IP Address]",
    "domainControllerMapping": "domain_A.example.com=[IP address], [alternate IP address]; domain_B.example.com=[IP address], [alternate IP address]"
  }
}
Optionally, more than one IP address can be listed for the domainControllerAddress property. If multiple IP addresses are listed, they should be ordered based on priority. Your ArcGIS Enterprise portal will attempt to communicate with the first one listed and will fall back to subsequent ones only if the first one becomes unavailable.
If your Active Directory environment includes multiple domains within a forest and you want to include IP addresses for the domain controllers assigned to each domain, use the domainControllerMapping parameter in both the User store configuration and Group store configuration dialog boxes. Multiple IP addresses can be listed for each domain if desired.
- If the portal will leverage existing enterprise groups, copy and paste the following text into the Group store configuration dialog box:
{
  "type": "WINDOWS",
  "properties": {
    "userPassword": "secret",
    "isPasswordEncrypted": "false",
    "user": "mydomain\\winaccount",
    "domainControllerAddress": "[IP Address], [alternate IP Address]",
    "domainControllerMapping": "domain_A.example.com=[IP address], [alternate IP address]; domain_B.example.com=[IP address], [alternate IP address]"
  }
}
- Update the userPassword and user properties (required), and the domainControllerAddress and domainControllerMapping properties (optional) with the appropriate values.
- Click Update Configuration to save your configuration.
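
A pre-flight check for the store configuration JSON, run before pasting it into the dialog box. This is an added example, not Esri's code: it parses domainControllerAddress and domainControllerMapping in the format shown above, keeps the priority order, and flags template values left unfilled. The function names and the sample values are assumptions, and it assumes every entry is an IP address literal, as the steps describe.

```python
import ipaddress
import json

# Constructed sample; addresses are from the 192.0.2.0/24 documentation range.
SAMPLE = r'''{"type": "WINDOWS", "properties": {
  "userPassword": "example-only", "isPasswordEncrypted": "false",
  "user": "corp\\svc-portal",
  "domainControllerAddress": "192.0.2.10, 192.0.2.11",
  "domainControllerMapping": "domain_A.example.com=192.0.2.10, 192.0.2.11; domain_B.example.com=192.0.2.20"}}'''


def _addresses(raw, where, problems):
    """Split a comma-separated list, keeping order (first entry is tried first)."""
    found = []
    for item in (part.strip() for part in raw.split(",")):
        try:
            found.append(str(ipaddress.ip_address(item)))
        except ValueError:
            # Also catches "[IP Address]" placeholders left in from the template.
            problems.append(f"{where}: {item!r} is not an IP address")
    return found


def check_identity_store(config_text):
    """Return (fallback_order, per_domain_order, problems) for one store config."""
    props = json.loads(config_text)["properties"]
    problems = []
    if props.get("userPassword") in (None, "", "secret"):
        problems.append("userPassword: empty or still the template value")
    if props.get("user") in (None, "", "mydomain\\winaccount"):
        problems.append("user: empty or still the template value")
    fallback = []
    if props.get("domainControllerAddress"):  # optional property
        fallback = _addresses(props["domainControllerAddress"],
                              "domainControllerAddress", problems)
    per_domain = {}
    for entry in props.get("domainControllerMapping", "").split(";"):
        if not entry.strip():
            continue
        domain, sep, raw = entry.partition("=")
        domain = domain.strip().lower()  # DNS names compare case-insensitively
        if not sep or not domain:
            problems.append(f"domainControllerMapping: malformed entry {entry.strip()!r}")
        elif domain in per_domain:
            problems.append(f"domainControllerMapping: {domain} listed twice")
        else:
            per_domain[domain] = _addresses(raw, f"domainControllerMapping[{domain}]", problems)
    return fallback, per_domain, problems
```

Run it against both the User store and Group store configurations; an empty problems list means every listed address parsed and no template value remains.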