python API fails with IWA for federated ArcGIS servers

930
4
08-29-2018 08:35 PM
DamianSlee2
New Contributor II

Hi,

Have found that when using python API with IWA enabled Portal,  the python API works fine with Portal operations, but fails on Server requests due to an issue with generate_token().    a POST request is being sent with &token=None, which is rejected.

REQUEST: https://myportalserver/portal/sharing/rest/generateToken, {'serverURL': 'https://myfederatedarcgiserver/arcgis/admin', 'token': None, 'expiration': '1440', 'f': 'json', 'request': 'getToken', 'referer': 'http'}

RESPONSE: https://myportalserver/portal/sharing/rest/generateToken, {"error":{"code":400,"message":"Unable to generate token.","details":["Unable to generate token for this server"]}}

eg

gis = GIS("https://myportalserver/portal")

print("Logged in as: " + gis.properties.user.username)

#this fails

gis_servers = gis.admin.servers.list()

python api 1.5.0 

Python 3.6.4 with arcgis pip installed from pypi.org

Portal 10.5.1

ArcGIS server 10.5.1 federated with portal

IIS web adapter /portal   (Windows authentication enabled, anonymous disabled)

IIS web adapter /arcgis    (Anonymous enabled)

thanks,

Damian

Tags (2)
0 Kudos
4 Replies
simoxu
by MVP Regular Contributor
MVP Regular Contributor

According to my understanding, If you are using IWA authentication, you will be using so called Web-tier authentication, and this is an alternative authentication method to token-based ArcGIS Server authentication.

Simply put, in your case there are no token involved in authentication. That's why you can connect to your GIS but you can't get token using the following property.

gis._con.token

Anyway, I am no expert on Portal security, please read the following document --- I could be very wrong.

Configuring ArcGIS Server's authentication tier—ArcGIS Server Administration (Windows) | ArcGIS Ente... 

The reason you can't list the federated servers could be that the server settings don't permit admin operations through web adapter, you can talk to the administrator to confirm this. You should be able to work on the content though.

0 Kudos
DamianSlee2
New Contributor II

the use case is Valid.

the Portal and Server installation is valid.  WebAdapter install is valid and allowing admin requests.

the issue is that a "None" token argument is being sent to the portal REST API /generateToken.   It is a invalid request that does not conform to the Portal /generateToken REST API specification.   The error response is correct, it makes no sense to send a token arguement to generateToken, let alone "None".

i have test it in fiddler, removing &token=None,  and the request then succeeds.

0 Kudos
simoxu
by MVP Regular Contributor
MVP Regular Contributor

I agree token should not be used in your case which is IWA authentication.

If Python API generated that REST request, then it seems a small bug of the API itself. I'd suggest you contact ESRI support to confirm it.

0 Kudos
DamianSlee2
New Contributor II

BUG-000116560 Python API bug was created for this issue.

0 Kudos