Unauthorized - FME Web Connection Failure

260
6
Jump to solution
12-10-2020 09:11 AM
AdamRepsher
Regular Contributor

Hi Again @BruceHarold,

I am following your blog post Creating an FME Web Connection for your Enterprise Portal and am running into at least one issue:

LoginError.PNG

...and in the Translation Log, I find this:

Request to update access token failed. HTTP Error: HTTP/1.1 401 Unauthorized - https://myenterpriseportal.org/portal/sharing/rest/oauth2/token 

After I enter in my credentials, I get this window...

Permission.PNG

I have used my login (admin), the login that I want to use (a resource account that is used for the Enterprise admin functionality).  I have tried to enter usernames in 3 different ways - and the above window correctly displays the user name as seen in Portal.

My Portal setup just uses our Active Directory for authentication and I do have the Single Sign-On experience working for our users.  I do not allow anonymous user access and do not allow people to create built-in accounts.  I only assign user seats through Active Directory.

My full setup...:

  • ArcGIS Enterprise (Portal, Server, GeoEvent Server) v10.8.1
  • ArcGIS Pro v2.6.3
  • Data Interoperability v2.6.2
  • FME 2020.0.1.0 (20200407 - Build 20218 - WIN64)

Any thoughts on where to start looking for the issue?

Thanks,
--Adam

Reply
0 Kudos
1 Solution

Accepted Solutions
AdamRepsher
Regular Contributor

After spending a few days with Customer Service, we have found that there is a bug (BUG-000136812) in my specific situation.  I will explain:

My Portal WebAdaptor within IIS is set up with IWA (Windows Authentication) enabled (using Active Directory for accounts and login) AND Anonymous Authentication DISABLED to utilize Single Sign-On.  My customers are not prompted for login.  They are authenticated with the credentials they used to log into their machine/domain on our intranet.

Workarounds:

  1. Enabling Anonymous Authentication on the Portal WebAdaptor.  This is not a solution for me as I want my customers to have the Single Sign-On experience.
  2. Not use the Tools - FME Options - Web Connections for the Portal Connection.  Alternatively:
    1. Manually set up the connection in a Writer (or Reader), using Kerbos Authentication.  (I have not tried this.)
    2. Manually set up the connection in a Writer (or Reader), using NTLM Authentication.  This has worked for me.

The BUG has already been given a status of Not in Current Production Plan since it is an, "Authentication limitation from a third party component."

View solution in original post

Reply
0 Kudos
6 Replies
BruceHarold
Esri Regular Contributor

Adam if you're using FME the best way to get support is via Safe's support channel.

https://community.safe.com/s/support

Chat is very effective as a first step.

Reply
0 Kudos
AdamRepsher
Regular Contributor

i'm using FME via Pro....

Same thing?

Reply
0 Kudos
BruceHarold
Esri Regular Contributor

The Esri product is Data Interoperability extension which lets you make Spatial ETL tools in Pro, the FME product lives outside Pro.  The support channels are separate at the customer level.

Reply
0 Kudos
AdamRepsher
Regular Contributor

I am making a Spatial ETL tool in Pro with the Data Interoperability extension.  Sorry for my confusion.  Do I still go to their support page?

Reply
0 Kudos
BruceHarold
Esri Regular Contributor

No that's us!  If you create a support call with Esri it will be officially handled.

AdamRepsher
Regular Contributor

After spending a few days with Customer Service, we have found that there is a bug (BUG-000136812) in my specific situation.  I will explain:

My Portal WebAdaptor within IIS is set up with IWA (Windows Authentication) enabled (using Active Directory for accounts and login) AND Anonymous Authentication DISABLED to utilize Single Sign-On.  My customers are not prompted for login.  They are authenticated with the credentials they used to log into their machine/domain on our intranet.

Workarounds:

  1. Enabling Anonymous Authentication on the Portal WebAdaptor.  This is not a solution for me as I want my customers to have the Single Sign-On experience.
  2. Not use the Tools - FME Options - Web Connections for the Portal Connection.  Alternatively:
    1. Manually set up the connection in a Writer (or Reader), using Kerbos Authentication.  (I have not tried this.)
    2. Manually set up the connection in a Writer (or Reader), using NTLM Authentication.  This has worked for me.

The BUG has already been given a status of Not in Current Production Plan since it is an, "Authentication limitation from a third party component."

View solution in original post

Reply
0 Kudos