Unauthorized - FME Web Connection Failure

AdamRepsher · ‎12-10-2020

I am following your blog post Creating an FME Web Connection for your Enterprise Portal and am running into at least one issue:

...and in the Translation Log, I find this:

Request to update access token failed. HTTP Error: HTTP/1.1 401 Unauthorized - https://myenterpriseportal.org/portal/sharing/rest/oauth2/token

After I enter in my credentials, I get this window...

I have used my login (admin), the login that I want to use (a resource account that is used for the Enterprise admin functionality). I have tried to enter usernames in 3 different ways - and the above window correctly displays the user name as seen in Portal.

My Portal setup just uses our Active Directory for authentication and I do have the Single Sign-On experience working for our users. I do not allow anonymous user access and do not allow people to create built-in accounts. I only assign user seats through Active Directory.

My full setup...:

ArcGIS Enterprise (Portal, Server, GeoEvent Server) v10.8.1
ArcGIS Pro v2.6.3
Data Interoperability v2.6.2
FME 2020.0.1.0 (20200407 - Build 20218 - WIN64)

Any thoughts on where to start looking for the issue?

Thanks,
--Adam

AdamRepsher · ‎01-25-2021

After spending a few days with Customer Service, we have found that there is a bug (BUG-000136812) in my specific situation. I will explain:

My Portal WebAdaptor within IIS is set up with IWA (Windows Authentication) enabled (using Active Directory for accounts and login) AND Anonymous Authentication DISABLED to utilize Single Sign-On. My customers are not prompted for login. They are authenticated with the credentials they used to log into their machine/domain on our intranet.

Workarounds:

Enabling Anonymous Authentication on the Portal WebAdaptor. This is not a solution for me as I want my customers to have the Single Sign-On experience.
Not use the Tools - FME Options - Web Connections for the Portal Connection. Alternatively:
1. Manually set up the connection in a Writer (or Reader), using Kerbos Authentication. (I have not tried this.)
2. Manually set up the connection in a Writer (or Reader), using NTLM Authentication. This has worked for me.

The BUG has already been given a status of Not in Current Production Plan since it is an, "Authentication limitation from a third party component."

View solution in original post

BruceHarold · ‎12-10-2020

Adam if you're using FME the best way to get support is via Safe's support channel.

https://community.safe.com/s/support

Chat is very effective as a first step.

AdamRepsher · ‎12-10-2020

i'm using FME via Pro....

Same thing?

BruceHarold · ‎12-10-2020

The Esri product is Data Interoperability extension which lets you make Spatial ETL tools in Pro, the FME product lives outside Pro. The support channels are separate at the customer level.

AdamRepsher · ‎12-10-2020

I am making a Spatial ETL tool in Pro with the Data Interoperability extension. Sorry for my confusion. Do I still go to their support page?

BruceHarold · ‎12-10-2020

No that's us! If you create a support call with Esri it will be officially handled.

AdamRepsher · ‎01-25-2021

After spending a few days with Customer Service, we have found that there is a bug (BUG-000136812) in my specific situation. I will explain:

My Portal WebAdaptor within IIS is set up with IWA (Windows Authentication) enabled (using Active Directory for accounts and login) AND Anonymous Authentication DISABLED to utilize Single Sign-On. My customers are not prompted for login. They are authenticated with the credentials they used to log into their machine/domain on our intranet.

Workarounds:

Enabling Anonymous Authentication on the Portal WebAdaptor. This is not a solution for me as I want my customers to have the Single Sign-On experience.
Not use the Tools - FME Options - Web Connections for the Portal Connection. Alternatively:
1. Manually set up the connection in a Writer (or Reader), using Kerbos Authentication. (I have not tried this.)
2. Manually set up the connection in a Writer (or Reader), using NTLM Authentication. This has worked for me.

The BUG has already been given a status of Not in Current Production Plan since it is an, "Authentication limitation from a third party component."

JonEmch · ‎04-01-2021

Moved:

Question has been moved to the ArcGIS Enterprise space.

GISOfficer · ‎12-11-2022

Using NLTM authentication in the writer to create the connection (2b) worked for me. Despite being an admin and signed in via IWA I could not successfully authorise the web service method, likely due to our IIS settings or something in that space. Anyway, thanks Adam for the pointer. I am currently on FME 2022.1.1.0 build 22623 (full application, not interop) and ArcGIS Enterprise 10.8.1.

LachlanWainwright · ‎01-24-2024

Hi

I am experiencing the same issue where IWA is enabled and anon disabled.

A potential workaround is the bypass the Web Adaptor and shoot straight to the portal server via port 7443

e.g. https://FQDN:7443/arcgis

If the portal server Fully Qualified Domain Name is myserver.domain.com, then

https://myserver.domain.com:7443/arcgis

make sure you swap out the default /portal in the fme dialog for the /arcgis

If you are running a HA portal environment then just hope the server you select is always up......

hope this helps 🙂