ArcGIS Enterprise HA Portal configured to use IWA having issues loading Organization/Settings

1146
6
Jump to solution
08-01-2022 09:54 AM
Labels (2)
BanchanaPandey
New Contributor III

We have ArcGIS Enterprise Portal 10.9.1 with HA environment configured with IWA.

I have also an esri case open for this issue. We have configured the app pool for the portal web adaptors according to the guidelines here How To: Configure Integrated Windows Authentication with a highly-available portal (esri.com)

We only have one external load balancer fronting the two web adaptor machines and the admin access through web adaptors are enabled true for that reason. The portals and federated arcgis servers have instances in the two web adaptor machines.

Everything seems to be working fine, except for when we disable the anonymous access to the portal web adaptor instances in the web adaptor machines, the Settings page under the Organization/Settings will not load at all. It seems like it is not able to communicate to the federated servers when anonymous is disabled.

Other tabs like Members, Licenses, Status, they load without any issue.

We have provided fiddler saz file, screen shot of error and logs to esri support already.

Thanks!

 

0 Kudos
2 Solutions

Accepted Solutions
JonathanQuinn
Esri Notable Contributor

What does the HTTP traffic look like when you load the Organization tab? Anything outstanding in the JSON responses?

Another thing to validate is whether all internal URLs are not going through a network path that would receive a 401 challenge. For example, this would be the privatePortalURL property or the Admin URL used by federated servers. These URLs can't be configured to return a 401 challenge. If your WebContextURL in Portal is set to the same property as the privatePortalURL, or the services URL used in federation is using IWA as well and matches the admin URL, you'll run into problems. You'll have to use separate URLs for internal communication. 

https://enterprise.arcgis.com/en/portal/latest/administer/windows/ha-scenarios-web-gis.htm

View solution in original post

BanchanaPandey
New Contributor III

May be this will help someone- we have finally resolved our issue by setting up another VIP to handle the backend (administrative, machine to machine) communication. After that, everything seemed to be working as normal. 

 

 

View solution in original post

0 Kudos
6 Replies
JonathanQuinn
Esri Notable Contributor

What does the HTTP traffic look like when you load the Organization tab? Anything outstanding in the JSON responses?

Another thing to validate is whether all internal URLs are not going through a network path that would receive a 401 challenge. For example, this would be the privatePortalURL property or the Admin URL used by federated servers. These URLs can't be configured to return a 401 challenge. If your WebContextURL in Portal is set to the same property as the privatePortalURL, or the services URL used in federation is using IWA as well and matches the admin URL, you'll run into problems. You'll have to use separate URLs for internal communication. 

https://enterprise.arcgis.com/en/portal/latest/administer/windows/ha-scenarios-web-gis.htm

BanchanaPandey
New Contributor III

Thanks Jonathan! I will send you the details privately in the message.

0 Kudos
BanchanaPandey
New Contributor III

May be this will help someone- we have finally resolved our issue by setting up another VIP to handle the backend (administrative, machine to machine) communication. After that, everything seemed to be working as normal. 

 

 

0 Kudos
LachlanWainwright
New Contributor II

Hi @JonathanQuinn 

We are getting the same issue with a non-ha 10.9.1 environment on AZURE that we just built with powershell dsc (no errors returned with the install, all prefect, love DSC!!).

3-machines: m1 Portal & portal/server wa's; m2 Server and m3 datastore.

Instead of a LB we are using a DNS entry for prettyname.com and both the webcontexturl and privateportalurl use this (automatically setup by dsc as we set the externalloadbalancer tag to prettname.com for both portal and server blocks.

When we turn on IWA via IIS the settings the same as above happens, cannot get to settings and when we try to connect to AGS manager we are prompted for siteadmin uname/pw.

We have a dev setup in the same way but was done manually and the privalportalurl is not set.  Switching on IWA works perfectly. I also noticed that federation uses 7443 on this setup whereas the DSC has the prettyname.com.

Any ideas on what we can check/do?

Thanks

Lachlan W

0 Kudos
LachlanWainwright
New Contributor II

Hi

I also posted this on the poweshell dsc github and Cameron  gave us instructions on what to do in our case.

2 simple steps, un-federate the AGS site and add the InternalLoadBalancer setting to the config file and run.

We now have a access to Organization, Settings

Thanks DSC crew and Jonathan

BillFox
MVP Frequent Contributor

@JonathanQuinn, does this note no longer apply after 10.7? https://enterprise.arcgis.com/en/web-adaptor/10.7/install/iis/use-integrated-windows-authentication-...

Note:

If you'll be adding an ArcGIS Server site to your portal and want to use web-tier authentication with the site, you'll need to disable web-tier authentication (basic or digest) and enable anonymous access on the ArcGIS Web Adaptor configured with your site before adding it to the portal. Although it may sound counterintuitive, this is necessary so that your site is free to federate with the portal and read the portal's users and roles. If your ArcGIS Server site is not already using web-tier authentication, no action is required on your part. For instructions on how to add a server to your portal, see Federate an ArcGIS Server site with your portal.

0 Kudos