Changed federation from internal to WebAdaptor url, now have permissions problems

11-13-2019 11:32 AM
New Contributor III

A recent bug fix from my team resulted in our hosting server being refederated using the WA URL instead of the internal URL that it was previously using. Now all our hosted feature layers give us permission problems.

First, an admin user can still load these hosted layers. Other users receive the following error, even if the layer is shared to everyone:

error: {code: 403, subcode: 2,…}
   code: 403
   details: []
   message: "User does not have permissions to access 'hosted/some_layer.mapserver'."
   subcode: 2

I'm assuming the token still contains the other URL, so the token is invalid on the layer regardless of the layer's share status. Looking for ways to move forward with the current setup, but considering undoing the federation and returning to the start state. Just not sure if it'll fix anything.

ArcGIS Enterprise 10.6.1

0 Kudos
2 Replies
New Contributor III

Update: it appears that there are duplicate items for each of the hosted feature services. The original is owned by the correct owner, and a new item with the same name is owned by the admin user. I tried deleting one of these second items and the original is now corrupt, so I assume they're sharing a back end. What are my options here?

I assume that re-federating pulled all the services in again but didn't match the owner (as that's maintained by the portal), so everything went haywire. 

0 Kudos
Occasional Contributor

What I've learned so far (the hard way) when migrating portal from one version to another to different machine names: NEVER EVER do unfederate and federate the server!!!! This is really evil and you will have to fix all your portal items through the internal PostgreSQL database.

If you read the documentation carefully (which I did not), Federate an ArcGIS Server site with your portal—Portal for ArcGIS (10.8) | Documentation for ArcGIS ... you will find this one here:

Services that exist on the ArcGIS Server site at the time of federation are automatically added to the portal as items. These items are owned by the portal administrator who performs federation. After federation, the portal administrator can reassign ownership of these items to existing portal members as desired. Any subsequent items you publish to the federated server are automatically added as items on the portal and are owned by the user who publishes them.

This is the evil part of the unfederate / federate approach.

0 Kudos
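A read-only audit for the situation described in this thread, added here as an example and not code from any of the posters or from Esri: it groups portal items by service path, ignoring the host and web-adaptor prefix that changed at re-federation, and reports services that now have both an original item and a copy owned by the federating administrator. The item list, host names, item ids and the `portaladmin` account are constructed; the field names (`id`, `owner`, `access`, `url`) are assumed to match an item inventory exported from the portal.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample inventory (not real data); one dict per portal item.
ITEMS = [
    {"id": "item-001", "owner": "gis_editor", "access": "public",
     "url": "https://gisserver.internal.example:6443/arcgis/rest/services/Hosted/some_layer/FeatureServer"},
    {"id": "item-002", "owner": "portaladmin", "access": "private",
     "url": "https://maps.example.com/server/rest/services/Hosted/some_layer/FeatureServer"},
    {"id": "item-003", "owner": "gis_editor", "access": "org",
     "url": "https://gisserver.internal.example:6443/arcgis/rest/services/Hosted/parcels/FeatureServer"},
    {"id": "item-004", "owner": "portaladmin", "access": "private",
     "url": "https://maps.example.com/server/rest/services/Hosted/roads/FeatureServer"},
]

def service_key(url):
    """Return the service path after /rest/services/, lower-cased, or None.

    Host, port and web-adaptor name are dropped so that the internal URL and
    the Web Adaptor URL of the same service compare equal.
    """
    path = urlparse(url).path
    marker = "/rest/services/"
    idx = path.lower().find(marker)
    if idx < 0:
        return None
    return path[idx + len(marker):].strip("/").lower()

def audit(items, federating_admin):
    """Classify services by who owns the portal items that point at them."""
    groups = defaultdict(list)
    for item in items:
        key = service_key(item.get("url") or "")
        if key:
            groups[key].append(item)
    report = {"duplicate": {}, "admin_only": {}}
    for key, group in groups.items():
        admin_ids = sorted(i["id"] for i in group if i["owner"] == federating_admin)
        other_ids = sorted(i["id"] for i in group if i["owner"] != federating_admin)
        if admin_ids and other_ids:    # original item plus an admin-owned copy
            report["duplicate"][key] = {"original": other_ids, "admin_copy": admin_ids}
        elif admin_ids:                # only the admin-owned item exists
            report["admin_only"][key] = admin_ids
    return report

if __name__ == "__main__":
    for kind, found in audit(ITEMS, "portaladmin").items():
        for key, ids in found.items():
            print(kind, key, ids)
```

The script only reports; the update above describes the original item becoming corrupt after one of the admin-owned duplicates was deleted, so the output is a list to review, not a deletion list.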