Does a certified SSL certificate need to be assigned to both IIS and Portal if the Web Adaptor and Portal are on the same machine?

03-15-2016 03:25 PM
DennisGeasan
Occasional Contributor II

On one machine I have AGS installed and the Web Adaptor running under IIS.  On a separate machine I have Web Adaptor/IIS and Portal installed.  On both machines a domain certified SSL certificate is assigned to the "Default Site" of IIS.   The Web Adaptor virtual folder resides under the "Default Site". The AGS install has been assigned as a federated server and the database host for the Portal machine.

Is it necessary in this setup to also import the domain certified certificates to AGS and Portal?

There are plenty of warnings in the install docs about the importance of assigning the certified certificates to AGS and Portal, but I'm just wondering if it matters when the Web Adaptor and server are on the same machine.

When I connect to the portal or AGS, the IE and Chrome browsers see the URLs as trusted locations.  And I am able to publish feature layers to the portal and use those layers in portal web maps.

BTW:  I had to use Microsoft Edge to enter this question.  "Ask a Question" doesn't work with Chrome or Firefox.

0 Kudos
3 Replies
JayantaPoddar
MVP Esteemed Contributor

Once configured, you could access the server and portal through web adaptors (which are dependent on IIS in your case). Since domain-certified SSL has been configured with IIS in both the boxes containing the web-adaptors for Server and Portal, there is no need for any more activity regarding SSL assignment.

Here SSL is configured with IIS only.



Think Location
0 Kudos
DennisGeasan
Occasional Contributor II

Hello Jayanta,

Would this also be true if on a standalone machine a separate Web Adaptor is installed for ArcGIS Server and Portal?  In IIS there would be two virtual directories, one I would name 'server' that points to ArcGIS Server and a second named "Portal" pointing to ArcGIS Portal.  The trusted certificate would be assigned to the "Default Site" in IIS.  Thanks.  DG

0 Kudos
PaulDavidson1
Regular Contributor

When you install your WA for the server and portal you'll tell it to use SSL.  It should then find your cert and set things up correctly:

About ArcGIS Web Adaptor—Installation Guides (10.4) | ArcGIS for Server

FYI....  I've done a portal setup with hosting server and datastore by hand and by using the Esri Chef Cookbook.

Originally I was convinced we'd need individual machines for each component.

I've since been convinced that an all-in-one box is the way to go.  At least for now. We're in a very nice NetApp/vSphere environment so we can easily add resources on the fly if we find we're underpowered.  We might someday have to separate out the DataStore to its own VM but so far not.

Once I started using Chef, I haven't looked back.  However, I would say that a full install by hand is a good learning process so you understand the pieces and how they fit together.  But Chef is the way to go as far as I'm concerned.

Note that I had to modify the SSL setting in IIS for the Portal site in order to allow clients to log into Portal.  They were getting 403 Errors until I did the following:

Originally the SSL setting on the Portal WA (in IIS) was set to Accept Client certificates.

I had to change it to Ignore Client certificates.

This was probably because this was a Development Portal and the other two users were developers who had self-signed certificates that they would pass back to Portal that Portal would then reject.  If they installed the domain cert, then all was well, but we don't want to have to push the domain cert to all of our users.  "Ignore client certs" just means the server will pass the cert to the client and the client will then verify its validity and they'll handshake and make up and go on their merry way.

At least, that's been my experience.

I did just notice that the SSL setting of my server WA (and the default site) still has "accept client certs" selected.  But our users are coming in via Portal so not sure that setting matters.

Good luck

0 Kudos
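The two IIS settings this thread turns on, the certificate bound to the site's HTTPS binding and the Accept/Ignore client-certificate option on each Web Adaptor application, can be read back with a short read-only audit. This is an added example, not code from any poster or from Esri; the site name `Default Web Site` and the application names `server` and `portal` are assumptions to replace with your own.

```powershell
# Added example: read-only audit of the IIS TLS settings discussed in this thread.
# Assumptions: site 'Default Web Site'; Web Adaptor applications 'server' and 'portal'.
Import-Module WebAdministration

$site = 'Default Web Site'
$apps = 'server', 'portal'

function Get-ClientCertMode {
    param([Parameter(Mandatory)][string]$Location)
    $raw = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location $Location -Filter 'system.webServer/security/access' -Name 'sslFlags'
    # Depending on the module version this is a string or an attribute object.
    if ($raw -isnot [string]) { $raw = [string]$raw.Value }
    $flags = @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    # Map the sslFlags values onto the three options shown in IIS Manager.
    $mode = 'Ignore'
    if ($flags -contains 'SslNegotiateCert') { $mode = 'Accept' }
    if ($flags -contains 'SslRequireCert')   { $mode = 'Require' }
    [pscustomobject]@{
        Location    = $Location
        RequireSsl  = ($flags -contains 'Ssl')
        ClientCerts = $mode
    }
}

function Get-HttpsBindingCert {
    # Resolve the certificate behind each port 443 binding and flag self-signed ones.
    Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq 443 } | ForEach-Object {
        $cert = Get-Item "Cert:\LocalMachine\$($_.Store)\$($_.Thumbprint)"
        [pscustomobject]@{
            Port       = $_.Port
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            SelfSigned = ($cert.Subject -eq $cert.Issuer)
            NotAfter   = $cert.NotAfter
        }
    }
}

Get-HttpsBindingCert | Format-List

# Check the site itself plus each Web Adaptor application under it.
$locations = @($site) + ($apps | ForEach-Object { "$site/$_" })
$locations | ForEach-Object { Get-ClientCertMode -Location $_ } | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the IIS machine; a `ClientCerts` value of `Accept` on the portal application is the setting the last reply changed to `Ignore`.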