Invalid token when opening content in Portal

LarissaDrysdale · ‎08-21-2025

After the update to ArcGIS Enterprise 11.5 we have problems with invalid tokens. When loading a webmap no data is shown and in the browser DevTools network tab we see an endless stream of requests.

We hoped that this would be solved with the 11.5 Web Applications Patch. We installed is as soon at it came out. It seemed to solve the issue for a week or two.
But since august 19th suddenly similar problems came back. We did not change anything in the configuration. But this time we did not receive chunk errors. But we have an endless stream of requests (a repetition of generatetoken request followed by a featureserver or mapserver request) the mapserver request shows the error 'Invalid Token'.
And we also discovered that we can not login to server manager (/arcgis/manager) via the webadaptor, only direct via the port number :6443/arcgis/manager.

This is what we analyzed about the requests generated:

The token generated by portal/sharing/rest/generatetoken is used to go to an arcgis/rest/server service, f.e. arcgis/rest/server/FeatureServer
The respons of the FeatureServer request is that the just generated token is invalid.
Do these two endpoints use the same sharedKey to eigther generate the token or check if it is valid?
If so, where can I find the sharedkey each of the endpoints is using? Although it seems strange that this key is changed overnight
If not what could then be the problem?

What we already tried:

- Turning off SNI, which binds :443 to 0.0.0.0 instead of the domain name. --> no change, turned it back on again
- Tried again the prelimanary fix for the 11.5 upgrade cache issues (https://community.esri.com/t5/arcgis-enterprise-portal-questions/content-failing-to-load-completely/... --> no change, turned it back again
- Reinstalled the Portal for ArcGIS 11.5 Web Applications Patch + cleared browser caches
- Updating the sharedkey of portal and re-registered the webadaptors.
- Manually, with postman, performed the generatetoken request and the request to the arcgis/rest/server/FeatureServer endpoint with the received token --> also returned the Invalid token error
- Reinstall Portal.

Does anyone recognise this behaviour and more important; did anyone find a solution?

valenj88

Did you ever start a ticket with this issue? Not using tokens on my end, but authentication seems to have gone haywire.

It seems to be something wrong with the AD/LDAP/Web adapter/Portal authentication stack. We haven't changed any settings on our end but are being prompted to login because portal cannot seem to authenticate through the machine's AD like it did on 11.3. And as admin, I'm getting prompted whenever I try to view the administrator directory, Server manager, etc.

wf_sbakker

Hi, I'll answer instead of @LarissaDrysdale because she has a few days off. Yes, we have reached out to ESRI support and have a meeting scheduled for next week to further investigate (and hopefully solve) the issue.

We are able to log in to Portal without any problems. However, when attempting to access a service on the federated server, the authentication fails somehow. The system prompts for a new token, which is then rejected as invalid. We also found that when we break federation, we cannot refederate.

CarstenHogertz

Hello everyone, Hello @wf_sbakker @LarissaDrysdale we have a similar problem.
Was ESRI Support able to help you?

LarissaDrysdale

Hi @CarstenHogertz ,

Saddly ESRI support could not help us. We went over every configuration part. Aim was to get the machine names in portaladmin/machines and admin/machines to the FQDN name of the server. We managed to get there but it did not resolve our problem.

We had to go back to a backup from a moment before the issue started.