Login problem with REST API in Enterprise environment /Portal

2686
10
Jump to solution
02-19-2020 08:02 AM
NirmalOjha
New Contributor II

Hello,

For some time now, I have been unable to login using REST API nor I am able to generate token. It used to be working but now it is not working. No configuration has been changed. I used the following URL pattern for generating the token but I get response as invalid username or password:

https://webadaptor.domain.com/arcgis/sharing/rest/generateToken 

Response:

{"error": {  "code": 400,  "message": "Unable to generate token.",  "details": [   "Invalid username or password.",   "Invalid username or password."  ] }}
The only user account that works with the above URL and REST API is the default admin account, any other account results in 
Invalid username or password.
I can login to the portal fine with the browser https://webadaptor.domain.com/arcgis and it allows me to login using enterprise login. Thanks. Nirmal
1 Solution

Accepted Solutions
WilliamCraft
MVP Regular Contributor

I'm wondering if there is a service account in play somewhere that may be locked.  You said you're using SAML but then you also said the answer to question #4 originally was "shows Windows".  Typically, it would show Windows in the Portal Admin's security/config section if you were using IWA.  If your Portal is in fact configured to use Windows as its user and/or groups store, then you would likely be using a service account to authenticate with active directory in order to perform user and group lookups.  That account may be locked.  Other than that, I recommend checking with Esri support on anything further.  

View solution in original post

10 Replies
WilliamCraft
MVP Regular Contributor

A few questions...

  1. What version of the software are you using?
  2. Is there Federation between ArcGIS Server and Portal?
  3. For enterprise users, are you using SAML integration, LDAP, or IWA?
  4. What are the current authentication settings for your Portal and ArcGIS Server web adaptors?  (anonymous vs Windows)
  5. Are you able to log into ArcGIS Server Admin using non-PSA accounts?
0 Kudos
NirmalOjha
New Contributor II

Here are the answers:

1) I am running ArcGIS 10.7.1 (Portal, Server, Datastore, Webadaptor)

2) The ArcGIS Server is federated to use Portal.

3) SAML Integration

4) https://webadaptor.domain.com/arcgis/portaladmin/security/config  shows Windows

5) I am able to login to the ArcGIS Server Admin (https://webadaptor.domain.com/server/manager/ ) using my enterprise account which is non-PSA account.

Thank you.

Nirmal

0 Kudos
WilliamCraft
MVP Regular Contributor

Thank you.  For question #4, I'm talking specifically about the configuration within IIS.  How are both of your web adaptors (Portal and Server) configured in terms of anonymous and Windows authentication?  

0 Kudos
NirmalOjha
New Contributor II

Thank you for explaining what you asked and I did not understand.

I checked on the IIS and Authentication. I see that for Portal only Anonymous Authentication is enabled, and all others are disabled. For Server, both Anonymous and Windows Authentication is enabled. For Windows Authentication, the response type is "HTTP 401 Challenge".

Nirmal

0 Kudos
WilliamCraft
MVP Regular Contributor

Can you tell me the name of your web adaptors?  Is the web adaptor for Portal named 'arcgis'?  If so, what is the name of your ArcGIS Server web adaptor?  I'm just wanting to understand the URL scheme you've mentioned earlier in terms of what is working versus not.  

0 Kudos
NirmalOjha
New Contributor II
0 Kudos
WilliamCraft
MVP Regular Contributor

When attempting to generate a token using an enterprise account (which I believe you said does not work currently), are you specifying the domain in conjunction with the username?  For example, username@domain.net.  

0 Kudos
NirmalOjha
New Contributor II

Yes, I am specifying the domain like your example. It was working in the past, but suddenly it stopped working. Nothing changed in configuration/settings. I compared config/settings with another server/portal (where I can successfully generate token) and everything are identical.

0 Kudos
WilliamCraft
MVP Regular Contributor

I'm wondering if there is a service account in play somewhere that may be locked.  You said you're using SAML but then you also said the answer to question #4 originally was "shows Windows".  Typically, it would show Windows in the Portal Admin's security/config section if you were using IWA.  If your Portal is in fact configured to use Windows as its user and/or groups store, then you would likely be using a service account to authenticate with active directory in order to perform user and group lookups.  That account may be locked.  Other than that, I recommend checking with Esri support on anything further.