Hello,
For some time now, I have been unable to login using REST API nor I am able to generate token. It used to be working but now it is not working. No configuration has been changed. I used the following URL pattern for generating the token but I get response as invalid username or password:
https://webadaptor.domain.com/arcgis/sharing/rest/generateToken
Response:
{"error": { "code": 400, "message": "Unable to generate token.", "details": [ "Invalid username or password.", "Invalid username or password." ] }}
The only user account that works with the above URL and REST API is the default admin account, any other account results inInvalid username or password.I can login to the portal fine with the browser https://webadaptor.domain.com/arcgis and it allows me to login using enterprise login. Thanks. Nirmal
Solved! Go to Solution.
I'm wondering if there is a service account in play somewhere that may be locked. You said you're using SAML but then you also said the answer to question #4 originally was "shows Windows". Typically, it would show Windows in the Portal Admin's security/config section if you were using IWA. If your Portal is in fact configured to use Windows as its user and/or groups store, then you would likely be using a service account to authenticate with active directory in order to perform user and group lookups. That account may be locked. Other than that, I recommend checking with Esri support on anything further.
A few questions...
Here are the answers:
1) I am running ArcGIS 10.7.1 (Portal, Server, Datastore, Webadaptor)
2) The ArcGIS Server is federated to use Portal.
3) SAML Integration
4) https://webadaptor.domain.com/arcgis/portaladmin/security/config shows Windows
5) I am able to login to the ArcGIS Server Admin (https://webadaptor.domain.com/server/manager/ ) using my enterprise account which is non-PSA account.
Thank you.
Nirmal
Thank you. For question #4, I'm talking specifically about the configuration within IIS. How are both of your web adaptors (Portal and Server) configured in terms of anonymous and Windows authentication?
Thank you for explaining what you asked and I did not understand.
I checked on the IIS and Authentication. I see that for Portal only Anonymous Authentication is enabled, and all others are disabled. For Server, both Anonymous and Windows Authentication is enabled. For Windows Authentication, the response type is "HTTP 401 Challenge".
Nirmal
Can you tell me the name of your web adaptors? Is the web adaptor for Portal named 'arcgis'? If so, what is the name of your ArcGIS Server web adaptor? I'm just wanting to understand the URL scheme you've mentioned earlier in terms of what is working versus not.
For Portal:
https://webadaptor.domain.com/arcgis/
For GIS Server:
https://webadaptor.domain.com/server/
Thanks.
When attempting to generate a token using an enterprise account (which I believe you said does not work currently), are you specifying the domain in conjunction with the username? For example, username@domain.net.
Yes, I am specifying the domain like your example. It was working in the past, but suddenly it stopped working. Nothing changed in configuration/settings. I compared config/settings with another server/portal (where I can successfully generate token) and everything are identical.
I'm wondering if there is a service account in play somewhere that may be locked. You said you're using SAML but then you also said the answer to question #4 originally was "shows Windows". Typically, it would show Windows in the Portal Admin's security/config section if you were using IWA. If your Portal is in fact configured to use Windows as its user and/or groups store, then you would likely be using a service account to authenticate with active directory in order to perform user and group lookups. That account may be locked. Other than that, I recommend checking with Esri support on anything further.