
Portal for ArcGIS locks the main admin account?!?

10-28-2024 02:25 AM
JoëlHempenius3
Frequent Contributor

A few months back, I upgraded my Portal to 11.3. We have an account policy that all built-in users should change their password every 90 days, which also applies to the main administrative account.

Now, after 90 days, my main admin account frequently gets locked due to bad login credentials. The Portal for ArcGIS logs tell me this happens every 15 minutes and it tries 5 times, so I get 20 bad login attempts every hour.

Normally this is user error and you still have some automated process with the old credentials. I checked everything but couldn't find it (we're using Azure Keyvault as our centralized credential storage and all scripts should get it from there, but this doesn't rule out that there is still some script or process out there).

The installation of ArcGIS Enterprise is split over 4 machines: 1 for Portal, 1 for ArcGIS Server, 1 for the datastore and 1 for the Webadaptors and other custom webapps. I did some extensive research in my IIS logs and could not find the bad logins in the IIS requests; this raised the question whether these bad logins were coming from outside ArcGIS Enterprise.

To get a definitive answer to this: I blocked port 7443 and 7080 on the Portal for ArcGIS Server Windows Firewall. And still I would get these bad sign ins, so it looks like the bad sign ins are coming from the server where Portal is installed. There is no other software running on this machine, or scheduled tasks or scripts. So I assume it is the portal process itself which is doing the bad sign ins. Could this really be?

Has anybody had the same experience? Any solutions?

 

-Joël Hempenius.

Languages: JavaScript, Python and Dunglish
MarcusAndersson
Regular Contributor

We have something similar going on so following this with interest.
Have you looked at the AGOL-connected account under Settings --> ArcGIS online in Portal? This seems to generate some errors in our case but it shouldn't be connected to the issues you're seeing I guess.

TimoT
Frequent Contributor

Hi @JoëlHempenius3 

I suggest running further tests to isolate the root cause of sign in.

  1. Try turning off all other machines (or ArcGIS Enterprise services if single-machine deployment) except the Portal and see if the login attempts stop. If they do, gradually re-enable to pinpoint the source. Don't forget about ArcGIS Monitor if you have it deployed - ensure your connection credentials are up to date.
  2. Do you have any items with embedded PSA credentials?
JoëlHempenius3
Frequent Contributor

I more or less achieved the same thing with my firewall rules: I blocked incoming ports 7080 and 7443 on the Windows firewall, which disabled all incoming communication from the webadapter machine, the ArcGIS Server and the datastore. And because the webadapter was blocked, any item with embedded credentials was also blocked. I always use a very limited account when I do the embedded credentials, because with things like this, blocking a limited account is not an issue, but saving your PSA credentials elsewhere in a system which isn't designed to store credentials is a security risk and must be avoided. The only locations where PSA credentials can be saved are our password manager and Azure Keyvault.

-Joël Hempenius.

Languages: JavaScript, Python and Dunglish
GisDevelop
New Contributor

Depending on your enterprise setup, if you have applications like Web AppBuilder running on a server independent of your portal server, you should check the layers added during the application setup to ensure they are using secure connections.

For example, I encountered this issue when hosting a Web AppBuilder application under IIS on a different server while using layers configured in the portal. You may also check for similar configurations to troubleshoot the problem.

LHo
Regular Contributor

Hi Joël

I had an issue where a newly created built-in admin account kept having its credentials change after a couple of hours. I set up a canary-type script to try to log in every minute, and sure enough, after 30-odd minutes to 2 hrs it'd start failing.

We checked the index status and the users count was one off. We did also create another tmp admin account to fix the other one, which might explain the number difference, but it also indicated the indexing was not updating. So we ran the reindexer in portaladmin\system\indexer and it fixed our issue. 

JoëlHempenius3
Frequent Contributor

Thank you for your comment on reindexing. I checked my own index and it was out of sync on the items, but not on the users. Just to be sure I did a full reindex.

Now to the interesting part: when I reviewed the log files I couldn't see the sign-ins from the built-in user every 15 minutes. But they were not there for some time. I analysed the old log files and the weird login behavior stopped before March 24, which happens to be the same day I also installed the Portal for ArcGIS 11.3 Security 2025 Update 1 patch. So it looks like patching my portal might have solved the issue.
I'll dig into this issue again in the coming days; if something interesting pops up I'll update it here.

Update: a little more digging, and the issue was solved with the ArcGIS Server 11.3 Security 2025 Update 1 Patch. I checked multiple systems which were patched on different days and the logins stopped when I installed the Patch. ArcGIS Server is installed on a different machine. I use ArcGIS PowerShell DSC to patch my ArcGIS Enterprise installations fully automated, and the Portal will get touched in this process as well.

Right now, I've changed one of the passwords and I will test if this account won't lock again. 

-Joël Hempenius.

Languages: JavaScript, Python and Dunglish
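
An added example, not part of any post in this thread and not Esri code: a small Python log check that groups failed sign-ins for one account into bursts and reports the burst size, the interval between bursts, and the last time the pattern was seen, which is the kind of review described above for confirming the "5 tries every 15 minutes" pattern and the date it stopped. The log line layout, the account names and the sample data are assumptions constructed for illustration; real Portal for ArcGIS logs use a different layout, so `LINE_RE` has to be adapted.

```python
import re
from datetime import datetime, timedelta
from statistics import median

# Hypothetical simplified layout: "<ISO timestamp> <LEVEL> <message>".
# Real Portal for ArcGIS logs look different; adapt LINE_RE to your files.
LINE_RE = re.compile(r"^(\S+) WARNING Failed login for user '([^']+)'")

def parse_failures(lines, user):
    """Return the sorted timestamps of failed logins for one account."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group(2) == user:
            hits.append(datetime.fromisoformat(m.group(1)))
    return sorted(hits)

def group_bursts(times, gap=timedelta(seconds=60)):
    """Group attempts that follow each other within `gap` into bursts."""
    bursts = []
    for t in times:
        if bursts and t - bursts[-1][-1] < gap:
            bursts[-1].append(t)
        else:
            bursts.append([t])
    return bursts

def summarize(lines, user):
    """Describe the failed-login rhythm for `user`, or None if no failures."""
    bursts = group_bursts(parse_failures(lines, user))
    if not bursts:
        return None
    starts = [b[0] for b in bursts]
    gaps = [(b - a).total_seconds() / 60 for a, b in zip(starts, starts[1:])]
    return {
        "bursts": len(bursts),
        "attempts_per_burst": median(len(b) for b in bursts),
        "interval_minutes": median(gaps) if gaps else None,
        "last_seen": bursts[-1][-1],  # compare with patch or password-change dates
    }

# Constructed sample: 4 bursts of 5 failures, 15 minutes apart, plus noise.
_t0 = datetime(2025, 1, 6, 8, 0, 0)
SAMPLE = [
    f"{(_t0 + timedelta(minutes=15 * b, seconds=2 * i)).isoformat()} "
    "WARNING Failed login for user 'portaladmin'"
    for b in range(4) for i in range(5)
] + ["2025-01-06T08:20:00 WARNING Failed login for user 'jdoe'",
     "2025-01-06T08:21:00 INFO Item updated"]

if __name__ == "__main__":
    print(summarize(SAMPLE, "portaladmin"))
```

A fixed interval with a fixed attempt count points at an automated client rather than a person, and `last_seen` gives the date to line up against changes such as a patch installation.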