Portal for ArcGIS locks the main admin account?!?

JoëlHempenius3 · ‎10-28-2024

A few months back, I did upgrade my Portal to 11.3. We have an account policy that all build-in users should change their password every 90 days, which also applies to the main administrative account.

Now after 90 days I get my main admin account frequently locked due to bad login credentials. The Portal for ArcGIS logs tell me this happens every 15 minutes and it tries it 5 times, so I get 20 bad log in attempts every hour.

Normally this is user error and you still have some automated process with the old credentials. I checked everything, but couldn't find it (where using Azure Keyvault as our centralized credential storage and all scripts should get it there, but this doesn't rule out there is still some script or process out there.

The installation of ArcGIS Enterprise is split over 4 machines, 1 for Portal, 1 for ArcGIS Server, 1 for the datastore and 1 for the Webadaptors and other custom webapps. I did some extensive research in my IIS logs and could not find the bad logins from the IIS request, this raised the question whether these bad logins where coming from outside ArcGIS Enterprise.

To get a definitive answer to this: I blocked port 7443 and 7080 on the Portal for ArcGIS Server Windows Firewall. And still I would get these bad sign ins, so it looks like the bad sign ins are coming from the server where Portal is installed. There is no other software running on this machine, or scheduled tasks or scripts. So I assume it is the portal process itself which is doing the bad sign ins. Could this really be?

Has somebody the same experience? Any solutions?

-Joël Hempenius.

Languages: JavaScript, Python and Dunglish

MarcusAndersson · ‎11-06-2024

We have something similar going on so following this with interest.
Have you looked at the AGOL-connected account under Settings --> ArcGIS online in Portal? This seems to generate some errors in our case but it shouldn't be connected to the issues you're seeing I guess.

TimoT · ‎11-06-2024

Hi @JoëlHempenius3

I suggest running further tests to isolate the root cause of sign in.

Try turning off all other machines (or ArcGIS Enterprise services if single-machine deployment) except the Portal and see if the login attempts stop. If they do, gradually re-enable to pinpoint the source. Don't forget about ArcGIS Monitor if you have it deployed - ensure your connection credentials are up to date.
Do you have any items with embedded PSA credentials?

JoëlHempenius3 · ‎11-06-2024

I more or less achieved the same thing with my firewall rules: I blocked incoming ports 7080 and 7443 on the Windows firewall, which disabled all incoming communication from the webadapter machine, the arcgis server and the datastore. And because the webadapter was blocked any item with embedded credentials was also blocked. I always use a very limited account when I do the embedded credentials, because things like this blocking a limited account is not an issue, but saving your PSA credentials elsewhere in a system which isn't designed to store credentials is a security risk and must be avoided. The only location where PSA credentials can be saved are our password manager and Azure Keyvault.

-Joël Hempenius.

Languages: JavaScript, Python and Dunglish