Community

Print secure services using Web Tier Authentication

13393
18
06-27-2016 06:53 AM
RavinHasseea1
by
New Contributor III
‎06-27-2016 06:53 AM

Hi I am using Portal 10.4 and have configured the portal printing tools to an ArcGIS 10.3.1 printing service. We have IWA set up for both the portal and ArcGIS Server. We have also set up trusted servers in portal.

When using the default print widget in portal, I am getting the error message "Error, try again"

In ArcGIS Server log, I get

"Error executing tool. Export Web Map Task Job ID: j150b832f961f4960833c46084e3ba118 : Layer "My Map": Unable to connect to map server at https://servername/arcgis/rest/services/Basemaps/OSBasemaps/MapServer. Failed to execute (Export Web Map). Failed to execute (Export Web Map Task)."

I have also tried running the print service from its rest end point. It comes up with the same error message.

We have tried the default ArcGIS Server printing services and also a custom service with embedded credentials (Printing maps that contain secured services—Documentation (10.3 and 10.3.1) | ArcGIS for Server ). All the services are currently accessible to everyone.

Any suggestions ?

Tags (1)
18 Replies
CésarPires
by
New Contributor III
‎07-25-2016 04:58 AM

I have  the same problem.

My services are running on ArcGIS for Server 10.4.1 and i get the same error when trying to print secures services with IWA.

ArcGIS for Server is running as a domain user and custom print services is configured with the same user and password.

0 Kudos
MichaelRobb
by
Occasional Contributor III
‎07-25-2016 01:29 PM

Hi Cesar,

It should all work.  I have a document with explicit details, I cant post it, but can provide snippets and direction.

Summary:

Create a custom Geoprocessing Print service which holds Preconfigured secure connections which are set using a User name that has access to ALL Secure Services to allow secure services print through using Windows Authentication / Web-Tier

In IIS - WIndows Authentication enabled on the ArcGIS Server Web Adaptor. 

Have Web-Tier authentication enabled on ArcGIS Server (using manager or admin)

  1. Create a new Toolbox under My Toolboxes using ArcCatalog
  2. Copy Export Web Map GP Tool from System Toolbox >> Server Tools >> Printing TO the newly created toolbox.
  3. Create new AGS Connection

This connection will be a User that will have access to ALL ArcGIS Server Services that are locked.

This connection MUST be a USER type connection with ArcGIS Server

1.png

1.png

4.     Name the AGS Connection Appropriately

5.     Right t click on new GP >> Edit

6.     Add the newly created AGS Connection File

2.png

7.     Validate the URL and AGS Connection

3.png

8.     Repeat steps for multiple servers (in this case, I do only 1 as we have traffic go through a NLB)

9.     Open an ArcMap Session and Add the custom toolbox

10.  Add some data to the mapdoc (which the server has visibility to - registered)

11. Double click the custom Print GP

4.png

12. Double click the custom Print GP

13.  In the results dialog, right click on the successful print and share as >> Geoprocessing service

14. Publish the service

15. name the service

16. Configure the custom GP Service in the service editor

     (e.g. Asynchronous execution mode) custom templates etc...

17.Analyze

18. Publish

1.png

When you create the custom Geoprocessor, the connection used MUST be a USER type connection with ArcGIS Server, not Publisher or Admin.  Please ensure this.

PaulDavidson1
by
Occasional Contributor III
‎07-25-2016 02:50 PM

Michael:  I suspect there are going to be many of us thanking you for this posting!

0 Kudos
CésarPires
by
New Contributor III
‎07-26-2016 04:50 AM

Problem solved

The loopback security check of windows server 2008 R2 was bloking windows authetication of the print service.

MichaelRobb
by
Occasional Contributor III
‎07-26-2016 07:40 AM

Glad you figured it out.  That is a five year old item for sure though.  .NET 3.5SP1.   Loopback only applies to the machine server the request came from though. You should have had no issues from an external machine. ??

0 Kudos
CésarPires
by
New Contributor III
‎07-26-2016 07:58 AM

Yes. Everything was working fine from a external machine except  the print service.

Print service was blocked wen  trying to authenticate in the same machine that was serving him.

0 Kudos
OliviaDeSimone
by
Occasional Contributor
‎10-13-2017 08:50 AM

Thank you for these helpful steps.  I am not quite able to get this to work and have a couple questions:

  1. When you say, "When you create the custom Geoprocessor, the connection used MUST be a USER type connection with ArcGIS Server, not Publisher or Admin," you don't mean when you are actually publishing the service, right?  It isn't possible to publish a service on a User connection.  Do you mean that it is important to make sure that you edit the tool to include the user connection URL in the "Configure Secure GIS Server Connections" window?
  2. Does anyone know is this workflow still works at ArcGIS Server 10.5?
0 Kudos
Rebecca_Fong
by
New Contributor
‎07-31-2017 05:33 AM

I tried this process and my print services, just sits there. No error message. Is anyone having the same issues

0 Kudos
AndresCastillo
by MVP Regular Contributor
MVP Regular Contributor
‎08-03-2020 02:58 PM
error executing tool. Export Web Map Task : Layer "SpatialRecord_UT_Pro_FS - County Manifest": Failed to create layer from service at https://arcgisserver.domain.com/portal/sharing/servers/itemid/rest/services/FSName/FeatureServer/1. ERROR: code:403, You do not have permissions to access this resource or perform this operation. Access to this resource is forbidden, regardless of authorization. Failed to execute (Export Web Map). Failed to execute (Export Web Map Task).Utilities/PrintingTools.GPServer
 
 
 

Appears as if ArcGIS Server Print tools does not have access to external secured feature service.

https://community.esri.com/thread/87790

https://community.esri.com/thread/179089

https://community.esri.com/videos/3051

 

Our solution:

We added an external secured service to our portal as an item, and save credentials with the item.

We have two ways it works:

1.

share the external secured service portal item with everyone within the network domain.

This will allow the ArcGIS Server account (a domain user within the network) access to get the credentials from the portal item, so the credentials can be read by that ArcGIS Server's print service.

The downside of this is that now everyone within the network domain of your company can print this external secured service portal item.

2.

Share the external secured service portal item with specific groups within the portal.

Add the ArcGIS Server account (a domain user within the network) as a portal member.

Add the Server account portal user as a member of a group you shared the external secured service portal item with.

This will allow the ArcGIS Server account (a domain user within the network) access to get the credentials from the portal item, so the credentials can be read by that ArcGIS Server's print service.

The downside of doing this is that it takes up a portal user type license, which costs money.

A possible third way this will work is following Esri docs:

Print maps that contain secured services—Documentation (10.5) | ArcGIS Enterprise 

0 Kudos