Portal for ArcGIS Publish Exception - Could not Decrypt Token

7251
8
Jump to solution
12-07-2016 07:20 AM
EricMahaffey1
Occasional Contributor

Has anyone had to troubleshoot an error when publishing to Portal for ArcGIS that reads: Publish exception 'Could not decrypt token.  Token may not be valid'

I see an entry on both Portal and ArcGIS Server logs when trying to publish a feature service within Portal

Any advice would be much appreciated.

0 Kudos
1 Solution

Accepted Solutions
EricMahaffey1
Occasional Contributor

I ended up figuring out the problem.  It's a long story so I'll try to explain all that I found and resolved.  It goes back to your original question of whether or not I could validate the federated server.  Apparently the instance of ArcGIS Server was not completely federated with Portal in my case.  Even though I could validate it through the Portal Home page ( i.e. /home/organization.html and selecting the "Servers" tab). 

(Pardon the rambled dump of information that is about to follow, but I pulled it from my notes which aren’t written as a well-developed story.)  I think it stems back to some issues I was having with getting certificates loaded properly on the server.  At that time I was getting an error "Invalid SSL certificate found.  PKIX path building failed..... ".  We ended up having to enable client certificates using a NETSH command (our resident server admin took care of it so I don't know all the details).  After which federating through the Portal Home page still wasn't working, so I dug into it a bit more.  In the Portal logs there was a 403 "not accessible" error associated with a link to the ArcGIS Portal Directory (i.e. /sharing/portals/self/servers/register).  On a whim I tried navigating to that link within a browser.  I noticed that it gives all of the same options to federate a server as the Portal Home page did.  I entered the information, checked "is hosted" to true, and clicked "register".  When I went back to the Portal Home federation page the server was now federated and listed as the hosting server.  Clicking "Validate Server" verified that all appeared to be configured properly.  Well when I tried a test in portal (add a zipped shape file and publish as feature layer), another error occurred.  This time it was “Failed to publish item…….exception.  Hostname in certificate didn’t match”.  To get past this I had to export the certificate used to configure https site bindings within IIS (root certificate with the private key), then import the certificate through the ArcGIS Server Administrator Directory (Home>machines>”machine name”>sslcertificates>importexistingservercertificate).  After that I was able to finish configuring the server to use the new certificate for SSL.  This finally brings us to the error that I originally posted.  The site wouldn’t publish a feature layer (Failed to publish item….. .zip …… could not decrypt token.  Token may not be valid”.  While doing some digging I found out that it’s possible to import all services within a federated server using the ArcGIS Server Administrator Directory (Home>Services>Supported Operations>federate).  However, this wasn’t an option on my page.  This is what lead me to believe that the server wasn’t completely federated.  So I then unregistered the server federation through the ArcGIS Portal Directory (REST endpoint).  Then going back to the Portal Home page I was finally able to federate the server properly.  Testing proved that a feature layer could now be published.

Again apologies to all for the long winded info dump.  I just wanted to throw it out there in case anyone else runs into the same problem.

View solution in original post

8 Replies
JonathanQuinn
Esri Frequent Contributor

What version are you using?  Can you validate the federated Server?

0 Kudos
EricMahaffey1
Occasional Contributor

Hi Jonathan.  We're running v10.3.1 (both Portal and ArcGIS Server), and have configured a single server with dual web adaptors.  The instance of ArcGIS Server validates, and is also the hosting server.

0 Kudos
EricMahaffey1
Occasional Contributor

Another thing that's puzzling me is that I'm not using Portal's built in identity store token based authentication.  I'm using  Windows Active Directory and PKI to secure access.  So why is the error referencing an issue with token decryption?

0 Kudos
JonathanQuinn
Esri Frequent Contributor

Internally, the communication between Server and Portal will still use tokens.  Can you try to login to the Server Admin API using a portal token?  Go to the Admin API and then instead of using the PSA, follow the instructions below that to use a Portal token instead.

0 Kudos
EricMahaffey1
Occasional Contributor

Thanks for the suggestion Jonathan.  I didn't see any instructions in you message.  Is this what you meant?

Accessing the Administrator Directory on a federated server—Portal for ArcGIS (10.3 and 10.3.1) | Ar... 

I'm using Windows Active Directory Authentication with PKI for both ArcGIS Server and Portal.  When I hit the ArcGIS Administrator Directory the browser prompts me to select PKI certficate and PIN in order to authenticate.  I can't find an option to login using a Portal Token.  The admin page won't even let me "Signout".

0 Kudos
JonathanQuinn
Esri Frequent Contributor

Sorry for the late reply.  Does it matter if you go through 6443, or is that what you're doing already?    I think it may be best to reach out to Technical Support so they can take a closer look at the setup and see what could be wrong.

0 Kudos
EricMahaffey1
Occasional Contributor

I ended up figuring out the problem.  It's a long story so I'll try to explain all that I found and resolved.  It goes back to your original question of whether or not I could validate the federated server.  Apparently the instance of ArcGIS Server was not completely federated with Portal in my case.  Even though I could validate it through the Portal Home page ( i.e. /home/organization.html and selecting the "Servers" tab). 

(Pardon the rambled dump of information that is about to follow, but I pulled it from my notes which aren’t written as a well-developed story.)  I think it stems back to some issues I was having with getting certificates loaded properly on the server.  At that time I was getting an error "Invalid SSL certificate found.  PKIX path building failed..... ".  We ended up having to enable client certificates using a NETSH command (our resident server admin took care of it so I don't know all the details).  After which federating through the Portal Home page still wasn't working, so I dug into it a bit more.  In the Portal logs there was a 403 "not accessible" error associated with a link to the ArcGIS Portal Directory (i.e. /sharing/portals/self/servers/register).  On a whim I tried navigating to that link within a browser.  I noticed that it gives all of the same options to federate a server as the Portal Home page did.  I entered the information, checked "is hosted" to true, and clicked "register".  When I went back to the Portal Home federation page the server was now federated and listed as the hosting server.  Clicking "Validate Server" verified that all appeared to be configured properly.  Well when I tried a test in portal (add a zipped shape file and publish as feature layer), another error occurred.  This time it was “Failed to publish item…….exception.  Hostname in certificate didn’t match”.  To get past this I had to export the certificate used to configure https site bindings within IIS (root certificate with the private key), then import the certificate through the ArcGIS Server Administrator Directory (Home>machines>”machine name”>sslcertificates>importexistingservercertificate).  After that I was able to finish configuring the server to use the new certificate for SSL.  This finally brings us to the error that I originally posted.  The site wouldn’t publish a feature layer (Failed to publish item….. .zip …… could not decrypt token.  Token may not be valid”.  While doing some digging I found out that it’s possible to import all services within a federated server using the ArcGIS Server Administrator Directory (Home>Services>Supported Operations>federate).  However, this wasn’t an option on my page.  This is what lead me to believe that the server wasn’t completely federated.  So I then unregistered the server federation through the ArcGIS Portal Directory (REST endpoint).  Then going back to the Portal Home page I was finally able to federate the server properly.  Testing proved that a feature layer could now be published.

Again apologies to all for the long winded info dump.  I just wanted to throw it out there in case anyone else runs into the same problem.

View solution in original post

JohnPlunkett
Esri Contributor

Thanks had the same issue on 10.6 pre-release unfederated and federated fixed it

0 Kudos