An insecure item from ArcGIS Portal's Server URL is being loaded

01-10-2018 08:36 AM
MichaelSchoelen
Occasional Contributor III

Long story short: An item from our portal server is skipping around the portal URL, and loading as its own resource. This is causing a problem because the server does not have its own certificate. It should be bundled up with the portal resources.

Note: https://internal.gis.bisnet.com is on https://server01.ina.bisnet.com

We have ArcGIS Enterprise deployed. Everything is secure, however when a hosted feature service is loaded in a new web map, the site is flagged as insecure.

In Google Chrome Developer tools, I loaded the site to understand what insecure resource was being loaded.

  • It notes that my portal site (https://internal.gis.bisnet.com --example) IS secure.
  • However, it is also showing the name of the server that portal is on (https://server01.ina.bisnet.com) as an INSECURE resource. This is interesting, because everything should be coming through the portal URL (internal.gis.bisnet.com).

[Screenshot: Google Chrome security report]

I took a look at the Google Chrome sources list, to determine what resource was loading from server01 (skipping around portal).

  • It might be an item from our Webadaptor (called team)
  • It appears to be something under the "self" properties

[Screenshot: Google Chrome sources]

How do I modify my settings so this resource travels through portal, and does not appear as its own resource?


Accepted Solutions
MichaelSchoelen
Occasional Contributor III

So I'm not sure if this was the Web Context URL or simply the name of the web adaptor being incorrect, but the solution was to go to the portaladmin page on portal, navigate to the web adaptor properties, add "/edit" to the end of the URL, and update the name of the web adaptor from the server name to the domain name used by portal. That resolved all of the issues! 

Thank you! Your comments put me on the right track.


7 Replies
RandallWilliams
Esri Regular Contributor

I'm unsure I completely understand. A few questions:

Are Portal and Server installed on separate machines?

How many web adaptors are you using, and where are they located? There should be two, one for Portal and one for Server.

Portal is on server01.ina.bisnet.com, correct?

If you're installed on two separate machines, then that puts ArcGIS Server on internal.ina.bisnet.com, is that correct?

The response to the call to the SELF resource would be coming from the Portal.

MichaelSchoelen
Occasional Contributor III

Our portal website is: https://internal.gis.bisnet.com/team

Portal and Server are installed on separate machines.

"The response to the call to the SELF resource would be coming from the Portal." -- That is correct.

RandallWilliams
Esri Regular Contributor

Ok, got it. Does that mean that https://internal.gis.bisnet.com/team is a DNS alias that points to your web adaptor?

If that's the case, that would imply that the CN issued for your cert is also internal.gis.bisnet.com. Is that correct?

If those are correct, I'd address this issue by updating your cert to include server01.ina.bisnet.com in the cert's SAN (Subject Alternative Name). I think that you're getting that error because the browser doesn't believe that the cert that's presented matches the hostname you're reaching. Setting the SAN would help correct that.

MichaelSchoelen
Occasional Contributor III

Yep!  https://internal.gis.bisnet.com/team is the DNS alias that points to our web adaptor.

And we have a wildcard cert from a CA for *.gis.bisnet.com

Is there guidance on how to set the SAN? I've read this, but we are using an already-signed certificate. 

I hoped we could set that somewhere in the SSL certificate properties in Portal Admin Directory?

SSL Certificates

PhilipMcNeilly
Esri Contributor

Have you set the webcontextURL for portal to point at the DNS Alias? If not, this could be why the requests are being sent to the portal machine name and, as a result, producing a certificate error, rather than being sent via the DNS Alias.

Use a reverse proxy server with Portal for ArcGIS—Portal for ArcGIS (10.6) | ArcGIS Enterprise 
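The hostname mismatch discussed in this thread, as an added example that is not part of the original posts or Esri's code: it walks a JSON document, collects every URL hostname in it, and reports the ones that the certificate's names do not cover, using the single-label wildcard rule browsers apply. The sample document, its key names and the URL paths are constructed for illustration; only the hostnames and the wildcard name come from the thread.

```python
import json
from urllib.parse import urlsplit

def san_matches(pattern: str, host: str) -> bool:
    """True if a certificate name covers host. A '*' is honoured only as the
    whole leftmost label and stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def hosts_in(doc):
    """Yield (json_path, hostname) for every http(s) URL string in doc."""
    stack = [("$", doc)]
    while stack:
        path, node = stack.pop()
        if isinstance(node, dict):
            stack.extend((f"{path}.{k}", v) for k, v in node.items())
        elif isinstance(node, list):
            stack.extend((f"{path}[{i}]", v) for i, v in enumerate(node))
        elif isinstance(node, str) and node.lower().startswith(("http://", "https://")):
            host = urlsplit(node).hostname
            if host:
                yield path, host

def uncovered(doc, cert_names):
    """Sorted (json_path, hostname) pairs whose host no certificate name covers."""
    return sorted((path, host) for path, host in hosts_in(doc)
                  if not any(san_matches(name, host) for name in cert_names))

# Constructed sample: hypothetical keys, hostnames taken from the thread.
SAMPLE = json.loads("""{
  "portalUrl": "https://internal.gis.bisnet.com/team",
  "services": [
    {"name": "hosted", "url": "https://server01.ina.bisnet.com/team/rest/services"}
  ]
}""")

if __name__ == "__main__":
    for path, host in uncovered(SAMPLE, ["*.gis.bisnet.com"]):
        print(f"{path}: {host} is not covered by the certificate")
```

Run against a saved response from the portal, any hostname it reports is one the browser will reject under the wildcard certificate alone.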

RandallWilliams
Esri Regular Contributor

Philip's response above is going to be the best bet. I totally forgot about that setting. Updating the SAN would also have worked, but Philip's is the 'proper' fix.
