ArcGIS Server 10.1 Windows Domain User store crashes

AllenGuan1 · ‎10-25-2013

This has happenned twice in the last 5 months since I installed ArcGIS for Server 10.1. I use "Windows Domain" for User Store, and "ArcGIS Server Built-in" for Role store. The authentication tier is GIS Server. This morning, the AGS server seemed to lose the connection to Windows Domain (AD). I can not login the Manager with my Windowss credential. Fortunately I have not disabled the primary site admin account yet so I logged on using the primary site admin. But inside the manager, I can not access the "Security -> User" tab. I tried restarting the AGS server, rebooting the server, no help. But after I reset to User Store back to "ArcGIS Server Built-in", and reset it back to "Windows Domain", everything started to work fine. Anybody know why? I definitely do not want this to happen again. I am at ArcGIS for server 10.1 SP1.

Allen

JeffSmith · ‎10-31-2013

When you configure to use the "Windows Domain" as the user store in ArcGIS Server Manager, one of the steps involves specifying the username/password of a domain account. This is how ArcGIS Server accesses Active Directory to get a list of all of the users. I suspect the password expired for the account you used in this process. This prevents ArcGIS Server from being able to authenticate with any domain users and explains why you could only access Server Manager with the primary site admin account.

I can think of only a couple of ways to work around this. One option is to reconfigure the security every time the password expires (or changes) for the account you use. Another option is to talk to your IT dept about creating a domain account for you to use whose password never expires. This is not an option for many companies though due to security policies forcing all domain accounts to change passwords on a regular basis.

AllenGuan1 · ‎10-31-2013

When you configure to use the "Windows Domain" as the user store in ArcGIS Server Manager, one of the steps involves specifying the username/password of a domain account. This is how ArcGIS Server accesses Active Directory to get a list of all of the users. I suspect the password expired for the account you used in this process. This prevents ArcGIS Server from being able to authenticate with any domain users and explains why you could only access Server Manager with the primary site admin account.

I can think of only a couple of ways to work around this. One option is to reconfigure the security every time the password expires (or changes) for the account you use. Another option is to talk to your IT dept about creating a domain account for you to use whose password never expires. This is not an option for many companies though due to security policies forcing all domain accounts to change passwords on a regular basis.

Jeff, thanks. Yes I used my personal AD account when setting up the Windows Domain user store, and the password expired every 3months. This "crash" occurred after I recently changed my password. I will use a domain account with no-password expire next time resetting the user store.

Allen

MikeDolbow · ‎02-05-2015

Do either of you know if there is a bug report for this, and/or if it is fixed in 10.2? I know it still says "Test Connection" in the wizard, which is totally ambiguous. If it really needs that account to maintain the connection to the domain controller, it's doing more than "testing", isn't it?!? I guess it can also depend on the AD group policy, but it certainly seems like a flimsy setup.