ArcGIS Server administration issue

11-29-2012 09:05 AM
AnthonyCalderon
Emerging Contributor
Hi All -

We are having an issue connecting to ArcGIS Server 10.1 from ArcCatalog. We are able to log into the web manager interface, but ArcCatalog returns: "Access to this resource is forbidden, regardless of authorization." I had it working on one workstation right after the server was installed, but now none of our workstations are able to connect through Catalog. We are running 10.1 SP1 on the server and clients.

Additional note: we are able to connect from Catalog if we choose "use", but both publish and administer return the error above. I have tried both internal auth and Windows auth and both return the same error. I have searched the interweb and have not found anyone else reporting this issue.

Any help would be greatly appreciated.
0 Kudos
20 Replies
nicogis
MVP Alum
Rachel, what do you see in Fiddler (www.fiddler2.com) when you connect with ArcCatalog?
0 Kudos
JasonKolbow
Deactivated User
Hey Rachel,

Unless you have that token set to never expire with that particular user, you're going to run into major problems accessing the service with that method. I've got a secure service that I have access to on my GIS Server, and when using Fiddler in Catalog to preview, I just get pushed to our load balancer machine /arcgisoutput. 
Ex: maps.production.com/arcgisoutput/xxxxxxxx

Is this the behavior that you're observing for other services? I noticed it to be the same on a secure or non-secure service when connected as an administrator of the GIS Server through ArcCatalog.

JMK
0 Kudos
olivierthomas
Emerging Contributor
Hi,

Maybe you must reconfigure the Web Adaptor using a shared key.

Olivier T.
0 Kudos
RachelS
Frequent Contributor
Thanks for your replies,
I just installed Fiddler on my server and tried to connect to the service in ArcCatalog. When I look back at Fiddler I don't see any error messages in stats.
The token is set for a year's use. I wonder, before I connect to the web service in ArcCatalog, should I do something with the token first?

In Flex Builder I added it to my config XML along with the token path, and when I open the viewer it brings up the Sign In window, but when I add credentials it gives error 2032, which Adobe says occurs when the URL or file is blocked or not found by the HTTPService call, and to check it in a URL. I have done this and it works fine.

I see other agencies are using the same service on public viewers that I'm trying to access so there must be some way around it.

I use the services on another non-secure external server and I have no problem connecting to it and using it in Flex. I then use WMS from the same agency whose secure services I'm trying to connect to; the WMS connected fine. It must have something to do with the fact that it's a secure service.

Oth, how do I reconfigure the Web Adaptor using a shared key?

Rachel
0 Kudos
by Anonymous User
Not applicable
Rachel,

Did you ever get to the root cause of your forbidden access issue? I am running into the same problem, but nothing obvious is staring at me, and forum responses on the topic are both rare and vague on the root cause of the issues.

Brad
0 Kudos
RachelS
Frequent Contributor
Hi,
I've found the problem behind my issues: it's because my server wasn't public. I hadn't realised the IP needs to be open for the map service. You learn something new every day!
Rachel
0 Kudos
AnthonyCalderon
Emerging Contributor
Hi all -

We still haven't been able to resolve this on our end.  Our GIS folks have been just saving the .sd file to the server and then publishing through the web interface for now, but this is starting to become more of a nuisance.

We are not connecting through the web adapter; we are connecting to http://<serverName>:6080/arcgis. We can successfully open this URL in a web browser without error from the same workstation that is receiving the error in ArcGIS. Both server and workstation are on the same subnet and joined to the same domain. The ArcGIS Server service is running as a domain account. All Windows firewalls are turned off.

Any other thoughts?
0 Kudos
AnthonyCalderon
Emerging Contributor
Found the solution to our issue. I finally ran a Wireshark packet capture to figure out what was going on. Basically, it comes down to the fact that it needs port 6443 open as well as port 6080. Catalog uses port 6080 for HTTP traffic and 6443 for HTTPS traffic (which I have not seen documented anywhere). Turns out that Catalog uses the proxy settings configured for IE. In our case, we require our users to go through a proxy server for HTTPS traffic only, and our proxy server was not allowing the connection to the internal server. Unfortunately, Catalog does not give you an option to use any other settings, unlike most normal programs. Once we disabled the proxy settings in IE we were able to administer our server, but then our users are unable to access HTTPS sites on the internet.

Hopefully this helps others out there and maybe ESRI will add the feature to not use IE's proxy settings in their next patch.

Cheers!
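
The split described in the post above (HTTP to port 6080 going direct, HTTPS to port 6443 going to the proxy) follows from how Internet Explorer's per-scheme proxy settings are evaluated. The sketch below is an added example, not part of the original thread or Esri's code; it models the `ProxyServer` and `ProxyOverride` values in simplified form. The host names are constructed placeholders, and whether ArcCatalog honours the exceptions list is an assumption the thread does not confirm.

```python
from fnmatch import fnmatch
from urllib.parse import urlsplit


def parse_proxy_server(value):
    """Parse a WinINET-style ProxyServer string into {scheme: 'host:port'}.

    'proxy:8080' applies to every scheme; 'http=a:80;https=b:443' is per scheme.
    """
    proxies = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        if "=" in part:
            scheme, target = part.split("=", 1)
            proxies[scheme.strip().lower()] = target.strip()
        else:
            proxies["*"] = part
    return proxies


def is_bypassed(host, override):
    """Apply a ProxyOverride list: ';'-separated wildcards, plus '<local>'."""
    host = host.lower()
    for pattern in filter(None, (p.strip().lower() for p in override.split(";"))):
        if pattern == "<local>":
            if "." not in host:  # '<local>' only matches dotless host names
                return True
        elif fnmatch(host, pattern):
            return True
    return False


def route(url, enabled, proxy_server, override=""):
    """Return 'direct' or the 'host:port' proxy a request to url would use."""
    parts = urlsplit(url)
    if not enabled or is_bypassed(parts.hostname, override):
        return "direct"
    proxies = parse_proxy_server(proxy_server)
    return proxies.get(parts.scheme, proxies.get("*", "direct"))


# Constructed settings resembling the post: a proxy for HTTPS traffic only.
SETTINGS = dict(enabled=True, proxy_server="https=proxy.example.internal:8443")
ADMIN_HTTP = "http://gisserver.example.internal:6080/arcgis"    # placeholder host
ADMIN_HTTPS = "https://gisserver.example.internal:6443/arcgis"  # placeholder host

if __name__ == "__main__":
    print(ADMIN_HTTP, "->", route(ADMIN_HTTP, **SETTINGS))
    print(ADMIN_HTTPS, "->", route(ADMIN_HTTPS, **SETTINGS))
    print("with exception ->",
          route(ADMIN_HTTPS, override="gisserver.example.internal", **SETTINGS))
```

On a Windows client the real values live under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings` (`ProxyEnable`, `ProxyServer`, `ProxyOverride`); an exceptions entry for the internal server keeps the proxy in place for other HTTPS traffic.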
MarkChilcott
Frequent Contributor
Thanks Anthony.  Same problem, and this was the solution.
0 Kudos
AndrewBrown1
Deactivated User
I'm having the same problem, but I'm not using a proxy server. Our AGS is set up for token authentication via web adapter, but the adapter is on a separate machine.

Tried to connect via http://server:6080/arcgis - access denied. forbidden
Tried to connect via https://server:6443/arcgis - our certificate is currently questionable, but still access denied. forbidden.

I also cannot connect to the AGS Server Manager from my machine. I try http://server:6080/arcgis/manager, and the scrollbar appears, but it doesn't move past that page. Console messages relay error 403 - forbidden.

I looked into the firewall rules on the server. All traffic from my machine is allowed on all ports, nothing is blocked. My user on the server currently has admin access, as well as being in the agsadmin group.

No clue why I cannot access the AGS box from my machine. I also cannot create services using service definition files, but that is another issue.
0 Kudos