Select to view content in your preferred language

Direct request to arcgis/rest/services succeeds, via webadaptor it responds with 'Invalid token'

368
3
08-27-2025 03:27 AM
LarissaDrysdale
Emerging Contributor

We have the following problem within ArcGIS Enterprise:

If arcgis/rest/services/... is accessed via the webadaptor, the token generated via portal/sharing/generateToken is not considered valid. In other words an Invalid Token repsonse is returned.

We checked:

a. The token has not expired (checked and is therefore accepted by other endpoints as described above).
b. The same base URL is used when generating the token (i.e., the domain name in both instances).

Below I describe the situations where this problem surfaces in ArcGIS Enterprise in Portal and in ArcGIS Server Manager

Portal
If you have an item on the content page that isn't publicly shared (i.e., with the owner/organization), you can't view it in the map viewer.
In the developer screen of the browser, we see that the token generated by the Portal via portal/sharing/generateToken is accepted by requests to /arcgis/admin/services/….
but not by requests to /arcgis/rest/services/…  response {"error":{"code":498,"message":"Invalid Token","details":[]}}

Server Manager
If you log in via https://domainname/arcgis/manager, you get logged out, because the list with services can not be shown.
In the developer screen of the browser, we see that a token is generated via portal/sharing/generateToken
this is accepted by requests to requests to arcgis/admin/…
but not by requests to /arcgis/rest/services/…. it returns an empty response followed by a revokeToken request /portal/sharing/rest/oauth2/revokeToken

If you go to the server manager via https://domainname:6443/arcgis/manager, you can see the list, and I can also click through to a service without any error.

Questions

1. Does anyone recognize this behaviour? And how did you resolve this situation?
2. What specific settings does arcgis/rest/services use to check if the token is valid? In other words:

  1. Which settings do we have to check / compair?
  2. What could cause a token generated by portal/sharing to not be accepted by arcgis/rest/services?
0 Kudos
3 Replies
JakeSkinner
Esri Esteemed Contributor

Hi @LarissaDrysdale,

1.  What version of ArcGIS Enterprise are you running?

2.  Within Portal > Organization > Settings > Servers, is the Administration URL set to the Web Adaptor URL or the 6443 URL?

0 Kudos
LarissaDrysdale
Emerging Contributor

Hi @JakeSkinner ,

1. We are running 11.5

2.  The admin url is set to the Web Adaptor URL, so not :6443. It is the same as at our production environment which has no problems (and is still 11.4 by the way)

0 Kudos
LarissaDrysdale
Emerging Contributor

Hi @JakeSkinner,

After my reply above, we were thinking:

When portal/sharing/generatetoken creates a token for the arcgis webadaptor address (so domainname without portnumber) then arcgis/rest/services judges that the token is invalid.

And when the token is generated for the direct address (so domainname with portnumber) then arcgis/rest/services judges that the token is valid. 

Could this be due to a sharedkey somewere being not in sync? Are there different shared keys being used for the route via the webadaptor or direct to arcgis server? 

Could refederating arcgis server with Portal solve this problem? What happens when we refederate, do we loose data?

0 Kudos