I have an ArcPy script that calls ConvertWebMapToMapDocument and passes it an AGS file. In the old days, the AGS file was linked to a specific instance of AGS (e.g. URL of "https://TerriblePun.datacenter.local:6443/arcgis" + username/password of an AGS user account).
Now, my company is going to Portal 10.7.1 and becoming a little more highly available so I want to use a URL that looks more like "https://BoringPublicSubdomain.example.net/fw_arcgisportal" + username/password of a Portal account. That way, I don't have to maintain a different AGS file for each server that is running Server.
What is the best way to allow access to secured map services from that function? I tried 3 ways to generate an AGS file and failed all 3 times.
First, I tried to force ArcCatalog 10.7.1 to generate an AGS file with the above parameters. That failed.
---------------------------
Add ArcGIS Server
---------------------------
We were unable to connect to: https://arcgis.firstwatch.net/fw_arcgisportal.
Error: Proxy server got bad address from remote server (verify the server is running). (status code 504).
---------------------------
OK
---------------------------
Next, I tried using the local host file.
1. Add "127.0.0.1 FW_Local_AGS" on the server that will ultimately run the geoprocessing service.
2. Add "127.0.0.1 FW_Local_AGS" to my laptop's host file and fill in the IP address of the AGS server (not 127.0.0.1).
3. In ArcCatalog, use a URL of "https://FW_Local_AGS:6443/arcgis" + username/password of a Portal account
That didn't work either.
---------------------------
Add ArcGIS Server
---------------------------
We were unable to connect to: https://FW_Local_AGS:6443/arcgis.
Error: Bad syntax in request. (status code 400).
---------------------------
OK
---------------------------
Finally, I repeated the host file idea with the Primary Site Administrator's account (I know this is a big security no-no but I also know that some things in AGS don't work right with federated Portal accounts). I got the same error:
---------------------------
Add ArcGIS Server
---------------------------
We were unable to connect to: https://FW_Local_AGS:6443/arcgis.
Error: Bad syntax in request. (status code 400).
---------------------------
OK
---------------------------
I found "Print maps that contain secured services" (ArcGIS Enterprise 10.7 documentation), but it also requires an existing AGS file (er...connection). What is the best way to allow an AGS print service on a federated AGS server to access secured map services that are published to the same AGS machine (e.g. PrintService on Server A trying to access secured map service B on Server A)?
Hi Zian Choy
Here is what is said in the first section of the help you mentioned:
Web-tier authentication
If your ArcGIS Server is federated with an ArcGIS Enterprise portal and only the portal's ArcGIS Web Adaptor uses web-tier authentication (IWA, PKI, Basic, and so on), printing secured services will work as expected. The same is true for deployments that do not use web-tier authentication systems.
However, if your ArcGIS Server site's Web Adaptor uses web-tier authentication, the PrintingTools service and custom print services will not be able to print any of your site's services. This restriction exists for both federated and stand-alone ArcGIS Server sites.
Reading your post, it seems like it should just work for you.
I have a few questions:
Thanks.
Tanu
>1
Federated with a portal and using the authentication built into Portal for ArcGIS.
>2
Yes, I am.
>3
The major motivations are:
1. Returning errors as messages in the GP service output. With the built-in service (as of 10.3.1), errors go to the AGS log rather than the GP output so the client (e.g. Web App Builder or a custom JS API web map) has no way to know what went wrong with the GP job.
2. Running asynchronously to maximize the responsiveness of the application calling the service.
Thanks.
Hmm. It should just work since you are using the built-in authentication.
Just for the sake of trying, can you pls try with the out of the box print service and see whether that works?
I infer you are in 10.3.1 server/portal version, right? In that case, you can't use ArcGIS Pro to create a print service (you need at least 10.6.1, but I'd recommend something higher as a lot of enhancements went in).
Re: async and error outputs to the client:
You should be able to change these settings for the default print service (or any print service you publish from Export Web Map tool) from ArcMap or the Manager site. Did that not work for you?
I believe there might be a downside to async service - it might not work with the portal Map Viewer print option and any Web App Builder's print widget.
Actually, I'm trying to run the GP service on AGS/Portal 10.7.1. It used to run in 10.3.1. I'll hold off on reading too much into your post to give you a chance to revise your thoughts.
>built-in authentication
I'm not quite sure what you mean. The HTTP POST is being sent to the GP service by a .NET program that's putting together the JSON from scratch.
I would not expect an AGS GP service to infer that given the below, the GP service should have unfettered access to all the secured map services mentioned in the webmap JSON.
1. a HTTP POST with a JSON blob
2. a token in the POST body (for accessing the secured GP service)
3. A few other trivial parameters in the post body (f=json, layout...)
secured services require some kind of authentication. i was first trying to use the arcpy.ImportCredentials method, but arcpy (pro version) no longer allows you to automatically create an arcgis server connection file and since i wanted to automate this i looked for another way.
the other option is a token. the web map as json contains 4 root keys: "mapOptions", "operationalLayers", "exportOptions", and "layoutOptions". "operationalLayers" is a list of json objects.
if you iterate over those layers and look for your own hostname (or you have other requirements) in the "url" key, you can append a portal token key to the json to authenticate for each required layer. see the mock up example below from my ExportWebMap python geoprocessing script for details.
```python
import json

import arcpy
import boto3
import requests


def get_portal_token(portal_host, saj):
    """
    this gets a token for authentication into portal for arcgis
    """
    url = "https://{}/portal/sharing/rest/generateToken/".format(portal_host)
    params = {
        'f': 'pjson',
        'username': saj["username"],
        'password': saj["password"],
        'referer': "https://{}/portal".format(portal_host),
    }
    # the credentials are sent in the POST body, not in the query string
    token_json = requests.post(url, data=params)
    token = token_json.json()["token"]
    return token

#...
portal_host = "someboringschooldomain.edu"
WebMap_as_JSON = arcpy.GetParameterAsText(0)
#get username password:
# get_secret, siteadmin_secret, aws_region and layoutTemplate are not shown in this mock-up
secret = get_secret(siteadmin_secret, aws_region)
token = get_portal_token(portal_host, secret)
wmaj = json.loads(WebMap_as_JSON)
for layer in wmaj["operationalLayers"]:
    # layers without a "url" key (e.g. client-side graphics) are skipped
    if portal_host in (layer.get("url") or ""):
        layer.update({"token": token})
result = arcpy.mp.ConvertWebMapToArcGISProject(json.dumps(wmaj), layoutTemplate)
#...
```
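An added example, not part of the original post or of any Esri code: a stricter form of the host check described above. It compares the parsed hostname of each layer URL against an allowlist and requires HTTPS, because a substring test also matches URLs that merely contain the host string, and the token would then be sent to that server. The function name `attach_token`, the host names and the token value are placeholders, and the block runs without arcpy.

```python
import json
from urllib.parse import urlsplit


def attach_token(webmap_json, token, trusted_hosts):
    """Add "token" to operational layers served over HTTPS by a trusted host.

    Returns (updated JSON string, list of URLs that received the token).
    """
    trusted = {h.lower() for h in trusted_hosts}
    webmap = json.loads(webmap_json)
    tokenised = []
    for layer in webmap.get("operationalLayers", []):
        url = layer.get("url")
        if not isinstance(url, str):
            continue  # client-side graphics / feature collections have no "url"
        try:
            parts = urlsplit(url)
        except ValueError:
            continue  # malformed URL: never hand it a credential
        # .hostname is lower-cased and excludes port and userinfo, so
        # "host.other.test", "other.test/host/..." and "host@other.test" all fail.
        if parts.scheme != "https" or parts.hostname not in trusted:
            continue
        layer["token"] = token
        tokenised.append(url)
    return json.dumps(webmap), tokenised


# Constructed sample web map; every host name and the token are placeholders.
HOST = "gis.example.net"
SAMPLE_WEBMAP = json.dumps({
    "mapOptions": {},
    "operationalLayers": [
        {"id": "own", "url": "https://gis.example.net/server/rest/services/A/MapServer"},
        {"id": "own-port", "url": "https://GIS.example.net:6443/arcgis/rest/services/B/MapServer"},
        {"id": "suffix", "url": "https://gis.example.net.other.test/rest/services/C/MapServer"},
        {"id": "in-path", "url": "https://other.test/gis.example.net/rest/services/D/MapServer"},
        {"id": "userinfo", "url": "https://gis.example.net@other.test/rest/services/E/MapServer"},
        {"id": "plain-http", "url": "http://gis.example.net/server/rest/services/F/MapServer"},
        {"id": "graphics", "featureCollection": {"layers": []}},
    ],
    "exportOptions": {},
    "layoutOptions": {},
})

if __name__ == "__main__":
    _, urls = attach_token(SAMPLE_WEBMAP, "PLACEHOLDER-TOKEN", [HOST])
    print("\n".join(urls))
```

Of the seven constructed layers, only the first two receive the token; a substring test on the host name would have tokenised six.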