Select to view content in your preferred language

Problem Changing the ArcGIS Server Account

1036
7
07-20-2022 12:07 PM
JustinConnerWR
Frequent Contributor

When AGS was installed they used the default Domain\arcgis service account. For security reasons it's recommended to change this account. I successfully ran the "Configure ArcGIS Server Account utility", confirmed the new account had permissions to the ags folders, file shares, etc. Added the user to SQL databases. Confirmed the AGS service was running as the new domain account. Everything seemed good.

I am able to log into my laptop as the new domain account, access any data thats needed, read/write to SQL, and publish maps to AGS. Again everything seemed good. So I decided it was safe to disable the old domain\arcgis account. That's when the map services using OSA data connections failed, even the test map service created while logged in as the new account. Looking at the GDB locks all AGS map services were still using the domain\arcgis account.

The warning I see in AGS logs when restarting a service is:

The base table definition string "data layer name" is invalid. Underlying DBMS error[[Microsoft][ODBC Driver 17 for SQL Server][SQL Server]Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. No extended error.].

And the corresponding error on the SQL host machine.

SSPI handshake failed with error code 0x8009030c, state 14 while establishing a connection with integrated security; the connection has been closed. Reason: AcceptSecurityContext failed.

Any thoughts would be helpful.

Tags (1)
0 Kudos
7 Replies
ChristopherPawlyszyn
Esri Contributor

Can you verify the syntax of the username and domain you used as an input for the Configure Service Account utility?

 

I've seen in the past where customers have used username@DOMAIN instead of DOMAIN\username and it actually created a local account as opposed to using the domain account, so worth a first-order check.


-- Chris Pawlyszyn
0 Kudos
JustinConnerWR
Frequent Contributor

I created the user account in active directory before running the utility. 

0 Kudos
ChristopherPawlyszyn
Esri Contributor

Understood, but the Services pane may indicate the software service running as .\user@DOMAIN as opposed to DOMAIN\user or user@domain, which would potentially cause the 'untrusted domain' error you received. You can also check in Computer Management -> Local Users and Groups -> Users to see if a local account was created as opposed to the domain account that should have been used.


-- Chris Pawlyszyn
0 Kudos
JustinConnerWR
Frequent Contributor

It all looks correct. The ArcGIS Server software service is running on the GIS server as DOMAIN\user. There are no local users on the GIS server.

0 Kudos
ChristopherPawlyszyn
Esri Contributor

Can you enable audit logging on the SQL Server side to see what credentials it is assuming are from an untrusted domain?

 

The configuration utility should have restarted the Windows service and automatically picked-up the new OSA account for the associated map services. May also want to check in the service workspace for the failed services to make sure they are using OSA.


-- Chris Pawlyszyn
0 Kudos
JustinConnerWR
Frequent Contributor

I just noticed that even though I confirmed AGS software is using the new domain service account. All ArcSOC.exe are running as the old user account. Republishing did not help.

0 Kudos
ChristopherPawlyszyn
Esri Contributor

Have you tried rebooting the machine yet? It should completely recycle the running processes and pick-up the new domain account, if the problem persists it may be worth opening a technical support case to dive into the behavior further.


-- Chris Pawlyszyn
0 Kudos