Select to view content in your preferred language

Publishing a service (A tale of two users)

4769
7
Jump to solution
08-11-2015 11:35 AM
RandallClark2
Frequent Contributor

So i have two users; arcgis_db and AD\raclark, one can publish a service the other can not.

It all goes fine till i get to the 'service editor' screen and click 'analyze'. One user, arcgis_db comes back clean and ready to go the other user AD\raclark gets the dread 00179 error 'layers data source must be registered' however the the database i am using is registered with my ArcGIS Server site.

When i look at the server logs i see this...

Server Log

Message:Target:Machine:Code:Method Name:
The connection property set was missing a required property or the property value was unrecognized. Underlying DBMS error[[Microsoft][ODBC Driver 11 for SQL Server][SQL Server]Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.No extended error.]" DataValidator.GPServerAFGIS.AD.FULLERTON.EDU-1ValidateServerDataStore.Execute

So i can not figure it out. one user can publish a service the other user can not and it stalls out when it comes to registering data with the server.

So what is about the users that is causing this?

arcgis_db is mapped to the 'public' and 'sysadmin' server roles; it is also mapped to the 'Facilities' database as 'db_owner'. So it is the dbo and and 'sysadmin'. its also SQL server authenticated login.

AD\raclark is a mapped to the 'public' server role; he is also mapped to the 'Faclities' database as 'public' and 'data_editor' role (data editor role is given SELECT, INSERT, UPDATE, DELETE privileges on each of the feature datasets / feature classes in the database). He is OS authenticated login.

Also...

SQL Server, Windows Server 2012R, drivers are current and correct, arcgis 10.3, arcgis server 10.3

Solved!

It had to do with how the AGS (ArcGIS Server) account was set up. The AGS is a local account not a AD account, because of this it uses db authentication not OS authentication. And all accounts that have to register data with the server have to use the same authentication as the AGS account.

So because the AGS account (in this case) is db authentication all accounts that are going to register data with the server have to use the same db authentication method.

So since my named account was using OS it would not be able to register anything with the server.

in summary

AGS uses db authentication then the users have to use db authentication, AGS uses OS authentication then the users have to use OS authentication.

A very important point to make and consider when setting up the AGS account.

1 Solution

Accepted Solutions
RandallClark2
Frequent Contributor

So figured it out (and will update the post accordingly) but It had to do with how the AGS (ArcGIS Server) account was set up. The AGS is a local account not a AD account because of this it use db authentication not OS authentication. So because the AGS account is db authentication all accounts that are going to register data with the server have to use the same authentication mode as the AGS account when connecting to the database, in this case db authentication.

So since my named account was using OS it would not be able to register anything with the server.

in summary

AGS uses db authentication then the users have to use db authentication, AGS uses OS authentication then the users have to use OS authentication.

A very important point to make and consider when setting up the AGS account.

View solution in original post

7 Replies
JakeSkinner
Esri Esteemed Contributor

Hi Randall,

When you register a database as a data store, it uses the database credentials you are connected and stores this information with the data store.  So, in this case you would need to create to data stores:

1.  When you are connected as 'arcgis_db'

2.  And another when you are connected as 'AD\raclark'

RandallClark2
Frequent Contributor

Hi jake,

Thanks for the response so i went in to ArcGIS Sever Manager to register my database (quicker and easier) and did one for my 'arcgis_db' user using the .sde file for his connection, it worked fine.

I then tried to that for the other user 'AD\raclark' using his .sde file and still the same error " The login is from an untrusted domain and cannot be used with Windows authentication"

0 Kudos
JakeSkinner
Esri Esteemed Contributor

Make sure your ArcGIS Server Account user (i.e. arcgis) is added to the database and has read/write privileges to the data.

0 Kudos
RandallClark2
Frequent Contributor

Hi Jake,

The server account is added to the database. Its mapped to the 'sysadmin' role in the server to ensure that it has the right privileges.

0 Kudos
JakeSkinner
Esri Esteemed Contributor

I ran into a similar issue last week.  Make sure the arcgis server account is mapped to the database as well.  Even though it has sysadmin privileges, this fixed the issue I ran into.

screen1.PNG

RandallClark2
Frequent Contributor

Hi Jake,

I double checked and the 'arcgis' account is mapped to that database.

0 Kudos
RandallClark2
Frequent Contributor

So figured it out (and will update the post accordingly) but It had to do with how the AGS (ArcGIS Server) account was set up. The AGS is a local account not a AD account because of this it use db authentication not OS authentication. So because the AGS account is db authentication all accounts that are going to register data with the server have to use the same authentication mode as the AGS account when connecting to the database, in this case db authentication.

So since my named account was using OS it would not be able to register anything with the server.

in summary

AGS uses db authentication then the users have to use db authentication, AGS uses OS authentication then the users have to use OS authentication.

A very important point to make and consider when setting up the AGS account.