Registering server with Portal prior to federation?

08-07-2017 04:21 PM
CassandraFollett
New Contributor III

Trying to federate server using this guide for 10.5.1:
Federate an ArcGIS Server site with your portal—Portal for ArcGIS (10.5.x) | ArcGIS Enterprise 

Running into this issue...


"The server at 'https://[internal machine address]6443/arcgis/admin/security/config/update' returned an error. Failed to update the security configuration. Cannot update security configuration to federate with Portal as server is not registered with Portal. Could not connect to the ArcGIS Server on machine '[Internal machine address]'.The ArcGIS Server service on that machine may not be running or the machine may not be reachable at this time."

 I am a bit confused because the current documentation does not mention registering a server with Portal prior to attempting federation. Is there a step or process I am possibly missing? 

 

32 Replies
JonathanQuinn
Esri Notable Contributor

The URL you pulled up in your browser and the URL in the error message are the same, right?

Can you take a look at the Portal logs to see if there are any more detailed error messages?  Are you using a self-signed certificate for 6443?  Does the CN for the cert match the hostname you're using in the URL?  For example, in AWS, I know IP addresses are used as the hostname, so check if the certificate is issued to the IP address and that you're using the IP address for the URL.

0 Kudos
RichelleSpry
New Contributor III

Yes, they are the same URLs. Also, in AWS the CN defaults to the server name.

So I was able to federate with the following settings:

However, using the private IP locks me out of any external access to my Portal and ArcServer services. I presume these settings are still not correct, as a private IP would not work if Portal and Server were on separate machines?

AhmadAwada1
New Contributor II

Dear Jonathan,

Throughout this thread, you asked Richelle the following:

"In the error message Could not connect to the ArcGIS Server on machine '[Internal machine address], is the '[Internal machine address]' your Portal machine name?"

In my case, I am getting the above message where my internal machine address is the portal machine, which is strange!

Note that I got this error whenever trying to validate the federation between portal and server. I also got a java.net error connection timeout. Also note that all my highly available system was working fine using Microsoft NLBs until we migrated to F5 (same VIP names, no reverse proxy rules, valid SSL certificates..). 

Here is the portal log:

<Msg time="2018-04-04T12:20:43,991" type="WARNING" code="207051" source="Portal Admin" process="2620" thread="13" methodName="" machine="PRDGISWEB1.domain.local" user="" elapsed="">Validation failed for federated server 'https://prdgisapp-nlb.domain.local:6443/arcgis'.</Msg>
<Msg time="2018-04-04T12:20:43,991" type="FINE" code="207051" source="Portal Admin" process="2620" thread="13" methodName="" machine="PRDGISWEB1.domain.local" user="" elapsed="">Validation failed for federated server 'https://prdgisapp-nlb.domain.local:6443/arcgis'. Validation steps. Step1: Error: java.net.ConnectException: Connection timed out: connect.
</Msg>
<Msg time="2018-04-04T12:21:28,619" type="INFO" code="216003" source="Portal" process="1728" thread="1" methodName="" machine="PRDGISWEB1.domain.local" user="" elapsed="">HA: Node prdgisweb1.domain.local is configured to be master.</Msg>
<Msg time="2018-04-04T12:21:28,619" type="INFO" code="216004" source="Portal" process="1728" thread="1" methodName="" machine="PRDGISWEB1.domain.local" user="" elapsed="">HA: Monitoring the standby nodes.</Msg>
<Msg time="2018-04-04T12:22:07,710" type="DEBUG" code="9999" source="Portal Admin" process="2620" thread="13" methodName="" machine="PRDGISWEB1.domain.local" user="" elapsed="">java.lang.RuntimeException: java.net.ConnectException: Connection timed out: connect
</Msg>
<Msg time="2018-04-04T12:22:07,710" type="WARNING" code="207051" source="Portal Admin" process="2620" thread="13" methodName="" machine="PRDGISWEB1.domain.local" user="" elapsed="">Validation failed for federated server 'https://prdgisapp-nlb.domain.local:6443/arcgis'.</Msg>
<Msg time="2018-04-04T12:22:07,710" type="FINE" code="207051" source="Portal Admin" process="2620" thread="13" methodName="" machine="PRDGISWEB1.domain.local" user="" elapsed="">Validation failed for federated server 'https://prdgisapp-nlb.domain.local:6443/arcgis'. Validation steps. Step1: Error: java.net.ConnectException: Connection timed out: connect.
</Msg>
<Msg time="2018-04-04T12:22:29,50" type="INFO" code="216003" source="Portal" process="1728" thread="1" methodName="" machine="PRDGISWEB1.domain.local" user="" elapsed="">HA: Node prdgisweb1.domain.local is configured to be master.</Msg>
<Msg time="2018-04-04T12:22:29,50" type="INFO" code="216004" source="Portal" process="1728" thread="1" methodName="" machine="PRDGISWEB1.domain.local" user="" elapsed="">HA: Monitoring the standby nodes.</Msg>
<Msg time="2018-04-04T12:23:29,701" type="INFO" code="216003" source="Portal" process="1728" thread="1" methodName="" machine="PRDGISWEB1.domain.local" user="" elapsed="">HA: Node prdgisweb1.domain.local is configured to be master.</Msg>
<Msg time="2018-04-04T12:23:29,701" type="INFO" code="216004" source="Portal" process="1728" thread="1" methodName="" machine="PRDGISWEB1.domain.local" user="" elapsed="">HA: Monitoring the standby nodes.</Msg>
<Msg time="2018-04-04T12:24:30,193" type="INFO" code="216003" source="Portal" process="1728" thread="1" methodName="" machine="PRDGISWEB1.domain.local" user="" elapsed="">HA: Node prdgisweb1.domain.local is configured to be master.</Msg>
<Msg time="2018-04-04T12:24:30,194" type="INFO" code="216004" source="Portal" process="1728" thread="1" methodName="" machine="PRDGISWEB1.domain.local" user="" elapsed="">HA: Monitoring the standby nodes.</Msg>

0 Kudos
JonathanQuinn
Esri Notable Contributor

Do you have a privatePortalURL set for Portal? If not, on the Server machine, can you reach https://portal.domain.com:7443/arcgis/sharing/rest/?

0 Kudos
AhmadAwada1
New Contributor II

Hi Jonathan, yes I have a privatePortalURL set for portal and the webcontext URL looks as follows:

{"WebContextURL":"https://publicname.domain.com/portal","privatePortalURL":"https://prdgisweb-nlb.domain.local:7443/arcgis"}

Regarding whether I can access sharing/rest from arcgis server, the answer is yes.

0 Kudos
AhmadAwada1
New Contributor II

Something else, here are the ArcGIS Server logs (note that all SSL communication is green on both IIS and Tomcat servers):

<Msg time="2018-04-04T19:24:44,781" type="DEBUG" code="9999" source="Admin" process="11076" thread="14" methodName="" machine="PRDGISAPP3.domain.local" user="" elapsed="">Token is not a valid Admin token. Trying portal token next. Token = cT8ja3ll9PPwQhCKU6efXQi4CxTjZZimUPv0RMPGv1JoUNeSUfXXGaKt80IHxr_94aSUjsUFWbMHuFnjc250ngMOTYrnyM3XQ5makg7zpJXLMh_rh_x0VgtlcmHGOkls1VZo77IHNb9aJn58LSwQkC8Uz5a-uMGAKXkbh8iGKOlXQN5YjdhVeNiZxkFgOL0Shd6MN87YykGe0ng7BKbRMYwwDzy19n6YtxubeEM_p5smGx0vwqmAz7B8lXpBT28OwDL0Yn1idL1VfuXmxy1qzw.., referrer = https://prdgisapp-nlb.domain.local:6443/arcgis/manager/Could not decrypt token. Token may not be valid.</Msg>
<Msg time="2018-04-04T19:24:47,789" type="DEBUG" code="9999" source="Admin" process="11076" thread="14" methodName="" machine="PRDGISAPP3.domain.local" user="" elapsed="">Token is not a valid Admin token. Trying portal token next. Token = cT8ja3ll9PPwQhCKU6efXQi4CxTjZZimUPv0RMPGv1JoUNeSUfXXGaKt80IHxr_94aSUjsUFWbMHuFnjc250ngMOTYrnyM3XQ5makg7zpJXLMh_rh_x0VgtlcmHGOkls1VZo77IHNb9aJn58LSwQkC8Uz5a-uMGAKXkbh8iGKOlXQN5YjdhVeNiZxkFgOL0Shd6MN87YykGe0ng7BKbRMYwwDzy19n6YtxubeEM_p5smGx0vwqmAz7B8lXpBT28OwDL0Yn1idL1VfuXmxy1qzw.., referrer = https://prdgisapp-nlb.domain.local:6443/arcgis/manager/Could not decrypt token. Token may not be valid.</Msg>
<Msg time="2018-04-04T19:24:50,784" type="DEBUG" code="9999" source="Admin" process="11076" thread="14" methodName="" machine="PRDGISAPP3.domain.local" user="" elapsed="">Token is not a valid Admin token. Trying portal token next. Token = cT8ja3ll9PPwQhCKU6efXQi4CxTjZZimUPv0RMPGv1JoUNeSUfXXGaKt80IHxr_94aSUjsUFWbMHuFnjc250ngMOTYrnyM3XQ5makg7zpJXLMh_rh_x0VgtlcmHGOkls1VZo77IHNb9aJn58LSwQkC8Uz5a-uMGAKXkbh8iGKOlXQN5YjdhVeNiZxkFgOL0Shd6MN87YykGe0ng7BKbRMYwwDzy19n6YtxubeEM_p5smGx0vwqmAz7B8lXpBT28OwDL0Yn1idL1VfuXmxy1qzw.., referrer = https://prdgisapp-nlb.domain.local:6443/arcgis/manager/Could not decrypt token. Token may not be valid.</Msg>
<Msg time="2018-04-04T19:24:51,951" type="DEBUG" code="9999" source="Rest" process="11076" thread="14" methodName="" machine="PRDGISAPP3.domain.local" user="" elapsed="">In RServlet</Msg>
<Msg time="2018-04-04T19:24:51,951" type="DEBUG" code="9999" source="Rest" process="11076" thread="14" methodName="" machine="PRDGISAPP3.domain.local" user="" elapsed="">In RServlet</Msg>
<Msg time="2018-04-04T19:24:51,953" type="DEBUG" code="9999" source="Rest" process="11076" thread="14" methodName="" machine="PRDGISAPP3.domain.local" user="" elapsed="">In AdminSecurityPreHandler</Msg>
<Msg time="2018-04-04T19:24:51,953" type="DEBUG" code="9999" source="Rest" process="11076" thread="14" methodName="" machine="PRDGISAPP3.domain.local" user="" elapsed="">In AdminSecurityPreHandler</Msg>
<Msg time="2018-04-04T19:24:51,953" type="DEBUG" code="9999" source="Rest" process="11076" thread="14" methodName="" machine="PRDGISAPP3.domain.local" user="" elapsed="">Handler: InfoHandler</Msg>
<Msg time="2018-04-04T19:24:51,953" type="DEBUG" code="9999" source="Rest" process="11076" thread="14" methodName="" machine="PRDGISAPP3.domain.local" user="" elapsed="">Handler: InfoHandler</Msg>
<Msg time="2018-04-04T19:24:51,958" type="DEBUG" code="9999" source="Rest" process="11076" thread="14" methodName="" machine="PRDGISAPP3.domain.local" user="" elapsed="">Time (ms): 7 (/arcgis/rest/info/healthcheck)</Msg>
<Msg time="2018-04-04T19:24:51,958" type="DEBUG" code="9999" source="Rest" process="11076" thread="14" methodName="" machine="PRDGISAPP3.domain.local" user="" elapsed="">Time (ms): 7 (/arcgis/rest/info/healthcheck)</Msg>
<Msg time="2018-04-04T19:24:53,779" type="DEBUG" code="9999" source="Admin" process="11076" thread="14" methodName="" machine="PRDGISAPP3.domain.local" user="" elapsed="">Token is not a valid Admin token. Trying portal token next. Token = cT8ja3ll9PPwQhCKU6efXQi4CxTjZZimUPv0RMPGv1JoUNeSUfXXGaKt80IHxr_94aSUjsUFWbMHuFnjc250ngMOTYrnyM3XQ5makg7zpJXLMh_rh_x0VgtlcmHGOkls1VZo77IHNb9aJn58LSwQkC8Uz5a-uMGAKXkbh8iGKOlXQN5YjdhVeNiZxkFgOL0Shd6MN87YykGe0ng7BKbRMYwwDzy19n6YtxubeEM_p5smGx0vwqmAz7B8lXpBT28OwDL0Yn1idL1VfuXmxy1qzw.., referrer = https://prdgisapp-nlb.domain.local:6443/arcgis/manager/Could not decrypt token. Token may not be valid.</Msg>
<Msg time="2018-04-04T19:24:54,859" type="SEVERE" code="9000" source="Rest" process="11076" thread="14" methodName="" machine="PRDGISAPP3.domain.local" user="" elapsed="">Error performing query operation Wait time of the request

0 Kudos
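An added example, not part of the original posts and not Esri code: a small parser for the `<Msg>` log format pasted above that redacts `Token = ...` values before an excerpt is shared and groups federation validation failures (code 207051) by target URL and exception. The sample lines are constructed, the host names are placeholders, and the `network`/`tls`/`other` labels are this example's own classification.

```python
"""Triage ArcGIS Portal/Server log excerpts (added example, constructed data)."""
import re
from collections import Counter

# One record looks like: <Msg time=".." type=".." code=".." ...>text</Msg>
# The lookahead also ends a record at the next <Msg or at end of input, so a
# paste that was cut off mid-record still parses.
MSG_RE = re.compile(r'<Msg\s+(?P<attrs>[^>]*)>(?P<text>.*?)(?=</Msg>|<Msg\s|\Z)', re.S)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
TOKEN_RE = re.compile(r'(Token = )[^,\s]+')
VALIDATION_RE = re.compile(
    r"Validation failed for federated server '([^']+)'\."
    r"\s*Validation steps\.\s*(Step\d+): Error: (\S+)")
NETWORK_ERRORS = ('ConnectException', 'SocketTimeoutException',
                  'UnknownHostException', 'NoRouteToHostException')

def redact(text):
    """Replace any logged token value with a fixed marker."""
    return TOKEN_RE.sub(r'\1[REDACTED]', text)

def parse_records(log_text):
    """Return one dict per <Msg> record: its attributes plus redacted text."""
    records = []
    for m in MSG_RE.finditer(log_text):
        rec = dict(ATTR_RE.findall(m.group('attrs')))
        rec['text'] = redact(m.group('text').strip())
        records.append(rec)
    return records

def classify(exception_name):
    """Label the Java exception class (labels are this example's assumption)."""
    if exception_name.endswith(NETWORK_ERRORS):
        return 'network'   # TCP/DNS problem: routing, firewall, load balancer
    if 'SSL' in exception_name or 'Certificate' in exception_name:
        return 'tls'       # e.g. certificate name does not match the URL host
    return 'other'

def validation_failures(records):
    """Count (server URL, step, exception, label) for code 207051 records."""
    counts = Counter()
    for rec in records:
        m = VALIDATION_RE.search(rec['text'])
        if rec.get('code') == '207051' and m:
            url, step, exc = m.groups()
            exc = exc.rstrip(':.')
            counts[(url, step, exc, classify(exc))] += 1
    return counts

# Constructed sample in the same shape as the logs in this thread.
SAMPLE_LOG = """<Msg time="2018-04-04T12:20:43,991" type="WARNING" code="207051" source="Portal Admin" machine="PORTAL1.example.internal">Validation failed for federated server 'https://gisserver.example.internal:6443/arcgis'.</Msg>
<Msg time="2018-04-04T12:20:43,991" type="FINE" code="207051" source="Portal Admin" machine="PORTAL1.example.internal">Validation failed for federated server 'https://gisserver.example.internal:6443/arcgis'. Validation steps. Step1: Error: java.net.ConnectException: Connection timed out: connect.
</Msg>
<Msg time="2018-04-04T12:22:07,710" type="FINE" code="207051" source="Portal Admin" machine="PORTAL1.example.internal">Validation failed for federated server 'https://gisserver.example.internal:6443/arcgis'. Validation steps. Step1: Error: java.net.ConnectException: Connection timed out: connect.
</Msg>
<Msg time="2018-04-04T19:24:44,781" type="DEBUG" code="9999" source="Admin" machine="SERVER1.example.internal">Token is not a valid Admin token. Trying portal token next. Token = CONSTRUCTEDtoken_abc-123.., referrer = https://gisserver.example.internal:6443/arcgis/manager/Could not decrypt token. Token may not be valid.</Msg>
<Msg time="2018-04-04T19:24:54,859" type="SEVERE" code="9000" source="Rest" machine="SERVER1.example.internal">Error performing query operation Wait time of the request
"""

if __name__ == '__main__':
    recs = parse_records(SAMPLE_LOG)
    for key, n in validation_failures(recs).items():
        print(n, *key)
    print(recs[3]['text'])
```

A `network` result means the Portal machine never completed a TCP connection to the server URL, so the certificate was not reached; a `tls` result is where the certificate name check comes in.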
RobertDriessen2
New Contributor III

Hi Jonathan

I am really confused about the privatePortalURL.  We are setting up high availability with portal in DMZ (let's say portal1.domain and portal2.domain - they also have web adapter installed).  There is an F5 load balancer (gis.domain) referencing portal1.domain and portal2.domain.

ArcGIS server is inside the firewall (server1.domain and server2.domain (with web adapters)) and there is a load balancer for these arcgisserver.domain.

We have successfully set up Active Directory on the portals.  We have successfully federated the servers (via arcgisserver.domain).  But once federated we can no longer access the server manager https://server1.domain:6443/arcgis/manager or https://arcgisserver.domain:6443/arcgis/manager.  I get a perpetual please wait message with nothing in the logs to indicate the problem. If I unfederate then I regain access.

So now I am checking everything.  In this scenario should the 

privatePortalURL="https://gis.domain:7443/arcgis"  (address to f5 for portals)

or

privatePortalURL="https://arcgisserver.domain:7443/arcgis"  (address to f5 for servers)

Note we are using the same default web adapter context (arcgis) on all web adapters.

Any help appreciated as we seem to have reached an impasse on this one.

0 Kudos
JonathanQuinn
Esri Notable Contributor

What URL did you use as the Admin URL during federation?  That's the only URL that you'll be able to use to access Server Manager.  Portal uses OAuth and once you federate, Portal will record the Admin URL as a URL that can be used for OAuth authentication.  The internal machine URLs won't work anymore. We're hoping to fix that in later releases of the software.

In regards to your comment that you're using the same web adaptor context for all web adaptors, are you using a different web adaptor for Portal and Server? You'll see unexpected results and your deployment likely won't fully work if you use the same one:

Common problems and solutions—Portal for ArcGIS (10.5.x) | ArcGIS Enterprise 

The privatePortalURL should be a URL that balances traffic between the Portals and is able to check the health of the Portals so it's not sending requests to a downed machine.  It'll be https://f5.domain.com:7443/arcgis, and within your F5, you'll have the pool of machines running Portal.  It can even be https://f5.domain.com/arcgis or even a custom context as long as you're handling the redirection and port translation.  If you can reach the Sharing API through the URL, you're good to set it as the privatePortalURL.

0 Kudos
OscarDiago_Alonso
New Contributor III

Good morning!

I'm having the same problem as the original poster. We have two machines:

- ArcGIS Portal + Web Adaptor

- ArcGIS Server + Web Adaptor + ArcGIS Data Store

From the first one I can access the Server, but I can't access the Portal machine from the Server one. Is that the problem? Should I contact the tech department to ask them to enable the communication from the Server machine to the Portal machine?

And another question: do I have to share the folders (arcgisserver, arcgisportal, arcgisdatastore) as well?

Thanks for any help provided!

0 Kudos
JonathanQuinn
Esri Notable Contributor

The privatePortalURL can be used to resolve issues where the Server can't reach the portal through the machine URL:

Ex.

https://portal.domain.com:7443/arcgis/sharing/rest

If you have a machine that can help facilitate that communication, install the web adaptor or set up a reverse proxy on that machine and then set the privatePortalURL to that URL so Server can communicate with the Portal through that additional machine. The Portal will communicate with  the Server through the Admin URL, so that's something else to think about. You could just ask your IT staff to resolve the problem, though...

You don't need shared folders if you aren't creating a multi-machine site or an HA portal.