Registering server with Portal prior to federation?

08-07-2017 04:21 PM
CassandraFollett
New Contributor III

Trying to federate server using this guide for 10.5.1:
Federate an ArcGIS Server site with your portal—Portal for ArcGIS (10.5.x) | ArcGIS Enterprise 

Running into this issue...


"The server at 'https://[internal machine address]6443/arcgis/admin/security/config/update' returned an error. Failed to update the security configuration. Cannot update security configuration to federate with Portal as server is not registered with Portal. Could not connect to the ArcGIS Server on machine '[Internal machine address]'.The ArcGIS Server service on that machine may not be running or the machine may not be reachable at this time."

 I am a bit confused because the current documentation does not mention registering a server with Portal prior to attempting federation. Is there a step or process I am possibly missing? 

 

32 Replies
MichelleSookhun
New Contributor

Hello Jonathan,

I am running into issues also when trying to federate a HA gisserver site (2 server deployment) to a HA portal.

The HA gisserver site was set up with S1 and S2, these were joined and webadaptors for both gisservers were installed. I have read that the webadaptors were not necessary in the case of federation, but they have already been installed. Do I need to remove these?

The gisserver URLs for service and admin for both gisservers resolve in a browser.

( https://S1.domain.com/arcgis & https://S1.domain.com:6443/arcgis; https://S2.domain.com/arcgis & https://S2.domain.com:6443/arcgis  => all resolve in a browser)

Furthermore the HA portal was set up using p1 and p2 and these were joined. w1 and w2 were installed. Context name is portal.

Microsoft Loadbalancer is used to set up LB1. The webcontexturl was set in portaladmin to point to LB1 (https://LB1.domain.com/portal)

The portal home and admin pages resolve.

https://LB1.domain.com/portal and https://LB1.domain.com/portal/portaladmin

The requirement is to have the HA gisserver site federated to the HA portal and set this as a hosting server.

These are the steps which were taken:

1. A second loadbalancer (LB2) was set up, using Microsoft LB. (is practically set up just the same as LB1)

2. In portaladmin the PrivatePortalURL was set to point to the second loadbalancer (https://LB2.domain.com:7443/portal)

I now need to federate the HA gisserversite, but I need a Service URL and Admin URL to point to where both S1 and S2 are accessible in the event one of these fails.

So I used the following to federate within https://LB1.domain.com/portal/home:

Service URL => https://LB1.domain.com/arcgis

Service Admin URL => https://LB1.domain.com:6443/arcgis

Both of them resolve in a browser, but federation just returns an error stating that https://LB1.domain.com:6443/arcgis is not accessible.

Ports 6443 & 7443 have also been set in Windows firewall as inbound and outbound rules.

What am I missing?

Thanks

Michelle

0 Kudos
JonathanQuinn
Esri Notable Contributor

Seems like things are set correctly.... the web adaptors for Server aren't necessary unless you want IWA on the Server side as well as the Portal, which is supported at 10.6. If you federate with Portal logging DEBUG logs, do you see any errors?

Can you open this URL:

https://lb1.domain.com/portal/sharing/checkUrl.jsp?url=https://lb1.domain.com/6443/arcgis/admin

That would tell you if Portal can reach the URL you're providing. If it can't, (the response code won't be a 200), then the Portal logs should indicate the problem.

0 Kudos
MichelleSookhun
New Contributor

Jonathan,

I checked the following URL

https://lb1.domain.com/portal/sharing/checkUrl.jsp?url=https://lb1.domain.com/6443/arcgis/admin

Here is the result:


ArcGIS Server, Datastore and Portal service are all started..

Here a snippet from the logs

Michelle

0 Kudos
SzymonPiskula1
New Contributor III

Hi Michelle,

When I look at this quote from  your post:

"In portaladmin the PrivatePortalURL was set to point to the second loadbalancer (https://LB2.domain.com:7443/portal"

I actually think it should be https://LB2.domain.com:7443/arcgis 

If you load balance traffic over port 7443 then your context is arcgis, not your webadaptor's "portal"

MichelleSookhun
New Contributor

Hi Szymon/Jonathan,

I changed the PrivatePortalURL to https://LB2.domain.com:7443/arcgis.

I restarted portal service.

I tried federating again:

First with https://LB1.domain.com/arcgis and https://LB1.domain.com:6443/arcgis

Second with https://LB2.domain.com/arcgis and https://LB2.domain.com:6443/arcgis

Neither ADMIN URL was accessible when trying to federate. Getting the same error; however, both resolve in a browser.

I also checked the following URL

https://lb1.domain.com/portal/sharing/checkUrl.jsp?url=https://lb1.domain.com/6443/arcgis/admin

Here is the result:

ArcGIS Server, Datastore and Portal service are all started..

Kind Regards,

Michelle

0 Kudos
SzymonPiskula1
New Contributor III

Are your SSL certificates OK? Do you get errors/warnings in browser when you examine the URLs? Try IE/FF/Chrome, perhaps one of them will complain?

0 Kudos
MichelleSookhun
New Contributor

Hi Szymon,

We are using SelfSigned cert, since we are working through the setup yet. Does this have an impact on the federation?

I can reach https://LB1.domain.com:7443/arcgis/sharing/rest, however this just resolves in https://S1.domain.com:7443/arcgis/sharing/rest in IE/Chrome/FF => opens the gisserver1 page.. Is this normal?

I can also reach https://LB2.domain.com:7443/arcgis/sharing/rest

Federation in IE/Chrome/FF: => all just keep returning the very same error:

First with https://LB1.domain.com/arcgis and https://LB1.domain.com:6443/arcgis

Second with https://LB2.domain.com/arcgis and https://LB2.domain.com:6443/arcgis

Here a snippet from the logs generated:

I’m not sure what else I am missing..

Michelle

0 Kudos
SzymonPiskula1
New Contributor III

Looking more, I think you got your LBs mixed up:

Once you write that LB1 is for Portal: "https://LB1.domain.com/portal and https://LB1.domain.com/portal/portaladmin"

Then I can see this: "Both of them resolves in a browser, but federation just returns an error stating that https://LB1.domain.com:6443/arcgis is not accessible" <-- 6443 is Server!!!!

Then for LB2:

Once you state it's for Portal:

" A second loadbalancer (LB2) was setup, using Microsoft LB. (is practically setup just the same as LB1)"

Then you mention it in context of Server (port 6443 is Server !)

"Second with https://LB2.domain.com/arcgis and https://LB2.domain.com:6443/arcgis "

You must make sure that LBs are used in the right order and purpose.

Make sure LB1 is pointing at your S1 and S2

Make sure LB2 is pointing at P1 and P2

Then privatePortalUrl is https://LB2.domain.com:7443/arcgis 

And for federation use 

Service URL => https://LB1.domain.com/arcgis

Service Admin URL => https://LB1.domain.com:6443/arcgis

Remember: when you see 7443 think Portal, 6443 think Server

Also, if you see a port (7443 or 6443) in a URL then the context is always /arcgis; ignore whatever the webadaptor name is, as going via the port ALWAYS SKIPS the webadaptor and takes you directly to the service

0 Kudos
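The port and context rules from the reply above (7443 is Portal, 6443 is Server, and a URL that carries either port uses the /arcgis context), written as a small URL lint. This is an added example, not code from any poster or from Esri; the role labels and the function name `lint_url` are assumptions made for illustration, and the sample URLs are constructed from the shapes quoted in the thread.

```python
from urllib.parse import urlsplit

# Port-to-component mapping as stated in the thread: 7443 = Portal, 6443 = Server.
DIRECT_PORTS = {7443: "Portal", 6443: "Server"}

def lint_url(role, url):
    """Return findings for one URL. role is 'privatePortalUrl', 'services'
    or 'admin' (labels chosen for this example, not Esri parameter names)."""
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:
        return ["port is not a valid number"]
    segments = [s for s in parts.path.split("/") if s]
    findings = []
    # A port typed as a path segment (host/6443/...) is requested on the
    # default HTTPS port, so it never reaches the direct port.
    for seg in segments:
        if seg.isdigit() and int(seg) in DIRECT_PORTS:
            findings.append(f"{seg} is a path segment, not a port")
    if port in DIRECT_PORTS:
        component = DIRECT_PORTS[port]
        # Going via the port skips the web adaptor: context is /arcgis.
        if segments[:1] != ["arcgis"]:
            findings.append(f"port {port} bypasses the web adaptor; context must be /arcgis")
        expected = "Portal" if role == "privatePortalUrl" else "Server"
        if component != expected:
            findings.append(f"port {port} is {component}, but {role} should reach {expected}")
    return findings

# Constructed input: URL shapes taken from the posts above.
SAMPLE = [
    ("privatePortalUrl", "https://LB2.domain.com:7443/portal"),
    ("privatePortalUrl", "https://LB2.domain.com:7443/arcgis"),
    ("services", "https://LB1.domain.com/arcgis"),
    ("admin", "https://LB1.domain.com:6443/arcgis"),
    ("admin", "https://lb1.domain.com/6443/arcgis/admin"),
    ("privatePortalUrl", "https://LB2.domain.com:6443/arcgis"),
]

if __name__ == "__main__":
    for role, url in SAMPLE:
        print(f"{role:17} {url}\n    -> {lint_url(role, url) or 'ok'}")
```

The lint only checks the shape of each URL; it cannot tell which machines a load balancer name actually forwards to, so the LB1/LB2 targets still have to be verified on the load balancer itself.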
MichelleSookhun
New Contributor

Hi Szymon,

Ok, just to recap in order for me to have a clear understanding

I used the steps from

https://enterprise.arcgis.com/en/portal/10.5/administer/windows/configuring-a-highly-available-portal.htm

At Step 5 => The first Loadbalancer was mentioned.

Windows Loadbalancer was used to first configure LB1 (gisportal).

This is https://gisportal.domain.com

I set the webcontexturl to https://gisportal.domain.com/portal

We then intended to share https://gisportal/portal/home . This works fine.

Now at Step 8 an Internal Loadbalancer was needed to set the PrivatePortalURL

This was created the same way as LB1 using Windows Load Balancer software.

This became https://portalcls.domain.com

In portaladmin I set the PrivatePortalURL to https://portalcls.domain.com:7443/arcgis (using arcgis instead of portal as you had suggested)

All of these URLS resolve in a browser

Now when I tried federation =>

Service URL => https://LB1.domain.com/arcgis (https://gisportal.domain.com/arcgis)

Service Admin URL => https://LB1.domain.com:6443/arcgis (https://gisportal.domain.com:6443/arcgis)


It just returns that it's not accessible…

0 Kudos
JonathanQuinn
Esri Notable Contributor

As long as the checkUrl request to your admin URL fails, (returns -1 for the status), you won't be able to federate. Sign onto the Portal machines as the user running the Portal service account and try to get to the admin URL as that user. It may be proxy related, or certificate related if the certificate is mismatched. Check the logs in Portal. You can use the same services URL as the admin URL if you want, there's no issue in doing so.

0 Kudos