Why am I getting this error: Failed to validate user credentials for the user... Failed to return user store?

06-23-2016 11:36 AM
JaniceBaird
Occasional Contributor II

I have ArcGIS for Server 10.3.1 installed on a vm with Windows Server 2012. I am using a Web Adaptor on my web server which is on a different machine. I am using Active Directory for my user store, ArcGIS authentication and roles. This is an intermittent error meaning sometimes my credentials work and sometimes they don't! Here is a screen capture of the error in ArcGIS Server Manager. We do not have HTTPS set up.

This problem happens when I try to log into ArcGIS Server Manager. I enter my credentials and get an error that says my username and password are not correct. I hit the Login button again and get the same thing. I get in after 2 or 3 or more tries but I do get in without reentering my credentials so they are correct. Here is a screen capture of the error:

I also have some secured services that go through a proxy to display for the public website. Sometimes my users are challenged for credentials and sometimes they are not. This process uses a proxy but displays the same error in the log file so I believe it is the same issue. The proxy does not use the Active Directory because I have local user credentials in the proxy.

I have discussed this with ESRI technical support and the answer is that there is a communication issue between my Active Directory server and my ArcGIS Server. That is just great but I cannot find it and I have been looking and my IS folks have been looking!

Has anyone else run into this issue? Has anyone solved it? Are there any suggestions on how to troubleshoot this?

Thanks,

Janice.

0 Kudos
9 Replies
RebeccaStrauch__GISP
MVP Emeritus

Janice, I have no answer (I have not seen this issue), but I do have a question for you re: your use of a local account in your proxy, vs. an AD account. I did not know that would work. Other than using 10.2.2, we have a very similar setup.

In the proxy.config, which I assume is on the machine with the Web Adaptor, do you then use the "machinename\user" or ".\user" to create the token?

If I get that figured out, I can then test to see if it breaks the Manager login for me.  One thing I do know is, if I go to

     http://localhost:6080/arcgis/manager

it works, but if I go directly to

     http://localhost:6080/arcgis/manager/login.html

it usually doesn't.  That is my only suggestion to check.

0 Kudos
JaniceBaird
Occasional Contributor II

Hi Rebecca,

I am using the arcgis server primary site administrator in the proxy.config. This is the only account that I was able to get to work and that was with the help of esri technical support.

Thanks,

Janice.

RebeccaStrauch__GISP
MVP Emeritus

Thanks Janice.  I just confirmed that with tech support also.  That isn't an account I want to use in our proxy config, so I'm back to using my domain service account (with restricted privileges). The proxy stuff can be pretty confusing, but it was time for me to upgrade from version 0.9 

re: your issue, again, I don't know how to solve it....but maybe there is a timeout value in there somewhere that you can increase? I know for our remote users using the license manager, we have to add a system variable that gives them that extra millisecond that is needed for the AD to connect. And of course this is NOT what will work....but maybe it will spark a thought as to what/where a timeout might be

just to repeat (for someone just skimming) that is not the timeout setting for server, but for the Desktop license manager...just as a comparison.

0 Kudos
RebeccaStrauch__GISP
MVP Emeritus

Janice...I followed you so you can send me a direct message. I have some info I wanted to share with you from tech support.

0 Kudos
JaniceBaird
Occasional Contributor II

I sent you a message! Will check back next week!

RebeccaStrauch__GISP
MVP Emeritus

I'll send you some specifics in DM, but here is a summary of some things to check..

Make sure the password for the account you have doing the AD validation for ArcGIS Server has not expired. I always get weird results when this happens. If you can have your network services folks set up a “service account”, that doesn’t continually have to be changed, that helps. I don’t think any of those validation locations (Windows services, AD validation, token creation) take anything more than user level access, as long as your service security allows “any logged in domain user”. (paraphrased)

If all goes well, you should NOT need the “domain\” in front of your user name….at least in 10.2.x

Chris Smith has a question that might be a good cross-reference to this: DotNet Proxy - Random login prompts

0 Kudos
MattPartridge
New Contributor

Hi Janice, I'm having the same problem - same symptoms and everything.  What did you do to correct the issue on your end?

0 Kudos
JaniceBaird
Occasional Contributor II

Hi Matt,

No solution! I am still hoping that someone will figure it out sooner or later!

Janice.

0 Kudos
JaniceBaird
Occasional Contributor II

Today I have removed the security from my image services and stopped using the proxy... the login dialog has been terrorizing my users for over 3 months with no solution other than not using security this way.

If anyone finds a real solution, please let me know!

Thanks,

Janice.

0 Kudos