GEP 10.2.1 Datastore - Cannot register AGS w/ Windows AD & non-public services

01-16-2014 10:01 AM
DennisGeasan
Occasional Contributor II
This is related to an earlier thread where I cannot register an ArcGIS server data store. 

The ArcGIS Server data store I'm trying to register is configured as follows:
Machine: Windows Server 2008 R2
ArcGIS Server: 10.2.1
AGS Security: Windows for Users and Roles with the 'Web' (Web Adapter) used for the Authentication Tier and Mode;
Map Services Permissions:  Root level - set to 'Private'.

With the above configuration on the AGS machine I cannot register it in 10.2.1 GEP. If I change the root level permissions on the AGS machine to 'Public' then I can register it in GEP. If I set the root level to 'Private' and then change the permissions on a folder to public, then I CAN register the AGS machine in GEP.

It is required at this site that all map service permissions be private.  How do I accomplish that with the new version of GEP? I tried defining tokens but that doesn't work.

Dennis Geasan
15 Replies
RJSunderman
Esri Regular Contributor

So why is it that the geoevent Extension stops after 4-6 hours?

There was an issue we observed, primarily with updating feature services hosted via ArcGIS Online in the 10.3 release. A few users also observed the issue using local feature services they had published to their on-premises Server. The symptom was that GeoEvent would appear to be receiving and processing data (its event counters would increment), but updates to features through a feature service would stop after a variable length of time. We usually found messages in the karaf.log with the text Error: null response or Error Posting to URL ... java.io.IOException: null respons when this specific issue would manifest. The issue was addressed with the 10.3 Patch 1 for GeoEvent, available here from Esri Support.

I am not sure if the issue was actually present in earlier releases (10.2.x).  In any case, I'd encourage you to upgrade to the 10.3.1 release which should be publicly available in just a couple of weeks (13-May 2015). The focus for 10.3.1 was on improving the product's stability, however, we did complete a product enhancement with regard to registering an ArcGIS Server connection as a GeoEvent Data Store. You can now specify whether you want to use a token for authentication or if you want to use web-tier authentication and provide a username / password when registering a GeoEvent Data Store. This is new at the 10.3.1 release.

If we connect to server 2 with the direct URL then we get the error below, probably due to a certificate error.

  Invalid URL: Please provide a valid url for example: http://<hostname>:<port>/arcgis

There were enhancements in the area of security certificates introduced in both the 10.3 and 10.3.1 releases. GeoEvent should trust the ArcGIS Server certificate presented by the local server on which it was installed at the 10.3 release (rather than relying on a GeoEvent self-signed certificate). With the 10.3.1 release GeoEvent will also trust any SSL certificates you have imported using the ArcGIS Server Administrator Directory.

After you've upgraded to the latest release, if you find that, after working for a period of time, feature updates stop working, you see log messages you believe are security or SSL certificate related, or need advice on configuring your enterprise's reverse proxy or web-tier authentication ... please go ahead and open new GeoNet discussion threads for the separate issues. Questions on enterprise system architecture and security configuration I will probably have to refer to Esri Tech Support. I'm better positioned to offer advice on questions concerning GeoEvent product functionality.

Best Regards -

RJ

AndreasEspersen
New Contributor III

Hi RJ,

Thanks for your feedback.

We found a workaround that has been running for almost a week now.

By making a change in the hosts file on the GEP server, we are now accessing the local server with the FS directly and not via the Web Adaptor.

In this way we avoid the bad URL and can run with security. It is not an optimal solution for us but we can wait for 10.3.1.

Thanks

Andreas

ThomasColson
MVP Frequent Contributor

Given that a large chunk of users of ArcGIS Server and GEP are being required to move to Windows AD and PKI Smart Card Auth (nothing else is allowed, period, non-negotiable, if the software doesn't take a smart card, it's getting uninstalled).......I'm wondering when ESRI plans to address the authentication issues that its customers are forced to work with.

KDeVogelaere
Occasional Contributor

I have run into a similar issue in GeoEvent Processor 10.2.2,

Machine: Windows Server 2008 R2

ArcGIS Server: 10.2.2

AGS Security: Windows for Users and Roles with the 'Web' (Web Adapter) used for the Authentication Tier and Mode

Map Services Permissions:  Folder level - set to 'Private'.

Our DataStore connections to secured ArcGIS Servers have a 365 token expiration and often several days after registering the connection it will show 'Invalid Token' and the services are in 'Error' state. I am unsure what is triggering the issue, but we've resolved this by editing the Datastore connection and re-entering the same token ID, saving the edit, and clicking 'Validate All'.

Invalid Token java.lang.Exception: Invalid Token
    at com.esri.ges.datastore.agsconnection.DefaultArcGISServerConnection.defaultValidate(DefaultArcGISServerConnection.java:571)[226:com.esri.ges.framework.datastore.agsconnection-datastore:10.2.2]
    at com.esri.ges.datastore.agsconnection.DefaultArcGISServerConnection.validate(DefaultArcGISServerConnection.java:589)[226:com.esri.ges.framework.datastore.agsconnection-datastore:10.2.2]
    at com.esri.ges.datastore.agsconnection.DefaultArcGISServerConnection.isUseable(DefaultArcGISServerConnection.java:2376)[226:com.esri.ges.framework.datastore.agsconnection-datastore:10.2.2]
    at com.esri.ges.transport.featureService.FeatureServiceInboundTransport.isArcGISConnectionConfigurationValid(FeatureServiceInboundTransport.java:401)[251:com.esri.ges.framework.transport.featureservice-transport:10.2.2]
    at com.esri.ges.transport.featureService.FeatureServiceInboundTransport.onArcGISServerConnectionStatusChange(FeatureServiceInboundTransport.java:422)[251:com.esri.ges.framework.transport.featureservice-transport:10.2.2]
    at com.esri.ges.manager.datastore.agsconnection.internal.ArcGISServerConnectionManagerImpl$1.run(ArcGISServerConnectionManagerImpl.java:236)[318:com.esri.ges.manager.internal-agsconnectionmanager:10.2.2]
    at java.lang.Thread.run(Unknown Source)[:1.7.0_51]

JavierDelgadillo
Esri Contributor

K DeVogelaere,

If you're regularly having to update tokens because they're expiring, you may consider introducing the GeoEvent Datastore Proxy into your environment.  It's a Java WebApplication designed to act as the endpoint GeoEvent communicates with, but is responsible for updating tokens when connecting to a system that requires username/password for authentication to either the WebTier or GIS Tier.

You can view the project here: Esri/geoevent-datastore-proxy on GitHub, and download the first release here: Initial Release of GeoEvent DataStore Proxy (Esri/geoevent-datastore-proxy on GitHub).

If the proxy looks like something you'd be interested in, you could submit a Tech Support incident if you need some help configuring the proxy for your environment.

-Javier

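A sketch of the token handling a proxy of this kind needs, added here as an illustration and not code from the geoevent-datastore-proxy project: it keeps one cached token, renews it shortly before it expires, and renews it again when ArcGIS Server answers with the REST token error codes 498 (Invalid Token) or 499 (Token Required), so the consumer behind it never has to be edited and re-validated by hand. The call to /arcgis/tokens/generateToken is represented by an injected callable returning {"token", "expires"} (expires in epoch milliseconds), which is an assumption about the deployment; the clock is injectable so the renewal logic can be exercised offline.

```python
import json
import time
from typing import Callable, Dict

# ArcGIS REST error codes for a missing or rejected token (498 Invalid Token, 499 Token Required).
INVALID_TOKEN_CODES = {498, 499}


def is_token_error(response_body: str) -> bool:
    """True when an ArcGIS REST JSON body carries a token error instead of a result."""
    try:
        body = json.loads(response_body)
    except ValueError:
        return False
    err = body.get("error") if isinstance(body, dict) else None
    return bool(err) and err.get("code") in INVALID_TOKEN_CODES


class TokenRefresher:
    """Keeps one cached token, renewing it before expiry or when the server rejects it.

    generate: callable that requests a fresh token (e.g. from /arcgis/tokens/generateToken)
    and returns the parsed JSON {"token": ..., "expires": <epoch millis>} (assumed shape).
    clock: injectable time source so the renewal logic can be exercised offline.
    """

    def __init__(self, generate: Callable[[], Dict], clock: Callable[[], float] = time.time,
                 refresh_margin_s: float = 300.0) -> None:
        self._generate, self._clock, self._margin = generate, clock, refresh_margin_s
        self._token = ""          # no token fetched yet
        self._expires_s = 0.0     # epoch seconds at which the cached token expires
        self.refresh_count = 0    # how many times generate() has been called

    def _refresh(self) -> None:
        resp = self._generate()
        self._token = resp["token"]
        self._expires_s = resp["expires"] / 1000.0   # ArcGIS reports epoch milliseconds
        self.refresh_count += 1

    def token(self) -> str:
        """Return a token good for at least refresh_margin_s more seconds, renewing if not."""
        if not self._token or self._clock() >= self._expires_s - self._margin:
            self._refresh()
        return self._token

    def handle_response(self, body: str) -> bool:
        """Inspect a proxied response; on a token error renew the token and return True."""
        if is_token_error(body):
            self._refresh()
            return True
        return False
```

Renewing on a short margin rather than on a year-long expiration also limits how long a leaked token stays usable, which is the practical reason to let the proxy hold the credentials instead of storing a long-lived token in the data store registration.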
KDeVogelaere
Occasional Contributor

Thank you Javier for sharing this info. When you say the GeoEvent Datastore Proxy is responsible for updating tokens, do you mean re-generating new tokens for external ArcGIS Servers? Or bouncing the keep-alive tokens stored within GeoEvent Processor?

I am not convinced the tokens are expiring, using the same token as entered previously to register the ArcGIS Server is still allowing a connection and showing a valid token has been entered. Our Operations team regularly runs security patching on this server about once a month taking a full reboot after the patching is complete.  Sorry I do not have enough details to determine the cause of the 'Invalid Token' message at this time.
