WAB Token Expiration

03-21-2019 01:05 PM
BrianLeroux
Regular Contributor

Hi All-

I have a new Portal configured and I am trying to get my first WAB app working properly. It seems that when I open the app it requests a token but only gets a 30 minute token. Once that expires the secured layer in my map stops functioning and no request for an updated token is ever requested. I then have to refresh the map every 30 minutes to keep things functioning. System config below. Let me know if anyone has any ideas.

ArcGIS Enterprise 10.6.1 with Portal federated. 

Secured with Windows Auth Web authentication

Short-term token set to 7,200 minutes (5 days)

Long term tokens set for 7 days

Thanks,

BrianWilson3
New Contributor III

I logged this bug over a year ago with 10.6. I now have the same setup as you, 10.6.1, federated AGS, IWA and still see the issue on 10.6.1. I haven't tried 10.7 yet but would bet money the bug is in there as well. #BUG-000112228 if you would like to see it. Hopefully ESRI will figure this bug out as it's making my Portal WAB maps unusable.

BrianLeroux
Regular Contributor

I got word that this is fixed in 10.7 which should be released early July.

BrianWilson3
New Contributor III

10.7 has been released. Is this in a later release? Also, thanks for letting me know, this thing is killing me.

BrianLeroux
Regular Contributor

I didn't realize 10.7 was available already. The wording I was sent was a bit confusing. I need to get further clarification.

"...the issue has been resolved and addressed in ArcGIS Enterprise 10.7 and ArcGIS Online. That being said – you wouldn’t notice the fix until you upgraded and once they roll out 10.7 unless we submit a hot fix request through Support – I believe the next roll out is just before User Conference in July..."

BrianWilson3
New Contributor III

Strange, sounds like maybe they won’t roll out a hot fix until July. I plan to upgrade our Portal to 10.7 as soon as I can get our SQL box upgraded to 2014 SP3 (currently on 2014 SP2). At that point I can let you know if it's fixed.

BrianLeroux
Regular Contributor

Well, bad news. After upgrading to 10.7, the token being issued is still stuck at 30 minutes despite changing the settings. Trying to contact support again to take another look. Will also be looking to see if switching to ADFS will help.

BrianWilson3
New Contributor III

That's a bummer, been an issue since 10.5. Surely they can patch this?

BrianWilson3
New Contributor III

Just a heads up for everyone experiencing this issue that it does appear to be at least partially fixed. After complaining to support that it was not fixed in 10.7 or 10.7.1 and doing some troubleshooting we found what appears to be a promising result. If you upgraded from 10.5, 10.6, 10.6.1 to 10.7, 10.7.1 the 30-minute timeout is still hidden in the background somewhere. To fix this I simply had to open up the token settings in AGS and update, save to reapply them. After that I'm seeing tokens last longer than 30 minutes.

Issue 2, which I'm dealing with and have a bug logged for, is the OpsDashboard timing out after 30 minutes. It appears the tokens for that are still expiring at the 30 minute mark, causing the OpsDashboard to prompt for sign-ins for each data source even though IWA and SSO are enabled.

BrianFausel
Occasional Contributor III

Here is our experience with this problem:


Software Environment

  • ArcGIS Enterprise 10.7.1 Portal + Server federated (fresh install, not upgrade)
  • Single machine install
  • Integrated Windows Authentication (IWA) enabled, Windows Server 2016


Timeout happens when we use the Portal for ArcGIS Operations Dashboard or Web AppBuilder. Initial load is successful without user prompt via IWA. Thereafter, every 30 minutes users are prompted to "Sign In," which they often have to click multiple times, then it eventually goes away. Alternatively they can refresh the browser.


Originally we were attached to #BUG-000124152: "Server tokens generated by Portal for ArcGIS does not respect the ArcGIS Server’s token expiration settings if Portal for ArcGIS is configured with Integrated Windows Authentication (IWA)." This bug was recently marked "Not in Current Product Plan" and referred us to a separate bug.


Now we are attached to the other #BUG-000127276: "When accessing a secured service from a federated server through Map Viewer or Web AppBuilder for ArcGIS in Portal for ArcGIS 10.6.1 using Integrated Windows Authentication (IWA), the service token fails to regenerate automatically and causes the service to become blank when the token expires." But this bug is logged as "Implemented in 10.7," and in our case it does not seem to be fixed in our 10.7.1 environment.


I did try changing the token setting in ArcGIS Server Manager and that did not work for us either.

 

Sidenote - If we use ArcGIS Online Operations Dashboard or Web AppBuilder with our IWA-secured Enterprise map services we do not see the timeout.

BTW: I guess this is a "Brian" issue
