Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Cancel
- Home
- :
- About RandallWilliams
RandallWilliams
Esri Regular Contributor
since
07-04-2014
a month ago
1163
Posts created
74
Kudos given
71
Solutions
808
Kudos received
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
My Ideas
(0 Idea Submissions)Latest Contributions by RandallWilliams
|
POST
|
To be clear, there are a few issues in play: We released a series of patches for ArcGIS Enterprise Sites to address a few cross site scripting issues. While the patches fixed those issues, on Windows hosts, it introduced an issue that could result in system availability challenges if additional patches or upgrades were subsequently installed. This is what prompted us to pull that patch, and it took some time to develop a fix. This is an unprecedented issue for us, and required a major engineering effort to us to release the tool that fixes this problem. At the same time, we needed to produce a new patch for ArcGIS Enterprise Sites that wouldn't introduce this issue.
... View more
12-14-2023
01:23 PM
|
0
|
0
|
3643
|
|
POST
|
Hi James, Hi Ryan, The ArcGIS Enterprise 11.1 version of this patch AND the required ArcGIS Validation and Repair tool are available. We describe the defect the original Portal for ArcGIS Enterprise Sites Security Patch introduced and also provide the download location here: https://support.esri.com/en-us/patches-updates/2023/defective-arcgis-enterprise-patch We recently updated our Portal for ArcGIS Validation and Repair tool page here: https://support.esri.com/en-us/patches-updates/2023/portal-for-arcgis-validation-and-repair We also recently updated our security advisory , which found under the Advisories section of the ArcGIS Trust Center. The specific CVEs addressed in the are documented in the advisory. Linux users are unaffected by the issues introduced by the flawed patch. Users who have not yet installed the Portal for ArcGIS Enterprise Sites Security Patch can immediately remediate the security issues that this patch resolves with an upgrade to 11.2. All of the issues that the Portal for ArcGIS Enterprise Sites Security Patch addresses require the ability for a malicious user to manage an ArcGIS Enterprise Site. Mitigation options include temporarily revoking user memberships from the Sites Core Group.
... View more
12-14-2023
09:53 AM
|
4
|
5
|
3701
|
|
BLOG
|
The Case: Our team was recently asked to assist with troubleshooting an odd set of failures when adding data hosted on ArcGIS Online to ArcGIS Pro. When adding ArcGIS Online hosted feature services to the ArcGIS Pro project, the customer received error 499: Invalid token. They were already signed into ArcGIS Online, so it didn't seem like there was an issue with the token. Pro was functioning correctly on every other host in this organization. Odd that this issue would be localized to one machine. This mystery problem was blocking acceptance of a migration, as this particular host was leveraged with some additional integrations and customizations, and the host was purchased explicitly for its designated workflow. Symptoms: ArcGIS Pro was slow to load Adding hosted feature services to a new ArcGIS Pro project failed with error "Authentication Token required (status code 499) Running previously successful scripting/geoprocessing tasks failed with ERROR 160228, "The user does not have permission to execute the operation. The customer was logged into ArcGIS Online successfully, so unless something upstream was somehow mangling an authorization token, it seemed that there was something else in play. Given the error, we needed to check to see if ArcGIS Pro was having an issue accessing an OAuth resource or perhaps some generateToken call was failing. To do that, we broke out Fiddler4. While using Fiddler to monitor the web traffic between ArcGIS Pro and ArcGIS Online while adding content, we immediately noticed that none of the CRL/OSCP links were accessible - the error was HTTP 502 (bad gateway). So what's OCSP and what's a CRL anyway? OCSP is the Online Certificate Status Protocol. It's an alternative to CRL (Certificate Revocation Link). OCSP and CRL are two of the most common ways web browsers use to check if a site’s certificate has been revoked. A CRL is a list containing serial numbers of all certificates that have been revoked by a Certificate Authority. OCSP is a protocol used to discover the revocation status of a certificate and contains signatures that assert a certificate has not been revoked. This makes it a more effective and efficient validation process, as unlike CRL it does not require a list to be downloaded to discover the status of a certificate. Why did this matter? An HTTP 502 (bad gateway) blocking these URLs is suspect. OCSP and CRL links are expected to be accessible via plaintext HTTP. After all, if a certificate is compromised, how do you validate the status of the certificate using HTTPS? The Windows crypto API won't even try to connect to a CRL or OCSP link over HTTPS. So why were these resources blocked? The answer was simple - the customer had included this host in a firewall policy that blocked all outbound plaintext HTTP - including CRL and OCSP. Organizations sometimes misinterpret PCI/DSS compliance controls to mean communication using plaintext is prohibited, but that's not the case. 1.2.1 - Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic. 1.3.4 - Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet. As long as there is a legitimate reason for this traffic (which there is - OCSP and CRL are served over plaintext), and it is limited to the specific systems and external addresses that are required (CRL and OCSP should always be on allow lists - don't miss this during your firewall log reviews) then there is no issue with sending traffic to a plaintext resource. It seems like ArcGIS Pro didn't handle blocked connections to OCSP and CRL links well and threw a misleading error message when it could not get past the failed certificate revocation checks. Resolution: The customer's firewall team created and documented exceptions to allow outbound connections to: http://s.ss2.us/r.crl http://ocsp.rootg2.amazontrust.com/* http://crl.rootg2.amazontrust.com/rootg2.crl http://crl3.digicert.com/DigiCertGlobalRootG2.crl http://crl.rootca1.amazontrust.com/rootca1.crl http://ocsp.digicert.com/* For good measure, they also added http://ctldl.windowsupdate.com to the allow list, since that's the resource Windows uses to check for Windows updates, including to update it's own list of root CA certs. Meanwhile, we're working with support to improve our doc and error messaging/handling to make this a little more obvious, as we expect more and more users to run into this situation as they implement ZTA patterns. References: https://community.isc2.org/t5/Tech-Talk/PCI-and-revocation-checking-for-public-trusted-certificates/td-p/31830
... View more
12-11-2023
02:50 PM
|
4
|
0
|
1604
|
|
BLOG
|
No worries, here's the link: https://trust.arcgis.com/en/customer-documents/ArcGIS_Enterprise_AV_Guidance.pdf
... View more
11-20-2023
08:35 AM
|
4
|
0
|
11627
|
|
BLOG
|
There is an updated version in the customer exclusive documents repository in the ArcGIS Trust Center. https://trust.arcgis.com/en/customer-documents/
... View more
11-20-2023
06:03 AM
|
3
|
0
|
11688
|
|
POST
|
Esri's current statement regarding LibWebP is: Esri utilizes the LibWebP library in a number of products, however they have not been demonstrated as exploitable at this time. Out of an abundance of caution, all products utilizing the LibWebP component will be updated as part of the next product release. Patches for older versions will be considered for products where there is additional risk identified.
... View more
10-17-2023
08:39 AM
|
4
|
0
|
2955
|
|
POST
|
Esri is aware of CVE-2023-4863, which has recently seen broad media attention due to the impact to the commonly leveraged image library libwebp. We are also tracking CVE-2023-5217, which has not attracted as much media attention. The libwebp library is used to process images created in the webp image format. CVE-2023-4863 is known to have been exploited in the wild by an attacker tricking a victim into opening an HTML page that contains a specifically crafted webp image, triggering a buffer overflow. CVE-2023-5217 is a similar issue, found in libvpx. The libpvx library is used to process videos created with the VPX codec. CVE-2023-5217 is also known to have been exploited in the wild. We are investigating the impact of these vulnerabilities in these 3rd party components in our software. We encourage you to subscribe to the RSS feed on the ArcGIS Trust Center for the latest as it becomes available.
... View more
10-02-2023
01:43 PM
|
8
|
0
|
3632
|
|
POST
|
Web server logs will be the best way to collect this information.
... View more
08-30-2023
06:05 AM
|
0
|
1
|
3339
|
|
BLOG
|
OOPS, I'm forever tranposing the vuln scan guidnce and the AV guidance and the link is indeed broken. I'll work with our doc team to get this fixed.
... View more
08-28-2023
11:00 AM
|
1
|
0
|
12311
|
|
POST
|
Agree on the "too many layers" point. those should be split into different services with themes. Nobody's going to view all 100 of those layers at a time. I believe that this may be the answer to your question though: https://enterprise.arcgis.com/en/server/10.6/publish-services/windows/map-authoring-considerations.htm#ESRI_SECTION1_4C54586DEB0445B4B97AF15856E546AB
... View more
08-28-2023
08:04 AM
|
1
|
0
|
1979
|
|
POST
|
Looks like your front end web server may only support HTTP/2, where Workflow Manager likely requires HTTP/1.1. - or potentially vice-versa. Because the front end is sending in a format than the back-end server expects, an error is thrown.
... View more
08-28-2023
08:01 AM
|
0
|
1
|
3495
|
|
BLOG
|
Link changed w/ version 3.1: https://trust.arcgis.com/en/customer-documents/ArcGIS_Vulnerability_Scanning_Guidance_v31.pdf Check out the other resources in the customer exclusive area of the ArcGIS Trust Center. You may also find the WAF guide helpful.
... View more
08-28-2023
07:50 AM
|
0
|
0
|
12338
|
|
BLOG
|
@CarlosBarahona Yes. We recently implemented the webAuthN API and are working on the design to allow admins to require MFA for built-in accounts. WebAuthN was a prerequisite. This feature should be implemented in the near future.
... View more
08-07-2023
08:07 AM
|
1
|
0
|
3813
|
|
POST
|
In a future release, we'll be offering a headless token approach that should ease some of this challenge. That will allow for mandatory MFA for user accounts along with the ability to use "service accounts". ArcGIS Enterprise now supports gMSA out of the box.
... View more
08-07-2023
06:54 AM
|
2
|
0
|
2237
|
|
POST
|
Sorry about that, I could have sworn they were archives, not binary files. You can explode the cache using desktop or a tool like https://mapproxy.org/docs/1.13.0/mapproxy_util.html#export
... View more
07-28-2023
10:38 AM
|
0
|
0
|
1579
|
My kudoed posts
| Title | Kudos | Posted |
|---|---|---|
| 1 | 03-05-2026 06:49 AM | |
| 1 | 02-19-2026 07:09 AM | |
| 2 | 02-17-2026 02:27 PM | |
| 3 | 11-17-2025 07:06 AM | |
| 1 | 05-24-2018 07:28 AM |
Activity Feed
- Got a Kudo for Re: Update ARCGIS ANTIVIRUS GUIDANCE document. 03-05-2026 09:33 AM
- Posted Re: Update ARCGIS ANTIVIRUS GUIDANCE document on Esri Software Security & Privacy Questions. 03-05-2026 06:49 AM
- Got a Kudo for Re: Unable to Open PDF in AGOL only Download- New as of Feb 29, 2024. 02-23-2026 10:30 AM
- Got a Kudo for Re: Update ARCGIS ANTIVIRUS GUIDANCE document. 02-20-2026 12:18 AM
- Posted Re: Update ARCGIS ANTIVIRUS GUIDANCE document on Esri Software Security & Privacy Questions. 02-19-2026 07:09 AM
- Posted Re: Update ARCGIS ANTIVIRUS GUIDANCE document on Esri Software Security & Privacy Questions. 02-19-2026 06:33 AM
- Got a Kudo for Re: Best method to change IAA and PSA passwords. 02-18-2026 06:12 AM
- Got a Kudo for Re: Best method to change IAA and PSA passwords. 02-18-2026 03:27 AM
- Posted Re: Best method to change IAA and PSA passwords on ArcGIS Enterprise Questions. 02-17-2026 02:27 PM
- Got a Kudo for Re: Unable to Open PDF in AGOL only Download- New as of Feb 29, 2024. 11-25-2025 06:42 AM
- Got a Kudo for Re: Apache Parquet < 1.15.1 Remote Code Execution (CVE-2025-30065) in ArcGIS Pro. 11-19-2025 02:52 AM
- Got a Kudo for Re: Apache Parquet < 1.15.1 Remote Code Execution (CVE-2025-30065) in ArcGIS Pro. 11-19-2025 02:52 AM
- Got a Kudo for Re: Apache Parquet < 1.15.1 Remote Code Execution (CVE-2025-30065) in ArcGIS Pro. 11-17-2025 07:13 AM
- Got a Kudo for Re: Apache Parquet < 1.15.1 Remote Code Execution (CVE-2025-30065) in ArcGIS Pro. 11-17-2025 07:09 AM
- Posted Re: Apache Parquet < 1.15.1 Remote Code Execution (CVE-2025-30065) in ArcGIS Pro on ArcGIS Pro Questions. 11-17-2025 07:06 AM
- Got a Kudo for Re: Data Privacy using Arc Gis Python API. 10-29-2025 07:34 AM
- Got a Kudo for Re: ArcSOCs Exceed Max Instance Setting. 10-22-2025 02:17 PM
- Got a Kudo for Re: Unable to Open PDF in AGOL only Download- New as of Feb 29, 2024. 10-20-2025 07:25 AM
- Got a Kudo for New Technical Paper: Considerations for configuring antivirus software for ArcGIS Enterprise hosts. 09-16-2025 12:59 PM
- Got a Kudo for Re: Unable to Open PDF in AGOL only Download- New as of Feb 29, 2024. 06-06-2025 01:08 PM
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
a month ago
|