Latest Contributions by PF1

Well I have made some progress diagnosing the issue. I was able to succesfully log into ArcGIS Server Manasger with one of my windows domain accounts. The domain account that worked is only a part of 4 groups none of which are within nested groups. My account that does not work is in groups that are nested. When I look at how many groups that I am ultimately part of it, is around 130. This leadsme to belive ArcGIS Server has a probelm with nested groups or it has a limit on how many groups a user can be part of. Anyone else having similar issues? I can confirm this issue for us.  We are using Windows user/role store with GIS Server authentication.  My 1 of my AD accounts work just fine (who is an administrator, and in less than 5 AD groups).  One of my other AD accounts is splattered in 15-20 AD groups and is also part of sub-groups.  I was going to use my second account as a publisher to test that functionality.  I added one of my co-workers who is part of many many many AD groups (with sub-groups) and it taks over 5 minutes to do anything through manager We attributed this to the 'publisher role' originally, thinking that is what was slowing it down.  I added his account (and my second account) to the administrators role and it is still awfully slow.  We added the AD service account as a publisher and it runs very fast.  We also changed that account to be an administrator and it also runs very fast!  This account is not part of any AD roles at the moment (and was only added to the 1 role when trying it as a publisher or administrator).  I would agree that there seems to be a major performance issue when traversing a large AD tree where users are in many groups and there are sub-groups involved.  The good news: we found a great fix that we like better so far.  We've now configured the security of the site the following: User Store: Windows Domain Role Store: ArcGIS Server Built-in Auth. Tier: GIS Server Auth. Mode: ArcGIS Tokens So far this seems to have solved our performance issues as both a user consuming the services (anonymous) and as either a publisher or administrator.  This also allows us to control our groups/roles without having to involve the operational IT staff that have control over AD so I think this will work better than having the role store in the windows domain.  I'm wondering if this is also why we experienced slow performance issues when doing web-tier authentication as I've described here: http://forums.arcgis.com/threads/61813-Intermittent-slow-performance-accessing-rest-page I might try to re-configure the site to do web-tier authentication, but leave the role store with the ArcGIS Server Built-in. ... View more

Not an easy way, but I received the following from an ESRI tech. Essentially this enables you to create a new site without reinstalling: 1.  Stop the ArcGIS Server Service in Windows Services. 2.  Delete the following files from c:\program files\ArcGIS\Server\Framework\etc : a.  arcgis-logsettings.json config-store-connection.xml b.  machine-config.xml 3.  Rename the c:\arcgisserver\config-store folder  to something like oldconfig-store 4.  Start the ArcGIS Server Service in Windows Services. 5.  Log into Server Manager and choose to "Create New Site" 6.  After you are  back in Server manager, stop the ArcGIS Server Service again. 7.  Copy everything from c:\arcgisserver\oldconfig-store to c:\arcgisserver\config-store  except for c:\arcgisserver\config-store\security. 8.  Leave the new c:\arcgisserver\config-store\security folder alone when you copy the information back. I was given this info, but haven't test it yet. Logically that seems like it would work also.  If I have to dis-able security to get back to a standard install I will try it this way and report back.  Thanks for the feedback! ... View more

OK - last update for a while as I think we are going to try this configuration out.  Seems to be the best solution regarding stability and meeting our requirements: From the standard install (what comes out of the box with no security configured): We have enabled the user/role store to be 'windows domain' We have left the 'GIS Server' for the authentication IIS 'arcgis' virtual directory Settings: Anonymous is enabled & 'Windows Authentication' is disabled Configured a 'administrator' AD group and a 'publisher' AD group.  Performance seems very good.  Accessing the rest page comes up in usually less than 1 second.  There are a few draw-backs which we can deal with for now: Users are not automatically authenticated which means that we cannot track who is using what services (minor deal) Publishers and Administrators are not automatically authenticated.  They need to store their credentials in the arcgis server connection file which could pose issues when their passwords expire (if they want to administer/publish from the ArcGIS Desktop products).  Now just need to test this with configuring the second web-server (w/ web-adaptor) behind the NLB and see if it still performs well... ... View more

Thanks for the reply. I am using the Web Tier Authentication. The User/Role Store is set to Windows Domain. I made the following changes on IIS. I wasn't able to access any service until I made these changes: - Disable Anonymous access to the 'arcgis' virtual directory - Enable Windows Authentication in the 'arcgis' virtual directory - Move 'NTLM' to the top of the list or Providers - Restart IIS I did configure the web adapter after we set up security on the GIS Site. I did this while I was using an ArcGIS role store. After switching to AD I no longer have access to the Web Adaptor. I get a 403 Forbidden Access. It seams like this is happening because the server thinks I am not an Admin anymore. I did allow management through the web adaptor. You will need to re-configure your web-adaptor to recongnize the shared key that you provided when you chose to authenticate at the web-tier.  Can you login to the web-server (where IIS is running) and access this page in a browser: http://localhost/arcgis/webadaptor Rember that the 'Administrator Username' is the Primary administrator user (not the service account that was created on the local box or in your existing AD).  If you've lost the shared key you can re look that up by going to the rest page: http://localhost:6080/arcgis/admin/security/config You will be prompted for credentials and you can use your primary site administrator if you havn't disabled it yet. Hopefully that will help out.  I've spent the past week mucking with different security models and have had very very poor performance when using the 'web tier' for authentication.  See another thread I've started here: http://forums.arcgis.com/threads/61813-Intermittent-slow-performance-accessing-rest-page I would be interested in knowing if you have similar performance issues once you get your web tier authentication working properly.  HTH ... View more

Does anyone know how to disable security in 10.1 and get back to a standard install? see this thread: http://forums.arcgis.com/threads/61813-Intermittent-slow-performance-accessing-rest-page#2 specifically configuration 4.  I also went into the 'roles', 'user-roles', and 'users' folders and cleared all of those contents (after backing them up of course)  😉 ... View more

What is handling the authentication?  Is it set to 'web tier' or 'GIS server'? Did you configure the user/role store for 'Windows Domain' or 'LDAP'? Did you change any authentication paramaters on the IIS->Default Web Site->arcgis (like disabling anonymous and enabling windows authentication) Also - did you configure the web-adaptor after you configured security in the GIS 'site'?  If so did you check the box allowing users to manage the site through the web-adaptor? Some of those answers might help solve your problem. ... View more

Update: After spending 2 full days trying to pin down our performance issues... We found some ways to replicate the issues, but are still working on a solid resolution.. Configuration 1 - Users/roles:Win. domain & Authentication:Web Tier = Horrible Performance We had the site configured like this: http://forums.arcgis.com/threads/61507-Problem-with-10.1-Web-Adaptor#6 Basically security was enabled to have the user/role store in a 'windows domain' and the security authentication was at the 'web tier'. You can see with the IIS logs that performance was horribly bad when accessing the rest home page at http://<web-adaptor_HOSTNAME>/arcgis/rest/services ... it would take 60-120 seconds to render this page and return the directory listing. It would also prompt for a username/password for the first person who accessed the site (and error with a HTTP 401 response - see line 1 from the IIS log below), but then succeed (after 60-120 sec) on subsequent requests (see line 2 in IIS log): #Software: Microsoft Internet Information Services 7.5 #Version: 1.0 #Date: 2012-07-10 17:33:46 #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken 2012-07-10 17:33:46 xxx.xxx.xxx.xxx GET /arcgis/rest/services - 80 - YYY.YYY.YYY.YYY Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) 401 1 2148074254 375 2012-07-10 17:35:25 xxx.xxx.xxx.xxx GET /arcgis/rest/services - 80 DOMAIN\USERNAME YYY.YYY.YYY.YYY Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) 200 0 0 78140 Configuration 2 - Users/roles:Win. domain & Authentication:GIS Tier (Providers... 'Negotiate' at the top) = Horrible Performance re-configuring the security to use 'windows domain' for the user/role store, but having the authentication at the 'GIS SERVER'. We left the 'arcgis' virtual directory in IIS configured to disable anonymous access and enable windows authentication (with NTLM below Negotiate in the 'providers' section) and still saw horrid performance. #Software: Microsoft Internet Information Services 7.5 #Version: 1.0 #Date: 2012-07-10 17:46:10 #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken 2012-07-10 17:50:34 xxx.xxx.xxx.xxx GET /arcgis/rest/services - 80 - YYY.YYY.YYY.YYY Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) 200 0 0 203656 Configuration 3 - Users/roles:Win. domain & Authentication:GIS Tier (Providers... 'NTLM' at the top) = Horrible Performance Same as above (AD for users/roles, but GIS server for authentication) except that we moved NTLM above Negotiate in the 'providers' section and this seems to still have horrible performance: #Software: Microsoft Internet Information Services 7.5 #Version: 1.0 #Date: 2012-07-10 17:52:51 #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken 2012-07-10 17:57:03 xxx.xxx.xxx.xxx GET /arcgis/rest/services - 80 - YYY.YYY.YYY.YYY Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) 200 0 0 99750 2012-07-10 18:01:14 xxx.xxx.xxx.xxx GET /arcgis/rest/services - 80 - YYY.YYY.YYY.YYY Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) 200 0 0 92578 Configuration 4 - Users/roles:GIS Server & Authentication:GIS Tier (DEFAULT INSTALL) = GREAT PERFORMANCE About the only way to acheive adaquate performance is to use the defaults out of the box (GIS Server for user/role store and for authentication). The problem is that we would really like to tie in our AD credentials for administration/publishing and be able to track use by users in our orginization as described here: Securing your ArcGIS Server site To get back to defults: Login to IIS and set the 'arcgis' virtual directory to allow anonymous auth. and disable the 'Windows auth.'. Then go to the location of our 'config-store'->security and edit the 'security-config.json' file to look like this: {   "securityEnabled": true,   "authenticationMode": "ARCGIS_TOKEN",   "authenticationTier": "GIS_SERVER",   "userStoreConfig": {     "type": "BUILTIN",     "properties": {}   },   "roleStoreConfig": {     "type": "BUILTIN",     "properties": {}   },   "sslEnabled": false,   "httpEnabled": true,   "virtualDirsSecurityEnabled": false } and then log into arcgis/manager and setting the permissions at the root to be 'public, available to everyone'. Re-config the web-adaptor on the IIS server and the site flys!!! #Software: Microsoft Internet Information Services 7.5 #Version: 1.0 #Date: 2012-07-10 18:42:57 #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken 2012-07-10 18:42:57 xxx.xxx.xxx.xxx GET /arcgis/rest/services - 80 - YYY.YYY.YYY.YYY Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) 200 0 0 734 2012-07-10 18:43:02 xxx.xxx.xxx.xxx GET /arcgis/rest/services/Basemaps_ags/MapServer - 80 - YYY.YYY.YYY.YYY Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) 200 0 0 2562 2012-07-10 18:43:11 xxx.xxx.xxx.xxx GET /arcgis/rest/services/Basemaps_ags/MapServer/export bbox=-158.07694190315246,48.12808111415401,-61.13182215488604,83.76600431210284 80 - YYY.YYY.YYY.YYY Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) 200 0 0 6187 2012-07-10 18:43:11 xxx.xxx.xxx.xxx GET /arcgis/rest/directories/arcgisoutput/Basemaps_ags_MapServer/_ags_map23a9496fa48b4d8583d9a0d53fec08cf.png - 80 - YYY.YYY.YYY.YYY Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) 200 0 0 31 2012-07-10 18:43:14 xxx.xxx.xxx.xxx GET /arcgis/rest/services - 80 - YYY.YYY.YYY.YYY Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) 200 0 0 328 Any support for getting acceptable performance using the 'web tier' for authentication would be much appreciated. We would rather have our IIS server handle the authentication, but for now will leave it with the GIS server handle the authentication. ... View more

Thank-you! Thank-you!  Thank-you! This worked.  I still couldn't logon with my account after making this change, but I was able to logon with the primary administrator account again.  It looks like when I disable the account it cleared out my administrator role for some reason... I don't know if it was just a freak occurrence or if this is an actual issue, but your tip saved my day! Good to know!  were you able to edit the .json file while the server was running?  If so did you have to restart the ArcGIS Server for that setting to take effect? I've thought about disabling that account also (as reccomended per ESRI), but was worried about what happened if all my admins got locked out for some reason.  At least there is a way to re-store without having to completly re-install! And for clarification: the "disabled" value should be set to 'false' to re-enable it 😉 Regards, Patrick ... View more

Here is what my IIS screen looks like:  [ATTACH=CONFIG]15873[/ATTACH]  Here is the IIS version on my server:  [ATTACH=CONFIG]15874[/ATTACH] Hi Curtis, I am using the web-adaptor with IIS7. You might find these articles useful (for IIS6): How to configure IIS to support both the Kerberos protocol and the NTLM protocol for network authentication Setting NTAuthenticationProviders at an Application level in IIS 6 Just heed the important warnings: Important This article contains information about how to edit the metabase. Before you edit the metabase, verify that you have a backup copy that you can restore if a problem occurs. For information about how to do this, see the "Configuration Backup/Restore" Help topic in Microsoft Management Console (MMC). I'm not sure if enabling NTLM will solve your problem or if it is even required. I just know that it took me 2-3 days to get the web-adaptor with WINDOWS OS user/role and web authentication working properly and I did move the NTLM setting to the top. Best of luck! ... View more

I have followed your steps except for the following: I have the web adaptor installed on the same server as ArcGIS server.  The documentation says this is okay. When I go IIS > Default Web Site > arcgis > Authentication > Windows Authentication, I enabled Windows Authentication but I don't have an option to select 'Providers'.  Under 'Advanced Settings', the 'Enable Kernel-mode authentication' is checked. Hi Curtis, It *should* be ok that the web-adaptor/IIS is on the same server as your GIS server.  If you go to 'IIS > Default Web Site > arcgis > Authentication' and highlight the 'Windows Authentication' item then there should be a 'Providers...' link that you can select in the 'Actions' pane on the right.  Then you should see the 'providers' window pop-up that allows you to move 'NTLM' to the top of the list.  See attached picture with the red box [ATTACH=CONFIG]15872[/ATTACH] ... View more

After a little further research - we did not use that script.  I cannot find the original source, but I attached a copy of the VB form.  Basic Installinstructions (recomended to do this in a dev/test environment before you deploy this to a production system): Download and unzip the attachemt [ATTACH=CONFIG]15829[/ATTACH] Verify that VBA is installed (from my link above in the KB).  You will know if you launch ArcCatalog ->Tools->Macros.  If those are enabled (not greyed out) then you have it installed right.   Navigate to your application data directory for arccatalog.  On my 2003 server that is in "C:\Documents and Settings\USERNAME\Application Data\ESRI\ArcCatalog".  You might need to 'show hidden files/folders' in order to get there Backup your 'Normal.gxt' file (Copy to Normal.gxt.original) Launch ArcCatalog Go to 'Tools->Macros->Visual Basic Editor... From the MS VB editor: go to File->Import File Find the 'frmChangeArcSDEDataSource_v931.frm' that was in the attachment and click open Close the MS VB editor In ArcCatalog: Tools->Customize->Commands Tab Pick [UIControls] in the very bottom and select 'New UIControl...' Pick 'UIButtonControl' and select "Create and Edit".  This opens the VB Editor again Paste this line into the subroutine (between the 'Private Sub ...' and 'End Sub'): Call frmChangeArcSDEDataSource.Show Save and close the VB Editor In ArcCatalog: Tools->Customize->Commands Tab.  Pick [UIControls] in the very bottom.  In the 'Commands' text box: click and drag (do not let go of the mouse) the 'Normal.UIButtonControl1' button and drop it on one of your current toolbars.  You should now see a new button on the toolbar with no text in it.  Basic Use Instructions: Stage your MXD's in a new folder (reccomending backing up your originals) Navigate to your new folder and select the folder in the explorer pane (in ArcCatalog) Click the new button in the toolbar.  This will prompt you for the SDE DB credentials.  Click 'Process MXD's That script should iterate through every MXD in the directory you selected and repoint the vector and raster data sources to a new data source.  Please let me know if you give this a try and need any further support. ... View more

We used this script: http://arcscripts.esri.com/details.asp?dbid=14888 It requres the VBA macro editor: http://support.esri.com/en/knowledgebase/techarticles/detail/17844 We had to make some minor modifications to the script to include database prefix changes.  Give that a try.  You select a folder in ArcCatalog and launch the GUI window.  It asks for DB connection information and iterates through every MXD in the directory and swaps all vector/raster data to the connection information you provide.  We used this for 2.5 years to migrate services from dev->test->prod.  Quit using it when we upgraded to esri v10 software as this had expanded support for the arcpy mapping module that we could use python for accessing layers inside MXD files.  HTH, Patrick ... View more