Configuring two web adaptors to use the same token

12-17-2012 03:17 PM
JasonKnisley
Deactivated User
I am in the process of setting up an environment where there will be two web adaptors behind a load balancer to serve a high-availability site. The configuration looks something like this:

[ATTACH=CONFIG]20023[/ATTACH]

Essentially, two physically separate ArcGIS Server sites are mirrored and attached with an NLB on the front end. Each site serves the same secured services and is configured to use the same shared key for token generation. In this scenario, ideally when the client logs in (authenticating against the built-in store) a token will be generated which will be recognized by both server sites.

Is this possible? If so, what needs to be done for this to happen? I know we can adjust the affinity settings on the NLB to prevent requests from the same client from being distributed across the two sites, but the goal is complete failover.

Thanks.
0 Kudos
4 Replies
RichardWatson
Deactivated User
I believe that the answer depends on how you generate the tokens, i.e. what options are passed to the token generation endpoint.

One of the elements of the token is who can use it. 

Let's say that client A generates a token
Client B sniffs the network and gets the token
Can client B use it?

ESRI tries to prevent this by encoding within the token which clients can use it. Frankly, it is not very secure because all of the information in an HTTP request can easily be spoofed, but it does stop trivial abuse cases.
0 Kudos
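Added example, not part of the thread and not Esri's code: a constructed HMAC token model (not ArcGIS Server's real token format) showing the two points raised above, that sites sharing a key accept each other's tokens and that the client binding is compared with values the request itself reports. The key, user name, addresses and the assumption that the second site sees the balancer's address as the source are invented for illustration.

```python
import base64, hashlib, hmac, json, time

def issue_token(shared_key, user, bind_kind, bind_value, ttl=3600, now=None):
    """Sign user, expiry and the client binding with the site's shared key."""
    claims = {"user": user, "exp": int((now or time.time()) + ttl),
              "bind": [bind_kind, bind_value]}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    mac = hmac.new(shared_key, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + mac

def validate(shared_key, token, request, now=None):
    """Return 'ok' or the reason this site rejects the token."""
    body, _, mac = token.partition(".")
    expected = hmac.new(shared_key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return "bad signature"          # site does not hold the issuing key
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] < (now or time.time()):
        return "expired"
    kind, value = claims["bind"]
    # The binding is only compared with what the request reports about itself.
    if request.get(kind) != value:
        return "client mismatch"
    return "ok"

# Constructed sample values (assumptions, not taken from the thread).
KEY_SHARED = b"constructed-shared-key"
KEY_OTHER = b"constructed-other-key"
APP = "https://maps.example.com/app"

def failover_demo():
    tok_ref = issue_token(KEY_SHARED, "jdoe", "referer", APP)
    tok_ip = issue_token(KEY_SHARED, "jdoe", "ip", "203.0.113.10")
    direct = {"ip": "203.0.113.10", "referer": APP}   # as seen by site A
    proxied = {"ip": "10.0.0.5", "referer": APP}      # site B sees the balancer
    return {
        "A referer": validate(KEY_SHARED, tok_ref, direct),
        "B referer": validate(KEY_SHARED, tok_ref, proxied),
        "B ip": validate(KEY_SHARED, tok_ip, proxied),
        "B other key": validate(KEY_OTHER, tok_ref, proxied),
    }

if __name__ == "__main__":
    for case, result in failover_demo().items():
        print(f"{case:12} -> {result}")
```

In this model an IP-bound token survives failover only if both sites see the same source address, while a referer-bound token depends on a header supplied by the client, so transport encryption is what actually protects the token.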
larryzhang
Frequent Contributor
Happy New Year, Team,

We need your assistance on the following scenario:

We are taking action to migrate an existing "Failover" system of ArcGIS Server 10.0 (SP5), which was constructed with two machine nodes (one is Active, another Passive) and managed by Windows Server 2008, into "Failover" ArcGIS Server 10.1 (SP1).

As a first step, all installation and configuration at the "Passive" node look fine. All services can be accessed via this host IP address.

However, when we tried to manage this "ArcGIS Server 10.1" as an EMP Cluster resource via the "EMP Cluster Group" manager in order to be accessible through the "virtual" IP address at the Cluster, it failed. The error message is shown below:
Service:  ArcGIS Server (ArcGIS Server)
Resource:  Generic Service
Parameters:  Files\ArcGIS\Server\framework\etc\service\bin\ArcGISServer.exe
Started 1/2/2013 8:13:57 AM
Completed 1/2/2013 8:13:58 AM

Creating the Generic Service resource.
Do not use network name as computer name.
An error occurred while creating the resource Generic Service.
An error occurred while configuring the Generic Service resource.
Unable to save property changes for 'ArcGIS Server'.
The specified service does not exist as an installed service

It seems that ArcGIS Server 10.1 no longer supports "Failover" infrastructure. If so, we have to restore ArcGIS Server 10.0. Is that correct?

Any advice on how to proceed with 10.1?
0 Kudos
EyadHammad
Deactivated User
Good day,

Did any of you guys reach a solution for how to configure ArcGIS Server 10.1 for a failover environment?
0 Kudos
shafitrumboo
Occasional Contributor
We have the same environment. Did you find a solution to this issue? Could you please also look at this thread:
http://forums.arcgis.com/threads/100232-Network-Load-balancer-in-ArcGIS-Server-10.2?highlight=Networ...
0 Kudos