Disable the enabled security for GIS Services

NancyGnanicys · ‎10-04-2012

I realized that after enabling security for GIS services I am now required to enter in my windows log in and password to access the REST services page and even a bigger issue is that flex viewer can not see the rest services at all. I have given myself permission and access rights to all services but still no luck. So after careful consideration I decided to revert back to no security. I followed these steps below. In addition, to that I have applied Service pack5 to ALL products at 10.0 and have ran post install and restarted the machine twice. Once after implementing the changes in the steps below and then once again after the service pack. I have restarted SOC and SOM a couple times in between the changes as well, still no luck in seeing my rest services. I just want things to be the way there were before I locked down the rest service directory. Any ideas?

"Disabling security for services
Once you enable security for GIS services, you cannot use Manager to disable security. This is to prevent accidental disabling of security and compromise of access to your services. If you decide later that you must disable security, you can do so with the following steps.

Warning: If you perform these steps, any user will be able to connect to any GIS service using an Internet connection without providing any login.

1.Use a text editor (such as Notepad) or XML editor to open the file Server.dat on your server object manager (SOM) machine. This file is located in your ArcGIS Server installation at <ArcGIS Install Location>\server\system.
2.Change the following element, located inside the <Server> element, from
<SecurityEnabled>true</SecurityEnabled>
to
<SecurityEnabled>false</SecurityEnabled>
Then save the file.
3.Use a text or XML editor to open the file web.config in C:\Inetpub\wwwroot\ArcGIS\Services (adjust the path if you installed the ArcGIS Web services to a different location).
4.Locate the following line withing the <appSettings> section:
<add key="RequireToken" value="True" />
and change it to:
<add key="RequireToken" value="False" />
Then save the file.
5.Repeat the previous two steps for the web.config files in the Rest folder and also the Tokens folder in the C:\Inetpub\wwwroot\ArcGIS directory.
6.If security was configured for Windows users, then re-enable anonymous access to the Services and Rest folders in the ArcGIS Server Web instance in IIS. Refer to the instructions in the section on Disabling anonymous access to ArcGIS Web services in Internet Information Services, except in step 3 of the instructions, choose to enable anonymous access. Do this for both Services and Rest directories.
7.Restart the ArcGIS Server Object Manager service and the World Web Web Publishing Service. "

nicogis · ‎10-05-2012

do you see error when you see service directory in browser?
Have you file .sec in directory <ArcGIS Install>\server\user\cfg (http://webhelp.esri.com/arcgisserver/9.3/java/cfg_file_security.htm)?

NancyGnanicys · ‎10-05-2012

I do not have an .sec file, they are all .cfg however in permissions I have set multiple role as allowed so I'm not sure why there isn't one. [ATTACH=CONFIG]18221[/ATTACH]

"do you see error when you see service directory in browser?"
Actually I am able to see the rest services directory when I go to the url for it upon putting in my credentials. Although I am able to see the rest services I am unable to consume them in arcgis online or flex viewer or anything REST url related so I need to revert back. I have two folders I'm using to test on organized as 'secure' and 'open' and have different permissions on them but it doesn't seem to make any difference on accessibility. Very stumped.

nicogis · ‎10-05-2012

"...Actually I am able to see the rest services directory when I go to the url for it upon putting in my credentials..."
you have this behaviour because you have windows authentication enabled security set in iis.

NancyGnanicys · ‎10-05-2012

I don't want to have to put in any credentials at all, I want to revert back to having open REST services like before, and nothing seems to work so far......

nicogis · ‎10-05-2012

have you disable window authentication in security on rest directory in iis? see Disable anonymous access to GIS Web services http://help.arcgis.com/en/arcgisserver/10.0/help/arcgis_server_dotnet_help/0093/0093000000ps000000.h.... You must enable anonymous access

NancyGnanicys · ‎10-08-2012

Yes, it was enabled already as well, I went through and checked the websites folder and the rest services as well and both show as enabling anonymous access using an account that does have permissions in the security role store, the same user that has belongs to the guest role as well.

The attached screen shot shows enabled acccess but in the Computer management shows 'guest' but with a red x, I'm wondering if that needs to be "turned on" and if so how would I change that to be on like the IUSR account? I'm not sure which tab to go into and such, this is the realm of web GIS I am new to.

[ATTACH=CONFIG]18248[/ATTACH]

nicogis · ‎10-08-2012

In iis6, during its setup, the IUSR_computername account is added to the Guests group on the computer running IIS. Guests have the same access as members of the Users group by default, except for the Guest account, which is further restricted.

NancyGnanicys · ‎10-08-2012

When I try to access the Rest services url on the actual machine which runs sde and gis services I am still required to put in credentials, this to me doesn't make sense either but I'm unable to access it via external, internal network computers as well still so I'm still stuck trying to open up REST services to everyone again. For some reason, I've followed the disabling security for services in the resources center but nothing seems to undo security so here are code from some files:

C:programFiles\Arcgis\server\system\server.dat

<Server>
 <SecurityEnabled>false</SecurityEnabled>
 <ServerMachines>
  <Machine>
   <Name>serverX</Name>
   <Description></Description>
   <Capacity>-1</Capacity>
  </Machine>
 </ServerMachines>
 <ServerDirectories>
  <Directory>
   <Path>E:\arcgisserver\arcgiscache</Path>
   <URL>http://serverX/arcgiscache</URL>
   <Description></Description>
   <Type>cache</Type>
  </Directory>
  <Directory>
   <Path>E:\arcgisserver\arcgisjobs</Path>
   <URL>http://serverX/arcgisjobs</URL>
   <Description></Description>
   <Type>jobs</Type>
   <Cleaning>sliding</Cleaning>
   <MaxFileAge>3600</MaxFileAge>
  </Directory>
  <Directory>
   <Path>E:\arcgisserver\arcgisoutput</Path>
   <URL>http://serverX/arcgisoutput</URL>
   <Description></Description>
   <Type>output</Type>
   <Cleaning>sliding</Cleaning>
   <MaxFileAge>600</MaxFileAge>
  </Directory>
 </ServerDirectories>
 <Properties>
  <LogPath>F:\Program Files\ArcGIS\server\user\log\</LogPath>
  <LogLevel>3</LogLevel>
  <LogSize>10</LogSize>
  <ConfigurationStartTimeout>300</ConfigurationStartTimeout>
  <EngineContextTimeout>600</EngineContextTimeout>
  <InputDir>E:\arcgisserver\arcgisinput</InputDir>
 </Properties>
</Server>

From C:\Inetpub\wwwroot\ArcGIS\Services\web.config

<configuration>  
  <configSections>
  </configSections>
  <connectionStrings>
    <add name="AgsUserStore" connectionString="Server=serverX\GISSQL;Initial Catalog=GISDatabase; Integrated Security=True;" />
  </connectionStrings>
  <system.web>     
    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider" />
    <httpHandlers>
      <add verb="*" path="*.agsx" type="ESRI.ArcGIS.WebServices.HandlerFactory, ESRI.ArcGIS.WebServices, Version=10.0.0.0, Culture=neutral, PublicKeyToken=8fc3cc631e44ad86" validate="false" />
    </httpHandlers>
    <httpModules>
      <add type="ESRI.ArcGIS.WebServices.ModuleRewriter, ESRI.ArcGIS.WebServices, Version=10.0.0.0, Culture=neutral, PublicKeyToken=8fc3cc631e44ad86" name="ESRI-Services-BaseHttpModule" />
    </httpModules>
  </system.web>
  <system.webServer>
    <modules>
      <add name="ModuleRewriter" type="ESRI.ArcGIS.WebServices.ModuleRewriter, ESRI.ArcGIS.WebServices, Version=10.0.0.0, Culture=neutral, PublicKeyToken=8fc3cc631e44ad86" preCondition="managedHandler" />
    </modules>
    <validation validateIntegratedModeConfiguration="false" />
    <handlers>
      <add name="ESRI-Services-ISAPI-2.0" path="*" verb="*" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll" resourceType="Unspecified" requireAccess="Script" preCondition="classicMode,runtimeVersionv2.0" />
      <add name="ESRI-Services-Integrated" path="*" verb="*" type="ESRI.ArcGIS.WebServices.HandlerFactory, ESRI.ArcGIS.WebServices, Version=10.0.0.0, Culture=neutral, PublicKeyToken=8fc3cc631e44ad86" resourceType="Unspecified" requireAccess="Script" preCondition="managedHandler" />
    </handlers>
  </system.webServer>  
  <appSettings>
    <add key="ServiceInfoRefreshTimeInSeconds" value="10" />
    <add key="GCInterval" value="10000" />
    <add key="Impersonate" value="true" />
    <add key="TokenKey" value="jxgt4214JX" />
    <add key="RequireToken" value="False" />
    <add key="ShortTokenTime" value="60" />
    <add key="LongTokenTime" value="14400" />
    <add key="TokenServiceURL" value="https://serverX/ArcGIS/tokens/" />
  </appSettings>  
</configuration>

Interesting how I am unable to undo security at this point, after following the resources. Not sure where else to be looking at this point.

nicogis · ‎10-09-2012

see http://support.microsoft.com/kb/264921/en-us