Issues After Installing ArcGIS for Server and Portal for ArcGIS Server Version 10.2.1

03-07-2014 06:28 AM
PaulHardin
New Contributor II
Hello,

I hope someone can help us.

We have upgraded our TEST environment to ArcGIS for Server (AGS) 10.2.1 and included Portal for ArcGIS 10.2.1. AGS and Portal were installed on the server by one of our IT administrators. AGS and Portal are installed on the same server. Portal's WebAdapter has SSL enabled. We have web apps (such as , Flex Viewer) that use the map services so SSL was not enabled for AGS. Our Portal and AGS are only accessible internally inside our firewall on our intranet.

I am the Portal admin for customizing and managing Portal itself.  We are having a few issues after the upgrade.  We did not, nor plan to (unless it's required), Federate Portal with ArcGIS for Server.  Below are 3 issues we have:

  1. We have Portal configured to use Active Directory (AD). Once our administrator finished installing and configuring Portal for AD, I started the customizing of the application (i.e. customized banner, background color, etc). On the settings page, I noticed the check box for "Allow access to the portal through SSL only" was checked and the "Allow anonymous access to your portal" was unchecked. I unchecked the SSL Only checkbox and checked the Anonymous checkbox since we want some portions of Portal to be shared without users having to sign into Portal (i.e. web maps, web apps, etc). Even though we have Anonymous checked, Portal still requires the user to log in. Also, on the My Organization page, Portal only shows the user's AD User ID and not the AD name. We need input on how to make Portal open for anonymous users and also to show the AD name and not the AD user id.


  2. We are also unable to add AGS map services in as content in Portal. I copy the URL from the REST services page for a map service. Then on Portal I paste this in and as soon as I do that, the form changes for inputting whether or not to store the credentials with the service item. AGS is unsecured so the REST services can be accessed without logins. We have been unable to add any map services as content to Portal to share publicly on our intranet.


  3. When trying to create a map, without adding map service definitions as content to Portal, accessing the REST services from AGS directly (i.e. http://servername/arcgis/rest/services), I get a bunch of message boxes (appears to be one for each layer available) stating "Notice:  This portal is configured to require that only URLs access over HTTPS can be added."  I did a search for this message (ESRI and Google) and found that when you use IWA with Portal you must configure AGS and Portal to communicate using only HTTPS.


I hope someone can help us with answers about these issues.

Sincerely,
Paul Hardin
Nashville Electric Service
Nashville TN
Accepted Solutions
PaulHardin
New Contributor II
If you want to try to work on resolving this for yourself you can try to follow the summary of what we had to do with Esri's help.

1. The UpdateIdentityStore configuration settings were reviewed. With our DBA/Administrator present with Esri remoted in, we reviewed the configuration settings for the Identity Store. As an administrator of Portal, go to My Organization, click on Edit Settings, click on the Security tab and verify the "Allow access to the portal through SSL only" is checked. It doesn't matter whether the "Allow anonymous access to your portal" is checked or not as using LDAP or Integrated Windows Authentication basically forces a login.

Using the URL, https://webadaptor.domain.com/arcgis/portaladmin, replacing the "webadaptor.domain.com" with your portal server domain. If you used a different website, you may need to also change the "Arcgis" folder appropriately. In our case, we placed it in a "portal" website with its own WebAdaptor since Portal and ArcGIS for Server Enterprise are installed on the same server. Log in to the portaladmin site as an administrator. Go to Security > Config > Update Identity Store. Make sure you are using the example as provided in the help documentation (http://resources.arcgis.com/en/help/main/10.2/index.html#/Using_Integrated_Windows_Authentication_wi...) changing the appropriate properties for your enterprise's AD user, password, domain, etc.

Note: Esri verified you will get an error when the format is set to JSON formatting and it is normal operation.

2. We attempted to log in and got the same log in error as before.

3. We took the following steps to ensure the AD query credentials were valid and communicating with Active Directory. Go to the ArcGIS Server Manager endpoint at https://webadaptor.domain.com/arcgis/manager/# replacing the domain with your server domain and log in as an administrator. Click on the Security tab. IMPORTANT: This is only for testing the Active Directory user query login and not to be saved. Click on the Edit button (pencil icon) for Configuration Settings. Complete the steps to configure ArcGIS Server to communicate with Windows Active Directory. At the step to type in domain/username and password type in the credentials and click TEST. IMPORTANT: Once the credentials are validated click Cancel.

4. We connected back to the Portal Admin API and deleted the configurations we added previously in Step 1.

5. On the Portal server, go to the Windows services manager and stop the Portal service and then restart the Portal service.

6. Once the Portal starts back up, we ensured we could create an account from the Portal Home page.

7. Once the account creation was confirmed we connected to the Portal Admin API and added the Windows Active Directory configurations again from Step 1.

8. On the Portal server, open the IIS Manager. Click on the Portal site. Click on Authentication. For these settings, Disable Anonymous Authentication and Enable Windows Authentication.

9. If your organization allows and you desire a single sign-on experience, you could then add the Portal server as a Trusted Site in Internet Options for Internet Explorer on the Security tab. You would need to click on the Custom Level button and scroll to the bottom of the window and select "Automatic logon with current user name and password", click Ok, click Apply and then click Ok. You may want to verify with your IT department if this is in accordance with their IT Security policies. If not, you do not have to perform this step. If this step is not performed then any time you go to Portal you will be prompted to enter a user name and password on the login form that pops open.

As for the other issue we were having with the Security messages that kept appearing we made the following changes:

1. On the ArcGIS Server REST API endpoint (https://webadaptor.domain.com/arcgis/admin), we needed to change the ArcGIS Server from HTTP Only to HTTP and HTTPS. Once you log in as an administrator, click on Security > Config > Update. If not already set, change HTTP Only to HTTP and HTTPS from the drop-down list for the Protocol and click Update.

2. For some reason, this kind of got our WebAdaptor out of sync and we had to re-initialize it by re-configuring our WebAdaptor the same way we did during the ArcGIS Server installation. This has to be done from the server itself. Remote into the ArcGIS server and open a browser. Go to http://localhost/arcgis/webadaptor. You can use your ArcGIS WebAdaptor server domain if using localhost does not work for you. Select ArcGIS for Server and click Next. Ensure the ArcGIS Server URL is correct. Enter the Administrator user name and password and click Configure. This will re-initialize WebAdaptor.

3. Ensure you can see the REST map services in both the HTTP protocol and HTTPS protocol by going to your http://webadaptor.domain.com/arcgis/rest/services for the unsecured services and https://webadaptor.domain.com/arcgis/rest/services for your secured services. Test to make sure you can see and preview both of these in the ArcGIS JAVA viewer or other viewer of your choice from the map service page.

4. When you try to add map services to Portal, make sure you use the HTTPS URL and you will not see the Security messages that pop up when you search for map services.


I know this is long but these are the steps we had to take with Esri on a conference call and remoted in to see how it was all set up. I hope this works for any of you that are having these issues.

Sincerely,
Paul Hardin
Senior GIS Specialist
Nashville Electric Service

P.S. A special note of thanks to Esri Technical Support agent, Dustin.
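
A pre-flight check for steps 3 and 4 of the second list above, as an added example that is not part of the original post or of Esri's tooling: it reads the root services catalog over both HTTP and HTTPS and reports, for each candidate service URL, the HTTPS form to add to an SSL-only Portal. The function names, the `context` parameter and the sample service name are assumptions, and only services in the root folder are covered.

```python
import json
from urllib.parse import urlsplit
from urllib.request import urlopen

def fetch_json(url, timeout=10):
    """Default fetcher: GET a REST URL and parse the JSON body."""
    with urlopen(url, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))

def list_services(host, scheme, context="arcgis", fetch=fetch_json):
    """Return root-folder services as 'Name/Type' strings, or None if unreachable."""
    try:
        catalog = fetch(f"{scheme}://{host}/{context}/rest/services?f=json")
    except (OSError, ValueError):
        return None  # connection refused, TLS failure or a non-JSON reply
    return {f"{s['name']}/{s['type']}" for s in catalog.get("services", [])}

def preflight(service_urls, host, context="arcgis", fetch=fetch_json):
    """Map each candidate URL to (https_url, verdict) before adding it to Portal."""
    over_http = list_services(host, "http", context, fetch)
    over_https = list_services(host, "https", context, fetch)
    prefix = f"/{context}/rest/services/"
    report = {}
    for url in service_urls:
        parts = urlsplit(url)
        if parts.hostname != host.lower() or not parts.path.startswith(prefix):
            report[url] = (None, "not a service on this web adaptor")
            continue
        name = parts.path[len(prefix):].strip("/")
        https_url = f"https://{host}{prefix}{name}"
        if over_https is None:
            verdict = "HTTPS catalog unreachable: check server protocol and web adaptor"
        elif name in over_https:
            verdict = "ok" if parts.scheme == "https" else "use the HTTPS form"
        elif over_http and name in over_http:
            verdict = "listed over HTTP only"
        else:
            verdict = "service not listed"
        report[url] = (https_url, verdict)
    return report

if __name__ == "__main__":
    # Constructed catalog reply (hypothetical service), so the demo runs offline.
    demo = lambda url: {"services": [{"name": "Parcels", "type": "MapServer"}]}
    urls = ["http://webadaptor.domain.com/arcgis/rest/services/Parcels/MapServer"]
    for url, result in preflight(urls, "webadaptor.domain.com", fetch=demo).items():
        print(url, "->", result)
```

Run without the `fetch` argument, `preflight` queries the live server; a verdict of "HTTPS catalog unreachable" points back to steps 1 and 2 (protocol setting and web adaptor re-configuration).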

4 Replies
LoriSemmes
New Contributor
We are experiencing all the same issues and we have a Windows IIS Server with the WebAdaptor, a Linux server with Portal and a federated Linux server with ArcGIS Server. I have experienced every issue you mentioned with no solutions. Hopefully we can get some answers soon.
JaysonLindahl
Occasional Contributor
I think for your first part, you have to have the "allow access to the portal through SSL only" checked if you are going to use AD to authenticate because it is passing the credentials through the web adaptor. 
http://resources.arcgis.com/en/help/main/10.2/index.html#/Using_Integrated_Windows_Authentication_wi...

We also have the "Allow anonymous access to your portal" checked, which allows those users who don't have portal accounts to still see the public data.

We manually add our users to Portal and in the command script you are able to enter the user's name.
PaulHardin
New Contributor II
We ended up logging a technical support call with Esri to resolve the issues we were seeing.  They resolved our issues by remoting in and it was quite involved so I would highly recommend logging a support call if you are still having your issues.