ArcGIS Enterprise HA Portal configured to use IWA having issues loading Organization/Settings

151
3
Jump to solution
08-01-2022 09:54 AM
Labels (2)
BanchanaPandey
New Contributor III

We have ArcGIS Enterprise Portal 10.9.1 with HA environment configured with IWA.

I have also an esri case open for this issue. We have configured the app pool for the portal web adaptors according to the guidelines here How To: Configure Integrated Windows Authentication with a highly-available portal (esri.com)

We only have one external load balancer fronting the two web adaptor machines and the admin access through web adaptors are enabled true for that reason. The portals and federated arcgis servers have instances in the two web adaptor machines.

Everything seems to be working fine, except for when we disable the anonymous access to the portal web adaptor instances in the web adaptor machines, the Settings page under the Organization/Settings will not load at all. It seems like it is not able to communicate to the federated servers when anonymous is disabled.

Other tabs like Members, Licenses, Status, they load without any issue.

We have provided fiddler saz file, screen shot of error and logs to esri support already.

Thanks!

 

0 Kudos
2 Solutions

Accepted Solutions
JonathanQuinn
Esri Notable Contributor

What does the HTTP traffic look like when you load the Organization tab? Anything outstanding in the JSON responses?

Another thing to validate is whether all internal URLs are not going through a network path that would receive a 401 challenge. For example, this would be the privatePortalURL property or the Admin URL used by federated servers. These URLs can't be configured to return a 401 challenge. If your WebContextURL in Portal is set to the same property as the privatePortalURL, or the services URL used in federation is using IWA as well and matches the admin URL, you'll run into problems. You'll have to use separate URLs for internal communication. 

https://enterprise.arcgis.com/en/portal/latest/administer/windows/ha-scenarios-web-gis.htm

View solution in original post

BanchanaPandey
New Contributor III

May be this will help someone- we have finally resolved our issue by setting up another VIP to handle the backend (administrative, machine to machine) communication. After that, everything seemed to be working as normal. 

 

 

View solution in original post

0 Kudos
3 Replies
JonathanQuinn
Esri Notable Contributor

What does the HTTP traffic look like when you load the Organization tab? Anything outstanding in the JSON responses?

Another thing to validate is whether all internal URLs are not going through a network path that would receive a 401 challenge. For example, this would be the privatePortalURL property or the Admin URL used by federated servers. These URLs can't be configured to return a 401 challenge. If your WebContextURL in Portal is set to the same property as the privatePortalURL, or the services URL used in federation is using IWA as well and matches the admin URL, you'll run into problems. You'll have to use separate URLs for internal communication. 

https://enterprise.arcgis.com/en/portal/latest/administer/windows/ha-scenarios-web-gis.htm

BanchanaPandey
New Contributor III

Thanks Jonathan! I will send you the details privately in the message.

0 Kudos
BanchanaPandey
New Contributor III

May be this will help someone- we have finally resolved our issue by setting up another VIP to handle the backend (administrative, machine to machine) communication. After that, everything seemed to be working as normal. 

 

 

0 Kudos