Hi Duarte, I understand your frustrations... we've had to run a duplicative stack with both web-tier and token support due to various limitations, either in the Esri products or in the nature of Windows authentication. We are striving to only deploy to our token stack if there is a technology limitation impacting a business need (e.g. field data collection with Collector and/or access from devices/platforms that are not 'trusted' in our domain)... so most of our services are in the web-tier stack. As for printing with web-tier... there is a known workaround and an Ideas post you may consider voting up: https://community.esri.com/ideas/13647-support-for-printing-web-maps-containing-web-tier-services Best of luck!
Posted 08-21-2017 09:03 AM
Just updating this thread (marking as resolved). We have successfully been able to take our internal 'web-tier' ArcGIS for Server services offline with Collector, collect some data, and sync that data with the web-tier feature service. We have only been able to confirm this with Windows 10 based devices, and those devices are trusted in our Active Directory domain. I think it would still be a challenge to get this working with Android and/or iOS. We tested this with a Portal for ArcGIS running 10.4.1 set up with Integrated Windows Authentication (IWA) and an ArcGIS for Server environment v10.4.1 also running IWA. The ArcGIS Server user store was set to Windows domain, role store set to 'built-in'. Both servers were running on different Windows 2008 R2 hosts with different Fully Qualified Domain Names (FQDN).
Posted 08-11-2017 02:29 PM
And just a quick follow-up to this... If the user is not on the network, our corporate SAML service supports two-factor authentication with the smart card... and theoretically an auth handler could be developed to interact with the smart card. Maybe by tapping into something like pyscard (Python for smart cards, pyscard 1.9.5 documentation)?
Posted 06-21-2017 02:05 PM
Hi Thomas, Close... but it does not actually interact with the smart card plugged into the host machine. Instead, it will inherit the logged-in user of the machine. Our SAML service is set up to allow Microsoft Integrated Windows Authentication (IWA), which uses the Microsoft Negotiate security provider. The Negotiate security provider implements Kerberos and/or NTLM authentication. For the Python authentication handlers... it was coded to use Kerberos. If the user account, machine, and server are all 'trusted' in the back-end domain, then we can achieve single sign-on. Our users are required to log in to their machines with their smart-card credentials... so we are able to inherit the logged-in user identity with this approach.

Unfortunately this is not going to work when our users are not connected to our internal network (SSO is only available when coming from an internal IP address), but it can be leveraged outside of the Esri desktop products. So my attempt at a 3rd grade statement on how it works: the SAML service knows who you are because you have a trusted account and are on a trusted machine.

I did implement the auth handler so that a developer could theoretically provide their own authentication handler to deal with the SAML service based on their unique organizational implementation; however, it defaults to Kerberos with OPTIONAL mutual authentication (a developer would pass an authentication handler into the optional 'saml_auth' instance constructor parameter). Clear as mud? Thanks for the kudos, this was a fun one to write because we have struggled with this for a few years now.
Posted 06-21-2017 01:37 PM
This has been a challenge for our organization for the past few years as well. We finally put together an authentication handler that works with the Python requests API and supports the Esri proprietary "token authentication", web-tier using Kerberos (or NTLM), and SAML with enterprise logins. The code repo is on GitHub (GitHub - DOI-BLM/requests-arcgis-auth: Authentication handler for using Esri ArcGIS for Server and Portal (ArcGIS Online…) in case you find it valuable for your efforts. The SAML piece was developed specifically to work with our SAML provider (which supports Kerberos authentication), but the overall process of authenticating to the identity provider (SAML) and handing the SAML code back to the portal to acquire an access and refresh token is technically feasible. Best of luck.
Posted 06-21-2017 10:12 AM
Updating an old thread... we did finally work out Python authentication access to AGOL/Portal that is federated to our corporate SAML service... the code repo is on GitHub in case anyone is interested in leveraging or reusing it for their business needs: GitHub - DOI-BLM/requests-arcgis-auth: Authentication handler for using Esri ArcGIS for Server and Portal (ArcGIS Online…
Posted 06-21-2017 09:50 AM
I'm curious... what is your business need for the "backdoor" account? Sounds like you would like 2 identity providers... the SAML one for your corporate users and the 'built-in' one for non-corporate users. For that model, I think you are going to need to retain the sign-in button.

We have a similar setup and have 2 major challenges with trying to run SAML only:
1. Automating tasks through custom tools/scripts
2. Offline field collection with Collector

Our corporate SAML service requires a client certificate on a smart card for authentication, but also supports single sign-on using Microsoft Integrated Windows Authentication (MS Negotiate - Kerberos).

For #1 - we have developed Python requests authentication handlers that technically work with our SAML service and Kerberos... you may find this useful: GitHub - DOI-BLM/requests-arcgis-auth: Authentication handler for using Esri ArcGIS for Server and Portal (ArcGIS Online… ... we use this to authenticate to the Portal/AGOL site using a 'headless Windows AD service account'... the tool (or Windows service) runs as that account and does a single sign-on to the SAML service.

For #2 - we are working through providing that capability by using a 3rd party service to provide "2 factor authentication". This is the biggest reason we still have it enabled; that process is not fully fleshed out.
Posted 06-21-2017 09:39 AM
This was very helpful. We are struggling after a 10.3.1 to 10.4.1 upgrade on a multi-machine, 2-cluster environment. This environment gets 1-2 million hits a day, so having it offline is a major impact... Using the #2 workaround appears to have provided us a band-aid, getting a service published that is expected to be there... but we still have not resolved the underlying root cause. Most likely going to open up a ticket today w/ Esri to try and nail that down... thanks again.
Posted 05-05-2017 10:40 AM
We had a similar/same issue on one of our deployments. I wrote a discussion topic on the ArcGIS for Server forums here that you may find valuable: https://community.esri.com/message/646889-arcgis-for-server-error-failed-to-start-the-server-machine-premature-end-of-file
Posted 11-10-2016 04:29 PM
We resolved this issue and wanted to share with the community (Knowledge Base)...

The Problem: One of our ArcGIS for Server machines was in a stopped state and would not start up. The only valuable log message we could find in the C:\arcgisserver\logs<machinename>\server directory was:

    "Failed to start the server machine. Premature end of file"

This article suggested some sort of corruption in the installation... which we followed, and compared to a working deployment. The specified file (config.xml) had no obvious issues... it had content and appeared comparable to a working installation. We found a few log files in the C:\Program Files\ArcGIS\Server\framework\etc\service\logs directory and specifically found the following in the service.log:

    Nov 10, 2016 9:21:05 AM org.apache.catalina.startup.Catalina stopServer
    SEVERE: Catalina.stop: org.xml.sax.SAXParseException; systemId: file: C:/Program Files/ArcGIS/Server/framework/runtime/tomcat/conf/server.xml; lineNumber: 1; columnNumber: 1; Premature end of file.
    <STACK TRACE>

and sure enough... the server.xml file was empty (0 bytes).

THE FIX: Copied a server.xml file from an alternate location (a deployment of the same ArcGIS Server version, 10.3.1). Modified the port 6443 connector (bottom of file):

    <Connector SSLEnabled="true" clientAuth="false" keyAlias="SelfSignedCertificate" keystoreFile="\\server\share\config-store\machines\servername\arcgis.keystore" keystorePass="<OBSCURED>" maxHttpHeaderSize="65535" maxPostSize="10485760" maxThreads="150" port="6443" protocol="org.apache.coyote.http11.Http11Protocol" scheme="https" secure="true" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" sslProtocol="TLS" />

Specifically updated the keyAlias, keystoreFile, and keystorePass. The keystorePass was a little tricky... Fortunately we found that the value of password in the \\server\share\config-store\security\super\\super.json file was the same as the keystorePass on other installations... so we put that value into the keystorePass field in our 'hacked' server.xml file.

Note: when the alias, file, or password values were incorrect... the ArcGIS Server would actually start up but only listening on HTTP port 6080. The HTTPS port 6443 (this connector) was non-operational. This was also the case when accessing HTTPS/443 through the Web Adaptor, as I assume the Web Adaptor sent the back-end request to 6443, not to 6080. I hope someone finds this useful if they run into a similar issue. We will be watching the site for stability, but a quick cursory test shows success and high confidence in this fix.
Posted 11-10-2016 04:26 PM
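The failure modes in the post above (a 0-byte server.xml, and a port-6443 connector whose keystore values are wrong so that Tomcat silently comes up on plain HTTP 6080 only) can be caught before a restart with a static check. The following is an added example, not code from the post or from Esri; it uses only the Python standard library and makes no assumptions about ArcGIS Server beyond what the post shows (the HTTPS connector lives on port 6443 and carries keyAlias, keystoreFile and keystorePass attributes). The embedded server.xml fragment is constructed for the example, with placeholder keystore path and password, and the keystore-existence test is injectable so the check can run against a copied file without reaching the real UNC path.

```python
"""Static sanity check for the Tomcat server.xml behind ArcGIS Server's HTTPS port."""
import os
import xml.etree.ElementTree as ET

# Constructed sample connector block (placeholder keystore path/alias/password).
SAMPLE_SERVER_XML = """<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="6080" protocol="HTTP/1.1" />
    <Connector SSLEnabled="true" clientAuth="false"
      keyAlias="SelfSignedCertificate"
      keystoreFile="\\\\server\\share\\config-store\\machines\\servername\\arcgis.keystore"
      keystorePass="PLACEHOLDER_PASSWORD"
      maxHttpHeaderSize="65535" maxPostSize="10485760" maxThreads="150"
      port="6443" protocol="org.apache.coyote.http11.Http11Protocol"
      scheme="https" secure="true"
      sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" sslProtocol="TLS" />
  </Service>
</Server>
"""

HTTPS_PORT = "6443"
# TLS 1.0/1.1 are deprecated; flag them so the copied file is not carried over unchanged.
LEGACY_PROTOCOLS = {"TLSv1", "TLSv1.1"}


def check_server_xml(xml_text, keystore_exists=os.path.isfile):
    """Return a list of findings for one server.xml; an empty list means no issues found.

    keystore_exists is a predicate on the keystoreFile path so the check can be run
    offline against a captured copy of the file.
    """
    findings = []
    if not xml_text.strip():
        # The exact symptom from the post: Tomcat reports "Premature end of file".
        return ["server.xml is empty (0 bytes): Tomcat will fail with 'Premature end of file'"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"server.xml is not well-formed XML: {exc}"]

    connectors = [c for c in root.iter("Connector") if c.get("port") == HTTPS_PORT]
    if not connectors:
        return [f"no Connector on port {HTTPS_PORT}: HTTPS would be non-operational"]
    conn = connectors[0]

    if conn.get("SSLEnabled", "").lower() != "true":
        findings.append(f"SSLEnabled is not 'true' on the {HTTPS_PORT} connector")
    if conn.get("scheme") != "https" or conn.get("secure", "").lower() != "true":
        findings.append(f"{HTTPS_PORT} connector should have scheme=\"https\" and secure=\"true\"")
    for attr in ("keyAlias", "keystoreFile", "keystorePass"):
        if not conn.get(attr):
            findings.append(f"{attr} is missing or empty on the {HTTPS_PORT} connector")
    keystore = conn.get("keystoreFile")
    if keystore and not keystore_exists(keystore):
        findings.append(f"keystoreFile does not exist: {keystore}")

    protos = {p.strip() for p in conn.get("sslEnabledProtocols", "").split(",") if p.strip()}
    legacy = sorted(protos & LEGACY_PROTOCOLS)
    if legacy:
        findings.append(f"legacy protocols enabled on {HTTPS_PORT}: " + ", ".join(legacy))
    return findings


def check_file(path):
    """Run the check against a server.xml on disk (real keystore path lookup)."""
    with open(path, encoding="utf-8") as fh:
        return check_server_xml(fh.read())


if __name__ == "__main__":
    # Treat the placeholder keystore as present so only the protocol finding remains.
    for line in check_server_xml(SAMPLE_SERVER_XML, keystore_exists=lambda p: True) or ["no findings"]:
        print(line)
```

Run check_file on the copied server.xml before starting the site; the check does not verify the keystore password (that would require opening the keystore), so a wrong keystorePass still shows up only as the 6080-only symptom the post describes.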
We resolved this issue and wanted to share with the community (Knowledge Base)...

Our agency has quite a few ArcGIS for Server (AGS) deployments, ranging from a 1-machine site with a local config store to multiple-machine sites with a shared configuration store. We recently went to add a machine to our *DEVELOPMENT* environment and ran across an error that the new machine was unable to access the configuration store:

    {"status":"error","messages":["Failed to register the server machine '<HOSTNAME>'. Server machine 'http://<HOSTNAME>:6080/arcgis/admin' returned an error. 'Unable to access the config store on '\\\\<server>\\<share>\\config-store'.'"],"code":500}

This site was originally built with 4 machines, 1 in each cluster (with a shared config store)... but over the years they were all yanked out for other purposes and we needed some additional capacity for the number of services hosted. We are currently running Esri ArcGIS for Server v10.3.1 with the Security Update 2 patch applied (JULY 2016).

We spent a fair amount of time troubleshooting this... Most of our AGS deployments access the config store on a DFS path that is served up from a file share on a Windows server. This has worked pretty well for us in the past, as our file servers are rolled into our backup procedures; we have successfully restored configuration stores to an alternate location and brought up ArcGIS Server at a previous point in time. To troubleshoot... we started by restoring our config store to an alternate server and were able to get the site up and operational without issue, but had the same problem trying to add a new server... "Unable to access the config store...". We loosened all sharing and NTFS permissions without resolution. We sifted through all the known logging locations and could not find any valuable information to chase. We logged into our AGS machine with the service account used to run AGS and connected to the config store with success. We shut down the site and cleaned up any existing .lock files (which have been troublesome for us in the past).

Assuming there was some corruption in the config store... and not having much success troubleshooting it over a few days, we were about to give up and make our GIS business side re-build all their dev services from scratch (this is a shared development environment with ~120 services and ~30 publishers)... we decided to look at the network level using Wireshark as one last-ditch effort. We completed a packet capture during the attempt to add the site and found the AGS machine communicating with the file server, and on the SMB Create Request File it specifically had:

    Disposition set to FILE_OPEN
    FILE_OPEN 0x00000001 If the file already exists, return success; otherwise, fail the operation. MUST NOT be used for a printer object.

And the file server responded with STATUS_OBJECT_NAME_NOT_FOUND. At that point the AGS machine responded with an HTTP 500 status code (quoted above). We ran this attempt a few times and noticed that it was trying to open the same file every time. Reviewing other config stores showed a file present (with a different value in the file name), which all appear to be empty.

THE FIX: We copied over a <obscure_number>.dat file from a different installation into this config store and named it the file it was trying to open: 0350a677b607f5f86226be7b50ca4073d4710b8f.dat. Attempting to add the ArcGIS Server to the site no longer threw that error message (we ended up with a different error message about not being able to validate data stores... but we have previously and frequently run into that and just delete data stores that are no longer valid). I hope someone finds this useful if they run into a similar issue. We will be watching the site for stability, but a quick cursory test shows success and high confidence in this fix.
Posted 11-07-2016 04:08 PM
We are also struggling with this. We have public-facing services that require security for various reasons (data confidentiality or integrity). The primary workflow would be for 'Collector for ArcGIS'. We would like to host on-premise services that are accessible in our ArcGIS.com solution. An alternative we are mulling over is to deploy a public-facing on-premise 'Portal for ArcGIS' solution, and federate our ArcGIS Server solutions to that. Unfortunately, having multiple portals is very cumbersome and confusing for end users and adds additional IT burden. We would have to manage users, groups, and items in two different public portals to provide secured access to both services and portal items (e.g. web maps/apps).

We started an Ideas post (https://community.esri.com/ideas/12092 ) for Esri to consider allowing on-premise ArcGIS Server to federate with an ArcGIS Online portal. This would allow our ArcGIS Server environments to inherit the security settings (authentication/authorization) of the portal and leverage the same single sign-on session. If this were implemented, for your case, I expect you would share your service with the same ArcGIS Online group as your web map. Users that are members of that group would get authorized access to both resources (the service and the web map). My plug: you may consider 'voting up'!
Posted 06-30-2016 12:22 PM
We recently enabled enterprise logins using our corporate identity provider (SAML). It was pretty straightforward. We chose the value 'Either their <enterprise login label> or ArcGIS Online Account' under the Sign In Options in the Security tab of the organization settings. This presents 2 login buttons on the login page... the first button is the SAML provider, the second is the built-in arcgis.com account. Our users can log in with the SAML provider... but it creates them a new account, and their existing content is under their old account. Most of our users are still using the arcgis.com accounts, but we are putting plans in place to transition them to SAML (which is an endeavor in and of itself).
Posted 06-30-2016 12:12 PM
I ran into this also today... I have a pretty straightforward Python script that uses arcpy.mapping. The script just adds a few service layers, and vector (polygon) layers from a SQL Server 2012 enterprise GDB (EGDB). These EGDB layers are registered as versioned. All running v10.3.1 (desktop + EGDB). I am directly interacting with the Python interpreter window inside ArcMap. I've run this same code off and on over the past few days and it failed only once in 100+ executions... Any help or insight is greatly appreciated. I am also using SelectLayerByAttribute_management.
Posted 06-21-2016 08:04 AM
| Title | Kudos | Posted |
|---|---|---|
| | 1 | 02-18-2016 03:07 PM |
| | 1 | 07-09-2012 09:32 AM |
| | 1 | 03-25-2015 08:29 AM |
| | 1 | 06-30-2016 12:12 PM |
| | 1 | 03-24-2015 09:33 AM |