Physical HTTP load balancer, ArcGIS for Server, and Active Directory

01-09-2013 12:19 PM
GhassanKarwchan
New Contributor III
Our company wants to upgrade ArcGIS to 10.1.
And we are using Active Directory security on the server.
So, from what I know, we have to use the Web Adaptor of 10.1 if we are using Active Directory in order to authenticate the users.
But at the same time, our current setup is using load balancer, which is a physical Http router that is used as load balancer.

Is there a way to use the physical balancer and authenticate with the Windows logged in users?

Our IT are insisting on using the load balancer, because we cannot trust how good the Web Adaptor is as a load balancer.
6 Replies
BubbaHey
Occasional Contributor III
I will let someone else answer the load balance question, but you don't need the Web Adaptor for Windows or LDAP/Active Directory authentication. The Web Adaptor is only needed if you want external users to have access to your pages.

See:

Configuring ArcGIS Server security
http://resources.arcgis.com/en/help/main/10.1/index.html#//0154000005qz000000
GhassanKarwchan
New Contributor III
I will let someone else answer the load balance question, but you don't need the Web Adaptor for Windows or LDAP/Active Directory authentication. The Web Adaptor is only needed if you want external users to have access to your pages.

See:

Configuring ArcGIS Server security
http://resources.arcgis.com/en/help/main/10.1/index.html#//0154000005qz000000


I am not sure if this is correct.

From the same document, it is clear in the paragraph about web server authentication:

Web server authentication requires installing the ArcGIS Web Adaptor on your web server. When web server authentication is configured, ArcGIS Server delegates authentication to the Web Adaptor. Once a user is successfully authenticated, the ArcGIS Web Adaptor encrypts and appends the user information to the request and forwards it to ArcGIS Server. ArcGIS Server receives and decrypts the user information to verify that the user has the authorization to access the requested GIS web service.
GhassanKarwchan
New Contributor III
For more information about my question:

I want to use LDAP/Active Directory as user/role data store
and I want to use Integrated Windows Authentication to authenticate users.

And I found this paragraph:

Integrated Windows Authentication is not supported over the Internet and requires the installation and configuration of the ArcGIS Web Adaptor (IIS). For information, see About the ArcGIS Web Adaptor. The Web Adaptor performs authentication, while ArcGIS Server authorizes access to the web services.


From this document: http://resources.arcgis.com/en/help/main/10.1/index.html#/Securing_web_services_with_Integrated_Wind...

So, my question is:
If I want to use Integrated Windows Authentication, and at the same time the company is using a load balancer to balance the requests, and the load balancer is just a hardware box, how can I do that?
The load balancer that is used is: http://www.f5.com/glossary/load-balancer/
christopherfricke2
New Contributor III
I just got done setting something up like this.

You should be okay for Integrated Windows Authentication on IIS through the load balancer. You just need to make sure that the SSL certificate installed in IIS on each backend server is using the hostname of the load balancer.

In the scenario below, the SSL certs will need to be for LB1:


AGS 1--\
AGS 2----  LB1
AGS 3--/


Currently Active Directory / IIS authentication is incredibly finicky at 10.1 sp1. Some of these things are supposed to be fixed at 10 sp2; however, here are a few troubleshooting suggestions:


  • If you start getting 500 error messages like "Unable to process request. ArcGIS Server Site is not configured. Check with your ArcGIS Server administrator for resolution; an ArcGIS Server site is created or machines are added to an existing site using ArcGIS Server Manager.", this can be caused by ArcGIS Server getting out of sync with your AD.



    1. Set Role storage back to ArcGIS Server

    2. Restart ArcGIS server

    3. Set Role storage to AD with Token Authentication

    4. Restart ArcGIS server

    5. Set role storage to AD and set IIS authentication

    6. Restart server



  • If you are getting random 400 messages when accessing the REST endpoint but can still log into Manager, this could be an issue with your user being in too many AD groups. This results in the size of the requests being too large for ArcGIS Server to handle.



    1. Open C:\Program Files\ArcGIS\Server\framework\runtime\tomcat\conf\server.xml

    2. Look for this text at the very bottom of the file:

       <Connector SSLEnabled="true" clientAuth="false" keyAlias="SelfSignedCertificate" keystoreFile="/opt/esri/3135_upgrade/arcgis/server/usr/config-store/machines/RHDAILY.ESRI.COM/arcgis.keystore" keystorePass="<blah blah blah>" maxThreads="150" port="6443" protocol="org.apache.coyote.http11.Http11Protocol" scheme="https" secure="true" sslProtocol="TLS"/>

    3. Insert maxHttpHeaderSize="65535" as an attribute of the XML so that it looks like this:

       <Connector SSLEnabled="true" clientAuth="false" keyAlias="SelfSignedCertificate" keystoreFile="/opt/esri/3135_upgrade/arcgis/server/usr/config-store/machines/RHDAILY.ESRI.COM/arcgis.keystore" keystorePass="<blah blah blah>" maxThreads="150" port="6443" protocol="org.apache.coyote.http11.Http11Protocol" scheme="https" secure="true" sslProtocol="TLS" maxHttpHeaderSize="65535"/>

  • You may have to modify the WebContextURL: http://servicesbeta2.esri.com/arcgis/admin/www/doc/serverProperties.html

  • Also check out http://support.esri.com/en/knowledgebase/techarticles/detail/40694 for more info.

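The random 400s described in Christopher's second bullet come down to arithmetic: the Kerberos ticket that the browser base64-encodes into the Authorization: Negotiate header grows with the user's group memberships, and Tomcat rejects any request whose header block exceeds maxHttpHeaderSize (8192 bytes when the attribute is absent) before ArcGIS Server ever sees it. The block below is an added example, not Esri's code and not from the post. It uses the sizing rule of thumb from Microsoft KB 327825 to estimate whether a given user's token fits, and applies the maxHttpHeaderSize change to the 6443 Connector idempotently. The server.xml fragment, the AGS1 machine name and the keystore path in it are constructed for the example.

```python
"""Added example (not Esri's or the poster's code): size the Negotiate header
and patch the ArcGIS Server Tomcat connector. The server.xml below is constructed."""
import math
import re
from typing import Optional

# Tomcat's default maxHttpHeaderSize when the attribute is absent from the Connector.
TOMCAT_DEFAULT_MAX_HEADER_BYTES = 8192


def estimate_kerberos_token_bytes(d: int, s: int) -> int:
    """Rule of thumb from Microsoft KB 327825: TokenSize = 1200 + 40d + 8s.

    d: domain local groups + universal groups outside the account domain
       + SID-history entries the user carries
    s: global groups + universal groups inside the account domain
    """
    return 1200 + 40 * d + 8 * s


def negotiate_header_bytes(token_bytes: int, other_header_bytes: int = 0) -> int:
    """Bytes the header block needs once the ticket is base64-encoded into
    'Authorization: Negotiate <b64>' (base64 grows 3 bytes to 4, padded) plus CRLF."""
    b64_len = 4 * math.ceil(token_bytes / 3)
    return len("Authorization: Negotiate ") + b64_len + 2 + other_header_bytes


def header_fits(token_bytes: int, limit: int = TOMCAT_DEFAULT_MAX_HEADER_BYTES,
                other_header_bytes: int = 0) -> bool:
    """True when the request headers stay inside Tomcat's limit; past it Tomcat
    answers 400 before ArcGIS Server ever sees the request."""
    return negotiate_header_bytes(token_bytes, other_header_bytes) <= limit


# Self-closing <Connector .../> tags only, which is how ArcGIS Server 10.1 writes them.
# An attribute value containing '>' (e.g. an unredacted keystorePass) would break this.
_CONNECTOR_RE = re.compile(r'<Connector\b[^>]*?\bport="(?P<port>\d+)"[^>]*?/>')


def connector_tag(server_xml: str, port: str) -> Optional[str]:
    """Return the Connector tag listening on `port`, or None."""
    for m in _CONNECTOR_RE.finditer(server_xml):
        if m.group("port") == port:
            return m.group(0)
    return None


def set_max_http_header_size(server_xml: str, port: str = "6443", size: int = 65535) -> str:
    """Set maxHttpHeaderSize on the Connector for `port`: add it if missing, raise it
    if smaller, never lower it, and leave every other Connector untouched."""
    def fix(m: re.Match) -> str:
        tag = m.group(0)
        if m.group("port") != port:
            return tag
        attr = re.search(r'\bmaxHttpHeaderSize="(\d+)"', tag)
        if attr is None:
            return tag[:-2].rstrip() + f' maxHttpHeaderSize="{size}"/>'
        if int(attr.group(1)) >= size:
            return tag
        return tag[:attr.start()] + f'maxHttpHeaderSize="{size}"' + tag[attr.end():]
    return _CONNECTOR_RE.sub(fix, server_xml)


# Constructed fragment in the shape of ArcGIS Server 10.1's server.xml (not a real file).
SAMPLE_SERVER_XML = """<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="6080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector SSLEnabled="true" clientAuth="false" keyAlias="SelfSignedCertificate" \
keystoreFile="C:/arcgisserver/config-store/machines/AGS1/arcgis.keystore" \
keystorePass="REDACTED" maxThreads="150" port="6443" \
protocol="org.apache.coyote.http11.Http11Protocol" scheme="https" secure="true" \
sslProtocol="TLS"/>
  </Service>
</Server>
"""

if __name__ == "__main__":
    # A user in 200 global and 50 domain-local groups still fits the 8 KB default;
    # one in 500 global and 200 domain-local groups does not.
    for d, s in ((50, 200), (200, 500)):
        tok = estimate_kerberos_token_bytes(d, s)
        print(f"d={d} s={s}: token~{tok}B header~{negotiate_header_bytes(tok)}B "
              f"fits default={header_fits(tok)}")
    print(connector_tag(set_max_http_header_size(SAMPLE_SERVER_XML), "6443"))
```

Run it against a copy of the real server.xml rather than in place, diff the result, and only then restart ArcGIS Server; the keystorePass in that file is a secret, so do not paste the unredacted Connector line into a ticket the way the redacted one above was.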
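Christopher's first point, that the certificate on each backend IIS must be issued for the load balancer's hostname, can be checked without a browser. The block below is an added example, not from the post and not Esri's code: an RFC 6125-style hostname matcher run over certificate dicts in the shape Python's ssl.SSLSocket.getpeercert() returns, with constructed certificates for the AGS 1 / AGS 2 / AGS 3 / LB1 layout in the diagram. The hostnames lb1.corp.example, ags1.corp.example and so on are assumptions. Note that the browser also requests its Kerberos ticket for the name it connects to, so the HTTP/lb1 service principal name matters as much as the certificate; this example covers only the certificate side.

```python
"""Added example (not from the post or Esri): check that a backend's certificate is
valid for the load balancer's name, with RFC 6125-style matching. Certs are constructed."""


def _name_matches(pattern: str, host: str) -> bool:
    """Exact, case-insensitive match; a '*' is allowed only as the entire leftmost
    label and matches exactly one label (RFC 6125 section 6.4.3)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert: dict, hostname: str) -> bool:
    """`cert` has the shape of ssl.SSLSocket.getpeercert(): 'subjectAltName' is a
    tuple of (type, value) pairs, 'subject' a tuple of RDNs. If any DNS SAN is
    present the CN is ignored, as browsers do; otherwise fall back to commonName."""
    dns_sans = [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]
    if dns_sans:
        return any(_name_matches(s, hostname) for s in dns_sans)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _name_matches(value, hostname)
    return False


def backends_ready_for_lb(certs_by_backend: dict, lb_hostname: str) -> dict:
    """Map each backend to whether the cert it serves would pass for the LB name."""
    return {name: cert_matches_host(cert, lb_hostname)
            for name, cert in certs_by_backend.items()}


# Constructed certificates for the diagram's layout; hostnames are made up.
LB_HOST = "lb1.corp.example"
CERTS = {
    # Wrong: issued to the machine's own name, which is what IIS gets by default.
    "AGS 1": {"subject": ((("commonName", "ags1.corp.example"),),)},
    # Right: a SAN cert for the LB name that also keeps the machine's own name.
    "AGS 2": {"subject": ((("commonName", "lb1.corp.example"),),),
              "subjectAltName": (("DNS", "lb1.corp.example"), ("DNS", "ags2.corp.example"))},
    # Also right: a wildcard for the zone covers lb1, but not a deeper sub-zone.
    "AGS 3": {"subject": ((("commonName", "*.corp.example"),),),
              "subjectAltName": (("DNS", "*.corp.example"),)},
}

if __name__ == "__main__":
    for backend, ok in backends_ready_for_lb(CERTS, LB_HOST).items():
        print(f"{backend}: {'ok' if ok else 'cert is NOT for ' + LB_HOST}")
```

To test a live backend, connect to each server's IP on 443 with ssl.create_default_context(), pass server_hostname=LB_HOST, and feed getpeercert() into cert_matches_host; a backend whose cert fails here is the one the load balancer will surface as a certificate warning or a failed Negotiate round trip.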
GhassanKarwchan
New Contributor III
Wow, thanks Christopher, very detailed answer.

I will check it out and ask you if I have questions