Unable to add secured map services (local) to a new REST site with REST Manager 3.7
ISSUE:
Unable to add secured map services (local) to a new REST site with REST Manager 3.7
ENVIRONMENT:
OS: Windows Server 2008 (64-bit) R2 Standard SP1
ArcGIS Server: 10.0 SP2
Geocortex Essentials: 3.7
STEPS:
1. Open URL: http://cal1-s-agsdev1/Geocortex/Essentials/ClientGroup1/RestManager
a. Login with a member of group: agsadmin
b. Click link: Add New Site
[attachment]
c. Click button: Next
[attachment]
d. Click button: Next
[attachment]
e. Click button: Next
[attachment]
NOTE: I’ve tried the following values for map server:
1. Localhost
2. CAL1-S-AGSDEV1
3. CAL1-S-AGSDEV1.EXTRANET.GDS
4. http://CAL1-S-AGSDEV1/ArcGIS/Rest/Services
5. http://CAL1-S-AGSDEV1.EXTRANET.GDS/ArcGIS/Rest/Services
f. Click button: Next
[attachment]
NOTE: No map services are available in the dropdown list
g. Click button: Access Secured Services
[attachment]
ADDITIONAL INFORMATION:
1. Client Access Policy:
<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*"/>
        <domain uri="http://*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
2. Cross Domain:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>
3. ArcGIS Server Security:
[attachment]
4. ArcGIS Server Directory Permissions:
[attachment]
5. IIS Security:
[attachment]
6. Windows Group:
[attachment]
-
Hi Carl,
Have you made any changes to the Application Pool configuration on your server? Does the EssentialsAdmin user still run the REST Manager application?
If so, then something is interfering with the way that the server communicates with itself. After you try adding a service, can you check your IIS logs to determine if IIS recognizes the user, and see what identity that is? It's usually the 8th column, and of the form DOMAIN\username (or a single dash if there's no username, and it's anonymous).
Regards,
-Malcolm
-
APPLICATION POOL:
1. The REST manager for GE 3.7 is associated with the following application pool:
[attachment]
2. This application pool is associated with the following applications:
[attachment]
NOTE: It is associated with the REST manager for instances of Geocortex Essentials 3.5.0 & 3.7.0
IIS LOGS:
1. Login with "domain" account: GOLDER\admin_caustrom
2012-03-14 19:12:46 10.40.100.74 GET /Geocortex/Essentials/RESTDemoGroup1/RestManager/Account/LogOn ReturnUrl=%2fGeocortex%2fEssentials%2fRestDemoGroup1%2fRestManager 80 - 10.40.122.60 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/535.11+(KHTML,+like+Gecko)+Chrome/17.0.963.78+Safari/535.11 200 0 0 187
2012-03-14 19:13:07 10.40.100.74 POST /Geocortex/Essentials/RESTDemoGroup1/RestManager/Account/LogOn ReturnUrl=%2fGeocortex%2fEssentials%2fRestDemoGroup1%2fRestManager 80 - 10.40.122.60 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/535.11+(KHTML,+like+Gecko)+Chrome/17.0.963.78+Safari/535.11 302 0 0 234
2012-03-14 19:13:08 10.40.100.74 GET /Geocortex/Essentials/RestDemoGroup1/RestManager - 80 - 10.40.122.60 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/535.11+(KHTML,+like+Gecko)+Chrome/17.0.963.78+Safari/535.11 200 0 0 1296
NOTE: Account is not being recorded!
ADDITIONAL COMMENTS
1. Able to login with "domain" account when key: AdminRoleName is set to value: BUILTIN\Administrator & "domain" account is a member of Windows group: Administrators
2. Not able to login with "domain" account when key: AdminRoleName is set to value: agsadmin & "domain" account is a member of Windows group: agsadmin
-
Carl, we have two separate issues here.
First, the Essentials REST Manager does NOT impersonate the login that you use to connect to REST Manager. So, regardless of who you use to run the Manager, it will try to make connections to your maps as the identity of the Manager application.
Similarly, the Essentials REST Application will always connect to your maps as the identity of its application pool.
In your case this is the "Network Service" identity - which likely ends up being converted into the Computer account when it actually makes the connection. In your IIS logs, you should see some requests to the "/ArcGIS/rest/services" endpoint that result in a 401 unauthorized. These requests should have the identity of the user running Essentials. To get your setup to work, please add both the NETWORK SERVICE user principal and the computer account to the "agsadmin" group - or, add them to a different local group and grant that group access to the ArcGIS REST folder.
Secondly, if you change the administrative group for Essentials you must prepend the domain or computer name to the group. So, to permit access to REST Manager only to members of the local "agsadmin" group, specify the group as "CAL1-S-AGSDEV1\agsadmin".
I hope this clears some things up,
-Malcolm
-
ISSUE:
Unable to login to REST Manager with "domain" account in Windows group: AGSADMIN
SOLUTION:
Modified key: AdminRoleName from value: agsadmin to value: CAL1-S-AGSDEV1\agsadmin
-
CHANGES:
Add account: NT AUTHORITY\NETWORK Service to Windows group: agsadmin
Windows group: agsadmin is associated with the following members: Essentials, EssentialsAdmin, GAGISWebServices, GOLDER\CAL1-G-IMADMIN, GOLDER\CAL1-G-IMAGSADMIN & NT AUTHORITY\NETWORK Service
Domain accounts: GOLDER\caustrom & GOLDER\AGSProxy are members of domain group: GOLDER\CAL1-G-IMAGSADMIN
Domain account: GOLDER\admin_caustrom is a member of domain group: GOLDER\CAL1-G-IMADMIN
VERIFICATION:
Login to REST manager with domain account: GOLDER\caustrom -- PASSED
Create new REST site with a single map service from server: CAL1-S-AGSDEV1 -- FAILED (empty list of map services)
IIS LOGS:
2012-03-14 21:23:53 10.40.100.74 POST /Geocortex/Essentials/RESTDemoGroup1/RestManager/Account/LogOn - 80 - 10.40.122.57 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/535.11+(KHTML,+like+Gecko)+Chrome/17.0.963.78+Safari/535.11 302 0 0 250
2012-03-14 21:23:53 10.40.100.74 GET /Geocortex/Essentials/RESTDemoGroup1/RestManager/ - 80 - 10.40.122.57 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/535.11+(KHTML,+like+Gecko)+Chrome/17.0.963.78+Safari/535.11 200 0 0 656
2012-03-14 21:23:56 10.40.100.74 POST /Geocortex/Essentials/RESTDemoGroup1/RestManager/SiteWizard/Start - 80 - 10.40.122.57 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/535.11+(KHTML,+like+Gecko)+Chrome/17.0.963.78+Safari/535.11 200 0 0 359
2012-03-14 21:24:02 10.40.100.74 POST /Geocortex/Essentials/RESTDemoGroup1/RestManager/SiteWizard - 80 - 10.40.122.57 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/535.11+(KHTML,+like+Gecko)+Chrome/17.0.963.78+Safari/535.11 200 0 0 437
2012-03-14 21:24:04 10.40.100.74 POST /Geocortex/Essentials/RESTDemoGroup1/RestManager/SiteWizard - 80 - 10.40.122.57 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/535.11+(KHTML,+like+Gecko)+Chrome/17.0.963.78+Safari/535.11 200 0 0 312
2012-03-14 21:24:06 10.40.100.74 POST /Geocortex/Essentials/RESTDemoGroup1/RestManager/MapServiceWizard - 80 - 10.40.122.57 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/535.11+(KHTML,+like+Gecko)+Chrome/17.0.963.78+Safari/535.11 200 0 0 328
2012-03-14 21:24:22 ::1 GET /ArcGIS/rest/services f=json 80 - ::1 - 401 2 5 3109
2012-03-14 21:24:22 ::1 GET /ArcGIS/rest/services f=json 80 EXTRANET\CAL1-S-AGSDEV1$ ::1 - 200 0 0 296
2012-03-14 21:24:22 ::1 GET /ArcGIS/rest/services f=json 80 - ::1 - 401 2 5 0
2012-03-14 21:24:22 ::1 GET /ArcGIS/rest/services f=json 80 EXTRANET\CAL1-S-AGSDEV1$ ::1 - 200 0 0 31
2012-03-14 21:24:22 10.40.100.74 POST /Geocortex/Essentials/RESTDemoGroup1/RestManager/MapServiceWizard - 80 - 10.40.122.57 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/535.11+(KHTML,+like+Gecko)+Chrome/17.0.963.78+Safari/535.11 200 0 0 3765
-
Hi Carl,
This is the important clue:
2012-03-14 21:24:22 ::1 GET /ArcGIS/rest/services f=json 80 - ::1 - 401 2 5 3109
2012-03-14 21:24:22 ::1 GET /ArcGIS/rest/services f=json 80 EXTRANET\CAL1-S-AGSDEV1$ ::1 - 200 0 0 296
These requests (since they have no user agent) are the ones that Essentials is making. We can see that the first anonymous request is rejected with a 401, but the second request that is made by EXTRANET\CAL1-S-AGSDEV1$ returns a 200. It likely returns some content that says "you're not allowed to see these resources".
The EXTRANET\CAL1-S-AGSDEV1$ account is the computer account. You can add this account to the agsadmin group by ensuring that Computers are included in the Object Types when you add a user. Then, just type in CAL1-S-AGSDEV1 as the object name.
Regards,
-Malcolm
[attachment]
-
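Malcolm's advice in the two replies above (read the cs-username column of the IIS log, and treat the anonymous 401 followed by a 200 for the computer account as the clue) can be turned into a small check. The script below is an added example, not code from this thread or from Geocortex; it assumes the W3C field order visible in the quoted log lines (date, time, s-ip, method, uri-stem, uri-query, port, cs-username, c-ip, user-agent, status, substatus, win32-status, time-taken) and that the server's own requests arrive from loopback with no user agent.

```python
# Added example: parse IIS W3C log lines and report which identity the
# server's own loopback requests to /ArcGIS/rest/services authenticate as.
from collections import namedtuple

# Assumed #Fields order, matching the lines quoted in this thread.
FIELDS = ("date", "time", "s_ip", "method", "uri_stem", "uri_query", "port",
          "username", "c_ip", "user_agent", "status", "substatus",
          "win32_status", "time_taken")
Entry = namedtuple("Entry", FIELDS)
LOOPBACK = {"::1", "127.0.0.1"}

def parse_line(line):
    """Return an Entry, or None for #comment lines and malformed lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None
    return Entry(*parts)

def self_requests(lines, path_prefix="/ArcGIS/rest/"):
    """Requests the web server made to itself: loopback client, no user agent."""
    entries = (parse_line(l) for l in lines)
    return [e for e in entries if e is not None
            and e.c_ip in LOOPBACK and e.user_agent == "-"
            and e.uri_stem.lower().startswith(path_prefix.lower())]

def identity_report(lines):
    """Summarise the integrated-auth handshake in the self requests:
    anonymous 401 challenges, and the identities that then received a 200."""
    challenges = 0
    identities = set()
    for e in self_requests(lines):
        if e.status == "401" and e.username == "-":
            challenges += 1
        elif e.status == "200" and e.username != "-":
            identities.add(e.username)
    # A trailing '$' marks a machine (computer) account, as with
    # EXTRANET\CAL1-S-AGSDEV1$ above; that is the principal needing access.
    return {"challenges": challenges, "identities": identities,
            "computer_accounts": {u for u in identities if u.endswith("$")}}

# Constructed sample modelled on the thread's excerpt (user-agent shortened).
SAMPLE = r"""
2012-03-14 21:24:06 10.40.100.74 POST /Geocortex/Essentials/RESTDemoGroup1/RestManager/MapServiceWizard - 80 - 10.40.122.57 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 328
2012-03-14 21:24:22 ::1 GET /ArcGIS/rest/services f=json 80 - ::1 - 401 2 5 3109
2012-03-14 21:24:22 ::1 GET /ArcGIS/rest/services f=json 80 EXTRANET\CAL1-S-AGSDEV1$ ::1 - 200 0 0 296
2012-03-14 21:24:22 ::1 GET /ArcGIS/rest/services f=json 80 - ::1 - 401 2 5 0
2012-03-14 21:24:22 ::1 GET /ArcGIS/rest/services f=json 80 EXTRANET\CAL1-S-AGSDEV1$ ::1 - 200 0 0 31
""".strip().splitlines()

if __name__ == "__main__":
    print(identity_report(SAMPLE))
```

Run it against a real u_ex*.log by reading the file's lines instead of SAMPLE; any identity it reports that is absent from the group granted access to the ArcGIS REST folder is the one to add.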
CHANGE:
Add computer: EXTRANET\CAL1-S-AGSDEV1 to Windows group: agsadmin
VERIFICATION:
Login to REST manager with domain account: GOLDER\caustrom -- PASSED
Create new REST site with a single map service from server: CAL1-S-AGSDEV1 -- FAILED (empty list of map services)
IIS LOGS:
2012-03-14 23:10:52 10.40.100.74 GET /Geocortex/Essentials/RESTDemoGroup1/RestManager/Account/LogOn - 80 - 10.40.122.57 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/535.11+(KHTML,+like+Gecko)+Chrome/17.0.963.78+Safari/535.11 200 0 0 562
2012-03-14 23:11:02 10.40.100.74 POST /Geocortex/Essentials/RESTDemoGroup1/RestManager/Account/LogOn - 80 - 10.40.122.57 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/535.11+(KHTML,+like+Gecko)+Chrome/17.0.963.78+Safari/535.11 302 0 0 375
2012-03-14 23:11:02 10.40.100.74 GET /Geocortex/Essentials/RESTDemoGroup1/RestManager/ - 80 - 10.40.122.57 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/535.11+(KHTML,+like+Gecko)+Chrome/17.0.963.78+Safari/535.11 200 0 0 671
2012-03-14 23:11:05 10.40.100.74 POST /Geocortex/Essentials/RESTDemoGroup1/RestManager/SiteWizard/Start - 80 - 10.40.122.57 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/535.11+(KHTML,+like+Gecko)+Chrome/17.0.963.78+Safari/535.11 200 0 0 375
2012-03-14 23:11:14 10.40.100.74 POST /Geocortex/Essentials/RESTDemoGroup1/RestManager/SiteWizard - 80 - 10.40.122.57 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/535.11+(KHTML,+like+Gecko)+Chrome/17.0.963.78+Safari/535.11 200 0 0 453
2012-03-14 23:11:16 10.40.100.74 POST /Geocortex/Essentials/RESTDemoGroup1/RestManager/SiteWizard - 80 - 10.40.122.57 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/535.11+(KHTML,+like+Gecko)+Chrome/17.0.963.78+Safari/535.11 200 0 0 312
2012-03-14 23:11:18 10.40.100.74 POST /Geocortex/Essentials/RESTDemoGroup1/RestManager/MapServiceWizard - 80 - 10.40.122.57 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/535.11+(KHTML,+like+Gecko)+Chrome/17.0.963.78+Safari/535.11 200 0 0 312
2012-03-14 23:11:29 ::1 GET /ArcGIS/rest/services f=json 80 - ::1 - 401 2 5 15
2012-03-14 23:11:29 ::1 GET /ArcGIS/rest/services f=json 80 EXTRANET\CAL1-S-AGSDEV1$ ::1 - 200 0 0 46
2012-03-14 23:11:29 ::1 GET /ArcGIS/rest/services f=json 80 - ::1 - 401 2 5 15
2012-03-14 23:11:29 ::1 GET /ArcGIS/rest/services f=json 80 EXTRANET\CAL1-S-AGSDEV1$ ::1 - 200 0 0 31
2012-03-14 23:11:29 10.40.100.74 POST /Geocortex/Essentials/RESTDemoGroup1/RestManager/MapServiceWizard - 80 - 10.40.122.57 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/535.11+(KHTML,+like+Gecko)+Chrome/17.0.963.78+Safari/535.11 200 0 0 453
-
Hi Carl,
I set up a machine here that matches what you have done and ended up with the same results.
I do not see my Windows-secured ArcGIS Services from REST Manager.
However, with Server 2008 we should not have to use the "Network Service" identity to run the app pools for Kerberos authentication purposes. The Integrated application pools running as Essentials should be fine. If you use an Integrated application pool running as Essentials and EssentialsAdmin, then put the EssentialsAdmin and Essentials users into a role that is permitted to see your maps, then I think things will start to work properly.
I have tried to do that here but encountered some unexpected behaviour with REST Manager (blank screen instead of login prompt). The machine I am using has many many old versions of Essentials on it, though, so I suspect it is a problem on my end.
If I can find a resolution I will post it here.
Regards,
-Malcolm
-
CHANGES:
Reboot computer
VERIFICATION:
Login to REST manager with domain account: GOLDER\caustrom -- PASSED
Create new REST site with a single map service from server: CAL1-S-AGSDEV1 -- PASSED (lists all map services)