Esri / arcgis-cookbook

Chef cookbooks for ArcGIS
Apache License 2.0

ERROR: Failed to configure Web Adaptor with Portal for ArcGIS. Expected process to exit with [0], but received '1' #293

Closed makariw closed 2 years ago

makariw commented 2 years ago

I am running the install of ESRI Enterprise with HA as documented here:

https://github-wiki-see.page/m/Esri/arcgis-cookbook/wiki/Deploy-a-highly-available-ArcGIS-Enterprise

on Windows 2016 with 4 cores

The process is failing with the error message below.

I can browse to https://MACHINENAME/portal/webadaptor and it resolves as expected.

https://MACHINENAME:7443 does not resolve successfully as ESRI Portal is using a self-signed cert on this port. In arcgis-enterprise-primary.json:

    "arcgis": {
        "version": "10.9",
        "run_as_user": "arcgisadmin",
        "run_as_password": "password",
        "configure_windows_firewall": true,
        "repository": {
            "archives": "C:\\Software\\Archives",
            "setups": "C:\\Software\\Setups"
        },
        "iis": {
            "keystore_file": "C:\\Software\\Certificates\\gis01v.pfx",
            "keystore_password": "password",
            "replace_https_binding": true
        },

gis01v.pfx is a domain cert that is successfully bound on the IIS web server for HTTPS communication.

Ideally I would like to use this domain cert in both ArcGIS Server and Portal for ArcGIS.

Is there a recipe that imports the domain cert into both ArcGIS Server and Portal for ArcGIS?

    Generated at 2021-09-03 13:13:54 +0000
    Mixlib::ShellOut::ShellCommandFailed: arcgis_enterprise_webadaptor[Configure Web Adaptor with Portal] (arcgis-enterprise::portal_wa line 22) had an error: Mixlib::ShellOut::ShellCommandFailed: Expected process to exit with [0], but received '1'
    ---- Begin output of "C:\Program Files (x86)\Common Files\ArcGIS\WebAdaptor\IIS\10.9\Tools\ConfigureWebAdaptor.exe" /m portal /w "https://MACHINENAME/portal/webadaptor" /g "https://MACHINENAME:7443" /u "portaladmin_user" /p "password" /r false ----
    STDOUT: ERROR: Unable to connect to PortalURL : https://MACHINENAME:7443
    STDERR:

Any suggestions on how I can resolve this issue?

cameronkroeker commented 2 years ago

Hello @makariw,

You can define the following attributes within your json file to import an SSL certificate into portal (7443) and server (6443):

https://github.com/Esri/arcgis-cookbook/tree/master/cookbooks/arcgis-enterprise#server

https://github.com/Esri/arcgis-cookbook/tree/master/cookbooks/arcgis-enterprise#portal

As for the error received, I recommend checking two things. First, I would check to see what TLS settings are enabled in IIS. You can use a third-party tool such as IIS Crypto. Perhaps it's set to TLS v1.2 only; I have seen issues where the Web Adaptor silent registration tool fails because of this. Additionally, if you are setting a WebContextUrl property for portal, I recommend checking to ensure the FQDN of the WebContextUrl property is resolvable from both portal and web adaptor node.

Thanks, Cameron K.

makariw commented 2 years ago

Hi Cameron,

I am using arcgis-3.7.0 cookbooks and the json for the primary machine has the

{
    "arcgis": {
        "version": "10.9",
        "run_as_user": "arcgis",
        "run_as_password": "Pa$$w0rdPa$$w0rd",
        "configure_windows_firewall": true,
        "repository": {
            "archives": "C:\\Software\\Archives",
            "setups": "C:\\Software\\Setups"
        },
        "iis": {
            "keystore_file": "C:\\Temp\\keystore.pfx",
            "keystore_password": "change.it",
            "replace_https_binding": true
        },
        "server": {
            "install_dir": "C:\\Program Files\\ArcGIS\\Server",
            "install_system_requirements": true,
            "private_url": "https://domain.com:6443/arcgis",
            "web_context_url": "https://domain.com/server",
            "admin_username": "siteadmin",
            "admin_password": "change.it",
            "authorization_file": "C:\\Software\\AuthorizationFiles\\10.9\\Server.prvc",
            "directories_root": "\\\\FILESERVER\\arcgisserver",
            "log_dir": "C:\\arcgisserver\\logs",
            "log_level": "WARNING",
            "config_store_type": "FILESYSTEM",
            "config_store_connection_string": "\\\\FILESERVER\\arcgisserver\\config-store",
            "wa_name": "server",
            "system_properties": {
                "WebContextURL": "https://domain.com/server"
            }
        },
        "python": {
            "install_dir": "C:\\Python27"
        },
        "data_store": {
            "install_dir": "C:\\Program Files\\ArcGIS\\DataStore",
            "install_system_requirements": true,
            "data_dir": "C:\\arcgisdatastore",
            "preferredidentifier": "hostname",
            "types": "tileCache,relational",
            "tilecache": {
                "backup_type": "fs",
                "backup_location": "\\\\FILESERVER\\arcgisbackup\\tilecache"
            },
            "relational": {
                "backup_type": "fs",
                "backup_location": "\\\\FILESERVER\\arcgisbackup\\relational"
            }
        },
        "portal": {
            "install_dir": "C:\\Program Files\\ArcGIS\\Portal",
            "install_system_requirements": true,
            "admin_username": "siteadmin",
            "admin_password": "change.it",
            "admin_email": "admin@mydomain.com",
            "admin_full_name": "Administrator",
            "admin_description": "Initial account administrator",
            "security_question": "Your favorite ice cream flavor?",
            "security_question_answer": "bacon",
            "data_dir": "C:\\arcgisportal",
            "log_dir": "C:\\arcgisportal\\logs",
            "log_level": "WARNING",
            "content_store_type": "fileStore",
            "content_store_provider": "FileSystem",
            "content_store_connection_string": "\\\\FILESERVER\\arcgisportal\\content",
            "object_store": "",
            "authorization_file": "C:\\Software\\AuthorizationFiles\\10.9\\Portal.json",
            "user_license_type_id": "",
            "wa_name": "portal",
            "system_properties": {
                "privatePortalURL": "https://domain.com:7443/arcgis",
                "WebContextURL": "https://domain.com/portal"
            }
        },
        "web_adaptor": {
            "admin_access": true,
            "reindex_portal_content": false
        }
    },
    "run_list": [
        "recipe[arcgis-enterprise::system]",
        "recipe[arcgis-enterprise::disable_loopback_check]",
        "recipe[esri-iis]",
        "recipe[arcgis-enterprise::install_portal]",
        "recipe[arcgis-enterprise::webstyles]",
        "recipe[arcgis-enterprise::portal]",
        "recipe[arcgis-enterprise::portal_wa]",
        "recipe[arcgis-enterprise::server]",
        "recipe[arcgis-enterprise::server_wa]",
        "recipe[arcgis-enterprise::datastore]",
        "recipe[arcgis-enterprise::federation]"
    ]
}

Where do I set the SSL certs for both Portal and Server? Should I be using a different version of the cookbooks?

cameronkroeker commented 2 years ago

Thanks @makariw for providing the cookbook version and json file being used. You are using the latest\recommended cookbook and json file.

We can add the following attributes to the json file to import an SSL certificate into ArcGIS Server (6443):

Example:

"server": {
            "install_dir": "C:\\Program Files\\ArcGIS\\Server",
            "install_system_requirements": true,
            "private_url": "https://domain.com:6443/arcgis",
            "web_context_url": "https://domain.com/server",
            "admin_username": "siteadmin",
            "admin_password": "change.it",
            "authorization_file": "C:\\Software\\AuthorizationFiles\\10.9\\Server.prvc",
            "directories_root": "\\\\FILESERVER\\arcgisserver",
            "log_dir": "C:\\arcgisserver\\logs",
            "log_level": "WARNING",
            "config_store_type": "FILESYSTEM",
            "config_store_connection_string": "\\\\FILESERVER\\arcgisserver\\config-store",
            "wa_name": "server",
            "system_properties": {
                "WebContextURL": "https://domain.com/server"
            },
            "keystore_file": "C:\\Temp\\keystore.pfx",
            "keystore_password": "change.it",
            "cert_alias": "domain.com"
        },

We can add the following attributes to the json file to import an SSL certificate into Portal for ArcGIS (7443):

Example:

"portal": {
            "install_dir": "C:\\Program Files\\ArcGIS\\Portal",
            "install_system_requirements": true,
            "admin_username": "siteadmin",
            "admin_password": "change.it",
            "admin_email": "admin@mydomain.com",
            "admin_full_name": "Administrator",
            "admin_description": "Initial account administrator",
            "security_question": "Your favorite ice cream flavor?",
            "security_question_answer": "bacon",
            "data_dir": "C:\\arcgisportal",
            "log_dir": "C:\\arcgisportal\\logs",
            "log_level": "WARNING",
            "content_store_type": "fileStore",
            "content_store_provider": "FileSystem",
            "content_store_connection_string": "\\\\FILESERVER\\arcgisportal\\content",
            "object_store": "",
            "authorization_file": "C:\\Software\\AuthorizationFiles\\10.9\\Portal.json",
            "user_license_type_id": "",
            "wa_name": "portal",
            "system_properties": {
                "privatePortalURL": "https://domain.com:7443/arcgis",
                "WebContextURL": "https://domain.com/portal"
            },
            "keystore_file": "C:\\Temp\\keystore.pfx",
            "keystore_password": "change.it",
            "cert_alias": "domain.com"
        },

One additional thing that could be causing the portal web adaptor registration to fail is the silent webadaptor config utility does a url validation check on either the portal privatePortalURL and/or portal WebContextURL. If this validation check fails then portal web adaptor registration will fail with a similar error that you are receiving.

For the portal privatePortalURL property are you specifying the internal hostname of the portal machine with port 7443 or using an internal load balancer?

For the portal WebContextURL property, are you specifying an external reverse proxy, load balancer, or web adaptor url?

It's very possible that the ArcGIS Web Adaptor silent configure tool is not able to validate either of those properties. One way to test this is to see if manually configuring the web adaptor succeeds via the web browser (the web browser tool does not do the same url validation check as the silent tool).

You can also try manually running the following command in Windows cmd (as an Administrator):

"C:\Program Files (x86)\Common Files\ArcGIS\WebAdaptor\IIS\10.9\Tools\ConfigureWebAdaptor.exe" /m portal /w "https://MACHINENAME/portal/webadaptor" /g "https://MACHINENAME:7443" /u "portaladmin_user" /p "password" /r false

I suspect this command will fail. If it does then perhaps one workaround would be to temporarily add an etc/hosts entry pointing the web adaptor machine's ipv4 address to the FQDN of the WebContextURL. This may trick the tool and allow the url validation check to succeed.

Or if you don't want to add an etc/host entry, then another option would be to temporarily remove the portal privatePortalURL and WebContextURL from portaladmin system properties (and json file), which will allow the web adaptor registration to complete. Once the web adaptor is registered, you can put them back.
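A pre-flight check for the two causes discussed in this thread (URL hosts that do not resolve from the Web Adaptor node, and a certificate on 7443/6443 that the client does not trust), as an added example that is not part of the original thread or the cookbook. The function names, the `lb.example.com` host and the trimmed sample attributes are constructed for illustration.

```ruby
%w[json uri resolv socket openssl].each { |lib| require lib }

# Constructed sample, trimmed to the URL and certificate attributes shown in the thread.
SAMPLE = <<~'EOS'
  {"arcgis": {"server": {"private_url": "https://domain.com:6443/arcgis",
                         "web_context_url": "https://domain.com/server"},
    "portal": {"keystore_file": "C:\\Temp\\keystore.pfx", "cert_alias": "domain.com",
               "system_properties": {"privatePortalURL": "https://domain.com:7443/arcgis",
                                     "WebContextURL": "https://lb.example.com/portal"}}}}
EOS

# List each HTTPS URL set for portal/server and whether a cert import is configured.
def endpoints(attrs)
  %w[portal server].flat_map do |comp|
    cfg = attrs.dig('arcgis', comp) || {}
    urls = cfg.slice('private_url', 'web_context_url').merge(cfg['system_properties'] || {})
    urls.select { |_, v| v.to_s.start_with?('https://') }.map do |key, url|
      uri = URI.parse(url)
      { component: comp, key: key, host: uri.host, port: uri.port,
        cert_import: %w[keystore_file cert_alias].all? { |k| !cfg[k].to_s.empty? } }
    end
  end
end

# Resolve the host, then attempt a TLS handshake with chain and hostname verification.
# Assumes the issuing CA is in the trust store used by this Ruby's OpenSSL.
def probe(ep, timeout: 5)
  return ep.merge(status: 'dns-failure') if Resolv.getaddresses(ep[:host]).empty?
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.set_params # defaults: VERIFY_PEER, hostname verification, OpenSSL default trust store
  tcp = Socket.tcp(ep[:host], ep[:port], connect_timeout: timeout)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.hostname = ep[:host] # SNI, also the name checked against the certificate
  ssl.sync_close = true
  ssl.connect
  ep.merge(status: 'ok', tls: ssl.ssl_version)
rescue OpenSSL::SSL::SSLError => e
  ep.merge(status: 'tls-failure', detail: e.message) # e.g. self-signed cert, protocol mismatch
rescue SystemCallError, SocketError => e
  ep.merge(status: 'connect-failure', detail: e.message)
ensure
  (ssl || tcp)&.close
end

if __FILE__ == $PROGRAM_NAME && ARGV[0] # run only when given an attributes file
  endpoints(JSON.parse(File.read(ARGV[0]))).each do |ep|
    puts probe(ep).values_at(:component, :key, :host, :port, :status, :tls, :detail).compact.join(' ')
  end
end
```

Run it on the Web Adaptor node with the attributes file as the only argument; a `tls-failure` on 7443 or 6443 for a component whose `cert_import` is false points at the default self-signed certificate.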

makariw commented 2 years ago

Hi,

Thanks for the feedback. I will try this and let you know the results.

makariw commented 2 years ago

Hi Cameron,

I managed to get the install in the primary machine to complete successfully by setting the privatePortalURL to https://machinename:7443/arcgis and the WebContextURL to https://machinename/portal.

However, I still need to set the WebContextURL to the load balancer URL, i.e. https://lb/portal, as ESRI Portal will be accessed via the load balancer by our customers. What is the best way of doing this after running the install?

On the primary machine I can successfully log in to ESRI Portal from the Start menu, i.e. Start > ArcGIS > ESRI Portal for ArcGIS. However, if I try to run ArcGIS Server Manager from Start > ArcGIS > ArcGIS Server Manager I get the following error: "Invalid redirect_uri Error: 400". Is there a way round this issue?

It seems the only way I can run ArcGIS Server Manager on the primary machine is to go directly to https://primarymachinename:6443/arcgis.

I have also successfully run the install on the standby machine.

I have also hit a couple of issues on the standby machine though. Running ESRI Portal from the Start menu is fine. However, I get "Invalid redirect_uri Error: 400" when I try to run ArcGIS Server Manager from the Start menu.

Trying to run ArcGIS Server Manager by going directly to https://standbymachine:6443/arcgis does not work either. I get prompted for my credentials and after inputting them it hangs on "Please wait..." and never logs into ArcGIS Server Manager.

Any pointers on how I can fix these issues will be much appreciated.

makariw commented 2 years ago

Hi,

Any comments on the above?

cameronkroeker commented 2 years ago

Hi @makariw,

I believe the issue is with the Web Adaptor command line registration tool. When the WebContextURL property is set to https://lb/portal the web adaptor command line tool is likely doing a url check of some kind on the lb url which is failing. As a workaround perhaps you could try adding a temporary etc/host entry (on the machine where the web adaptor is being registered) pointing the local ipv4 address to the lb dns alias that is set for WebContextURL. Once the registration of Web Adaptor is complete you should then be able to remove the etc/host entry.

As for the other error "Invalid redirect_uri Error: 400" when accessing ArcGIS Server Mgr, please check out the solution for Scenario 1. You will need to add any/all hostnames that are not listed in the redirect url list.

https://support.esri.com/en/technical-article/000015445

I believe the link from Start Menu refers to "https://localhost:6443/arcgis/manager", so the "Invalid redirect_uri Error: 400" is happening because "localhost" is not a part of the default redirect uri list.

And as for https://standbymachine:6443/arcgis not working it could be due to the following:

https://enterprise.arcgis.com/en/portal/latest/administer/windows/high-availability-in-arcgis-enterprise.htm#ESRI_SECTION1_1106A9998CC843A691DEFC03110F15B3

When you federate a highly available ArcGIS Server site with your ArcGIS Enterprise portal, set Administration URL to a URL that the portal can use to communicate with all servers in the site. This applies even when a URL is unavailable, such as a load balancer URL.

Also be aware that using a load balancer URL affects the way you connect to ArcGIS Server Manager. For example, if you federate using a load balancer URL, you must connect to Server Manager using the load balancer; you cannot use the default Server Manager URL of https://gisserver.domain.com:6443/arcgis/manager.

Thanks, Cameron K.

cameronkroeker commented 2 years ago

Hello @makariw,

I wanted to follow up to see if the information I provided in the previous post was helpful?

Also, as an FYI there were improvements made with the ArcGIS Web Adaptor command line registration tool at 10.9.1, so this situation can be avoided starting with 10.9.1+ and cookbook v3.8.0.

Thanks, Cameron K.