Esri / arcgis-cookbook

Chef cookbooks for ArcGIS
Apache License 2.0

ArcGIS Server Directories root: "Access Denied" - but only with Cinc #333

Open thk70 opened 1 year ago

thk70 commented 1 year ago

The Directories root (and config store/logs) are residing on a fileshare. If I install with Cinc it errors with "error 5 - access denied", but if I install by hand using the "Configure ArcGIS Server Account" utility it works fine. The AD service account running ArcGIS Server (and my own interactive logged-in account) has Full permissions on the fileshare.

AGS server and fileserver Windows 2022 (VM); AGS 10.9.1; Cinc client 16.16.13; Esri cookbooks 4.0

From log:

directory[E:\arcgisserver\arcgisserver-hosting] action create (arcgis-enterprise::server line 90)

================================================================================
Error executing action `create` on resource 'directory[E:\arcgisserver\arcgisserver-hosting\]'
================================================================================

Chef::Exceptions::Win32APIError
-------------------------------
Access is denied.
---- Begin Win32 API output ----
System Error Code: 5
System Error Message: Access is denied.
---- End Win32 API output ----

Resource Declaration:
---------------------
# In E:/chef_cache/cookbooks/arcgis-enterprise/recipes/server.rb

 90: directory node['arcgis']['server']['directories_root'] do
 91:   owner node['arcgis']['run_as_user']
 92:   if node['platform'] != 'windows'
 93:     mode '0700'
 94:   end
 95:   recursive true

Compiled Resource:
------------------
# Declared in E:/chef_cache/cookbooks/arcgis-enterprise/recipes/server.rb:90:in `from_file'

directory("E:\arcgisserver\arcgisserver-hosting\") do
  action [:create]
  default_guard_interpreter :default
  declared_type :directory
  cookbook_name "arcgis-enterprise"
  recipe_name "server"
  recursive true
  owner "D007\\S_GIS_DEV_APP_ARCGIS"
  group nil
  mode nil
  not_if { #code block }
end

System Info:
------------
chef_version=16.16.13
platform=windows
platform_version=10.0.20348
ruby=ruby 2.7.4p191 (2021-07-07 revision a21a3b7d23) [x64-mingw32]
program_name=C:/cinc-project/cinc/bin/cinc-client
executable=C:/cinc-project/cinc/bin/cinc-client

The same error happens if I rerun Cinc after successfully installing ArcGIS Server manually in the same destination folders. Any thoughts?

thk70 commented 1 year ago

I probably should mention I'm running the Cinc script as Administrator (Run as Administrator) (Elevated). My account is a member of the "Administrators" group. The AGS server account is not a member of any local groups, of course.

cameronkroeker commented 1 year ago

Hi @thk70,

Could you attach your json file (scrub out sensitive information such as passwords and machine names, etc)? If config-store and directories are a file share then you will want to pass in the file share UNC path not a local path. For example:

https://github.com/Esri/arcgis-cookbook/blob/237b0e39fca0a3b5988b997430bf7beb3637e039/templates/arcgis-server/11.0/windows/arcgis-server.json#L19

https://github.com/Esri/arcgis-cookbook/blob/237b0e39fca0a3b5988b997430bf7beb3637e039/templates/arcgis-server/11.0/windows/arcgis-server.json#L22

Otherwise, if a local path such as E:\\arcgisserver\\arcgisserver-hosting is specified, then the server.rb recipe will attempt to create it if it doesn't exist:

https://github.com/Esri/arcgis-cookbook/blob/237b0e39fca0a3b5988b997430bf7beb3637e039/cookbooks/arcgis-enterprise/recipes/server.rb#L90-L99

Thanks, Cameron K.

thk70 commented 1 year ago

Hi @cameronkroeker

On further investigation I found out that the Cinc client (or rather the interactive user running the installation) needs at least Modify permissions on the parent container (folder) E:\arcgisserver, which it didn't have. Both containers for the directories root, E:\arcgisserver and E:\arcgisserver\arcgisserver-hosting, are pre-created, but the service user and the interactive user only have Full permissions on the subfolder called arcgisserver-hosting.

This is not an issue running the manual installation. Only the Cinc installation requires permissions on all folders in the path, even if they are already created. I would suggest that's a prevailing behaviour for the Cinc client.

However, I think the manual installation wizard requires that the directories root is already created before running the installation. And Cinc is probably trying to create them in any case.

I found a workaround with "temporarily giving permissions during installation" which I think can pass the sec-office.

Thanks, Thomas
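A pre-flight check for the situation described in this thread, as an added example that is not part of the issue or of the arcgis-cookbook: it walks from the directories root up to the drive or share root and reports, for the account running the Cinc client, whether the folder ACL grants the Modify right the last comment mentions. The default path is the one from the log. The ACE evaluation is a simplified assumption: it ignores share-level permissions, generic-rights ACEs and privileges held by the token.

```powershell
# Added example. Run it in the same elevated session that will run cinc-client.
param(
    [string]$DirectoriesRoot = 'E:\arcgisserver\arcgisserver-hosting',
    [System.Security.AccessControl.FileSystemRights]$Required = 'Modify'
)

# SIDs carried by the current token: the user plus every group it belongs to.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$sids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

# Every folder from the directories root up to the drive or share root.
$folders = @()
$current = $DirectoriesRoot.TrimEnd('\')
while ($current) {
    $folders += $current
    $current = [System.IO.Path]::GetDirectoryName($current)   # $null at the root
}

$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
$report = foreach ($folder in $folders) {
    $allow = 0; $deny = 0; $readable = $true
    try {
        $rules = (Get-Acl -LiteralPath $folder -ErrorAction Stop).GetAccessRules(
            $true, $true, [System.Security.Principal.SecurityIdentifier])
    } catch {
        $rules = @(); $readable = $false      # cannot even read the ACL
    }
    foreach ($rule in $rules) {
        # Skip ACEs that only apply to children and ACEs for other principals.
        if (([int]$rule.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        if ($sids -notcontains $rule.IdentityReference.Value) { continue }
        if ($rule.AccessControlType -eq 'Allow') { $allow = $allow -bor [int]$rule.FileSystemRights }
        else { $deny = $deny -bor [int]$rule.FileSystemRights }
    }
    $effective = $allow -band (-bnot $deny)   # an explicit deny wins over an allow
    [pscustomobject]@{
        Folder      = $folder
        AclReadable = $readable
        Granted     = '0x{0:X8}' -f $effective
        HasRequired = ($effective -band [int]$Required) -eq [int]$Required
    }
}
$report | Format-Table -AutoSize
```

A folder that shows `HasRequired` as False is where a temporary grant like the workaround above would be scoped.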