Esri / arcgis-powershell-dsc

This repository contains scripts, code and samples for automating the install and configuration of ArcGIS (Enterprise and Desktop) using Microsoft Windows PowerShell DSC (Desired State Configuration).
Apache License 2.0

Web Adaptor Config - Unable to register with Alias (The web adaptor configuration URL has to be accessed from the machine hosting the web adaptor) #202

Open pfoppe opened 5 years ago

pfoppe commented 5 years ago

I'm attempting a base enterprise build across 3 servers and have an alias applied through the SSL certificate (see attached redacted .json file):

The PSDSC execution indicates it fails on server federation:

[]PowerShell DSC resource ArcGIS_Federation failed to execute Test-TargetResource functionality with error message: Unable to retrieve Portal Token for 'REDACTED' from Deployment 'www.example.com'
[]The SendConfigurationApply function did not succeed.

But upon further inspection, the server web-adaptor is not registered with the back-end server (federated/hosting server), and the "ArcGISConfigure" log indicates the web-adaptor registration failed:

[MACHINE0]: [[ArcGIS_WebAdaptor]ConfigurePortalMACHINE0.domain] https://www.example.com/portal/webadaptor
[MACHINE0]: [[ArcGIS_WebAdaptor]ConfigurePortalMACHINE0.domain] Output of execution:- The web adaptor configuration URL has to be accessed from the machine hosting the web adaptor.
[MACHINE0]: LCM: [ End Set ] [[ArcGIS_WebAdaptor]ConfigurePortalMACHINE0.domain] in 0.9150 seconds.

And if I log in to the IIS server with the web adaptor and access the web adaptor on the FQDN, I have the same issue. I am able to register the web adaptor manually by changing the URL in the local server browser to its hostname.

Any thoughts on this? Thanks.

PS - There is a Web Application Firewall in front of this which is the termination point for the public FQDN (www.example.com) where the SSL certificate is loaded.

1061 Install ArcGIS Enterprise Base with Alias REDACTED.txt

spitzerr commented 5 years ago

Hi,

Can you please clarify some things?

Furthermore, the DSC is using the command-line tool for registering the web adaptor. Could you uncomment these two lines (https://github.com/Esri/arcgis-powershell-dsc/blob/037b14af2d058f54c96a0f46f4facd9baf77579f/Modules/ArcGIS/DSCResources/ArcGIS_WebAdaptor/ArcGIS_WebAdaptor.psm1#L140-L141) and check if the parameters are correct?

Can you register the web adaptor manually using the command-line tool?

pfoppe commented 5 years ago

Hi @spitzerr,

Sorry about the confusion. After looking at the logs again, the web adaptor for both Portal AND Server failed; I just copied out the failure messages for Portal. Here is the failure for the Server -

[MACHINE0]: [[ArcGIS_WebAdaptor]ConfigureServerMACHINE0.DOMAIN] https://www.example.com/arcgishosted/webadaptor
[MACHINE0]: [[ArcGIS_WebAdaptor]ConfigureServerMACHINE0.DOMAIN] Output of execution:- The web adaptor configuration URL has to be accessed from the machine hosting the web adaptor.
[MACHINE0]: LCM: [ End Set ] [[ArcGIS_WebAdaptor]ConfigureServerMACHINE0.DOMAIN] in 1.3350 seconds.

I think the PSDSC output message ("First Error") is actually a consequence of the web adaptor not registering correctly. PSDSC cannot generate a token because the web adaptor is not set up correctly...

I uncommented the 2 lines you mentioned and re-attempted:

[MACHINE0]: [[ArcGIS_WebAdaptor]ConfigureServerMACHINE0.DOMAIN] https://www.example.com/arcgishosted/webadaptor
[MACHINE0]: [[ArcGIS_WebAdaptor]ConfigureServerMACHINE0.DOMAIN] Executing C:\Program Files (x86)\Common Files\ArcGIS\WebAdaptor\IIS\Tools\ConfigureWebAdaptor.exe with arguments /m server /w https://www.example.com/arcgishosted/webadaptor /g https://MACHINE2.DOMAIN:6443 /u REDACTED /p REDACTED /a true
[MACHINE0]: [[ArcGIS_WebAdaptor]ConfigureServerMACHINE0.DOMAIN] C:\Program Files (x86)\Common Files\ArcGIS\WebAdaptor\IIS\Tools\ConfigureWebAdaptor.exe /m server /w https://www.example.com/arcgishosted/webadaptor /g https://MACHINE2.DOMAIN:6443 /u REDACTED /p REDACTED /a true
[MACHINE0]: [[ArcGIS_WebAdaptor]ConfigureServerMACHINE0.DOMAIN] Output of execution:- The web adaptor configuration URL has to be accessed from the machine hosting the web adaptor.
[MACHINE0]: LCM: [ End Set ] [[ArcGIS_WebAdaptor]ConfigureServerMACHINE0.DOMAIN] in 1.2130 seconds.
[MACHINE0]: LCM: [ End Resource ] [[ArcGIS_WebAdaptor]ConfigureServerMACHINE0.DOMAIN]
[MACHINE0]: LCM: [ Start Resource ] [[ArcGIS_WebAdaptor]ConfigurePortalMACHINE0.DOMAIN]
[MACHINE0]: LCM: [ Start Test ] [[ArcGIS_WebAdaptor]ConfigurePortalMACHINE0.DOMAIN]
[MACHINE0]: LCM: [ End Test ] [[ArcGIS_WebAdaptor]ConfigurePortalMACHINE0.DOMAIN] in 0.6490 seconds.
[MACHINE0]: LCM: [ Start Set ] [[ArcGIS_WebAdaptor]ConfigurePortalMACHINE0.DOMAIN]
[MACHINE0]: [[ArcGIS_WebAdaptor]ConfigurePortalMACHINE0.DOMAIN] https://www.example.com/portal/webadaptor
[MACHINE0]: [[ArcGIS_WebAdaptor]ConfigurePortalMACHINE0.DOMAIN] Executing C:\Program Files (x86)\Common Files\ArcGIS\WebAdaptor\IIS\Tools\ConfigureWebAdaptor.exe with arguments /m portal /w https://www.example.com/portal/webadaptor /g https://MACHINE0.DOMAIN:7443 /u REDACTED /p REDACTED
[MACHINE0]: [[ArcGIS_WebAdaptor]ConfigurePortalMACHINE0.DOMAIN] C:\Program Files (x86)\Common Files\ArcGIS\WebAdaptor\IIS\Tools\ConfigureWebAdaptor.exe /m portal /w https://www.example.com/portal/webadaptor /g https://MACHINE0.DOMAIN:7443 /u REDACTED /p REDACTED
[MACHINE0]: [[ArcGIS_WebAdaptor]ConfigurePortalMACHINE0.DOMAIN] Output of execution:- The web adaptor configuration URL has to be accessed from the machine hosting the web adaptor.
[MACHINE0]: LCM: [ End Set ] [[ArcGIS_WebAdaptor]ConfigurePortalMACHINE0.DOMAIN] in 0.8600 seconds.

I also tried to run ConfigureWebAdaptor.exe from an admin command prompt on the web adaptor hosting server (MACHINE0) and received the same error.

If I change the /w parameter from www.example.com to localhost it succeeds.

cameronkroeker commented 5 years ago

@pfoppe

"The web adaptor configuration URL has to be accessed from the machine hosting the web adaptor"

For the above error, this is an ArcGIS Web Adaptor security feature, so that publicly accessible WAs can't be configured from any location.

As a workaround, try temporarily adding an etc/hosts entry on the IIS server. In the hosts file, point the DNS alias to the internal IP of the IIS server.

For example, in the C:\Windows\System32\drivers\etc\hosts:

#<internal IP of the IIS Server> <dns.alias.com>
10.29.77.65    alias.domain.com

This should "trick" the WA into thinking the DNS alias is its local hostname. Then, as a test, launch a web browser from the IIS server and configure the WA using https://alias.domain.com/portal/webadaptor and/or https://alias.domain.com/server/webadaptor. As long as DNS is configured correctly, this entry can be removed after the WA registration completes.

Keep in mind, though, that if this hosts entry is present during Portal/AGS site creation, then Portal/Server (7443, 6443) will use the DNS alias as its machine name.

Also, I notice in the json file it's pointing to a .cer file for the SSL certificate. This actually needs to be a .pfx, since a .cer does not contain the full chain or private key of the certificate.

pfoppe commented 5 years ago

Hi @cameronkroeker,

Thanks for the response! I think the local etc\hosts entry did the trick!

There are a few complexities on this public deployment (compared to our internal deployments), and I think the real issue is that our alias (www.example.com) is an A record pointing to a publicly accessible IP address of our Web Application Firewall (WAF). Since that public IP is not 'local', the web adaptor is failing to register. I had to acquire a corporate CA-signed machine-level SSL certificate with the 'www.example.com' SAN, and yes, it is a .cer file, but I am manually applying it to IIS after the fact. Unfortunately, I need to specify a certificate in the .JSON to get the alias applied correctly. Our internal CA only supports a CSR workflow where they provide us a .cer, and I have an enhancement request in to support a .cer file - https://github.com/Esri/arcgis-powershell-dsc/issues/169

After discussing with our network engineers, our internal deployments use a CNAME record where an internal alias (ex - internal.example.com) resolves to a machine name, which resolves to an IP address. So the web adaptor registration is succeeding there, since the CNAME record on internal deployments ultimately resolves to the same IP address as the local NIC.

So I think the major takeaway here is that the ArcGIS PowerShell DSC module only supports a CNAME 'alias' or A record if it resolves to the same IP address as the web adaptor server. If there is a CNAME or A record that resolves to an upstream device (like a firewall or other load-balanced server), then an etc/hosts configuration is needed to succeed (prerequisite).

So... Are you interested in flagging this as an enhancement request to:

Consider supporting a CNAME or A Record resolving to a different device by changing ConfigureWebAdaptor.exe /w switch from https://alias/context/webadaptor to https://localhost/context/webadaptor

Thanks for the consideration! I've taken some notes in our internal configuration guides to reflect the need for the etc\hosts fix for these public deployments. Appreciate the insight and support on this blocking issue.
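The hosts-file workaround cameronkroeker describes, combined with the "does the alias resolve to my own NIC?" check behind pfoppe's takeaway, as an added PowerShell example. This is not code from the arcgis-powershell-dsc repository or from any commenter. It assumes the placeholder names from this thread (www.example.com, the arcgishosted context, MACHINE2.DOMAIN:6443, the ConfigureWebAdaptor.exe path shown in the logs), uses the Windows DnsClient and NetTCPIP cmdlets (Resolve-DnsName, Get-NetIPAddress, Clear-DnsClientCache), and assumes nothing about ConfigureWebAdaptor.exe's exit code, which is why it also matches the error text from the logs. Run it elevated on the IIS machine that hosts the web adaptor, before Portal/Server site creation.

```powershell
# Added example, not part of the Esri repository. All host names, paths and the
# context name are placeholders taken from the thread; adjust for your deployment.
$Alias        = 'www.example.com'                 # public alias on the certificate (A record to the WAF)
$Context      = 'arcgishosted'                    # web adaptor name in IIS
$Mode         = 'server'                          # 'server' or 'portal'
$BackendUrl   = 'https://MACHINE2.DOMAIN:6443'    # internal ArcGIS Server (6443) or Portal (7443) URL
$ConfigureExe = 'C:\Program Files (x86)\Common Files\ArcGIS\WebAdaptor\IIS\Tools\ConfigureWebAdaptor.exe'
$HostsFile    = "$env:SystemRoot\System32\drivers\etc\hosts"
$Credential   = Get-Credential -Message 'ArcGIS Server site / Portal administrator'

# This machine's own IPv4 address: first non-loopback, non-APIPA. Pick explicitly if multi-homed.
$LocalIp = (Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
    Select-Object -First 1).IPAddress

# Resolve the alias. A CNAME chain that ends on this machine yields our own IP among the A records;
# an A record pointing at a WAF/load balancer does not, and that is exactly the case the tool rejects.
$Resolved = @(Resolve-DnsName -Name $Alias -Type A -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress)
$NeedsHostsEntry = $Resolved -notcontains $LocalIp
Write-Host "$Alias resolves to [$($Resolved -join ', ')]; local IP is $LocalIp; hosts override needed: $NeedsHostsEntry"

$Backup = "$HostsFile.bak-$(Get-Date -Format yyyyMMddHHmmss)"
try {
    if ($NeedsHostsEntry) {
        # Temporary override so the web adaptor sees the alias as its own hostname.
        Copy-Item -Path $HostsFile -Destination $Backup
        Add-Content -Path $HostsFile -Value "$LocalIp`t$Alias`t# temporary: ArcGIS Web Adaptor registration" -Encoding ASCII
        Clear-DnsClientCache
    }

    # Same switches the DSC resource logs above show. Note /p puts the password on the command
    # line, where any local process-list reader can see it for the lifetime of the process.
    $CliArgs = @(
        '/m', $Mode,
        '/w', "https://$Alias/$Context/webadaptor",
        '/g', $BackendUrl,
        '/u', $Credential.UserName,
        '/p', $Credential.GetNetworkCredential().Password
    )
    if ($Mode -eq 'server') { $CliArgs += '/a', 'true' }   # enable admin access through the WA (Server only)

    $OutputText = (& $ConfigureExe @CliArgs 2>&1 | Out-String)
    Write-Host $OutputText
    # Exit-code semantics of ConfigureWebAdaptor.exe are an assumption; the text match is the reliable signal.
    if ($LASTEXITCODE -ne 0 -or $OutputText -match 'has to be accessed from the machine hosting') {
        throw "Web adaptor registration failed (exit code $LASTEXITCODE)"
    }
}
finally {
    # Always restore the hosts file, so Portal/Server site creation does not pick up the alias as machine name.
    if ($NeedsHostsEntry -and (Test-Path $Backup)) {
        Copy-Item -Path $Backup -Destination $HostsFile -Force
        Remove-Item -Path $Backup
        Clear-DnsClientCache
    }
}
```

The `finally` block is the important part: the override is only meant to satisfy the "accessed from the machine hosting the web adaptor" check, and leaving it in place changes the machine name Portal/Server records at site creation, as noted above. If you fold this into a DSC run, keep the same ordering: override, register, restore, and only then let ArcGIS_Portal/ArcGIS_Server create the site.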

spitzerr commented 5 years ago

I'd like to have this enhancement as well. But I think it's not only done by changing the command-line arguments, as the web adaptor then registers with localhost. It is furthermore necessary to update the web adaptor URL via an admin/REST call to have a clean installation. I guess it will work correctly, as the web context URL is set for Portal and ArcGIS Server does not mind the web adaptor URL at this point in time. But nevertheless, I think this URL should be changed according to the alias URL.
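The second half of the proposal above (register with localhost, then rewrite the stored web adaptor URL) as an added PowerShell example, not code from the repository or from any commenter. It uses the ArcGIS Server Administrator API endpoints generateToken, system/webadaptors and system/webadaptors/<id>/edit with their documented parameter names (webAdaptorURL, description, httpPort, httpsPort, isAdminEnabled); check those against the admin API reference for your ArcGIS Enterprise version before relying on them. MACHINE2.DOMAIN:6443 and https://www.example.com/arcgishosted are placeholders from the thread, and the admin API stores the web adaptor URL as the context root (without the trailing /webadaptor), which is an assumption this example makes.

```powershell
# Added example, not part of the Esri repository. Assumes ConfigureWebAdaptor.exe was already run
# with /w https://localhost/<context>/webadaptor, so ArcGIS Server currently lists a localhost URL.
$ServerAdmin = 'https://MACHINE2.DOMAIN:6443/arcgis/admin'       # internal Server admin endpoint
$PublicUrl   = 'https://www.example.com/arcgishosted'             # context root behind the alias
$Credential  = Get-Credential -Message 'ArcGIS Server site administrator'

# 1. Short-lived admin token. client=requestip ties it to the IP the server sees this call from.
$TokenResponse = Invoke-RestMethod -Method Post -Uri "$ServerAdmin/generateToken" -Body @{
    username   = $Credential.UserName
    password   = $Credential.GetNetworkCredential().Password
    client     = 'requestip'
    expiration = 10          # minutes
    f          = 'json'
}
if (-not $TokenResponse.token) { throw "Could not obtain admin token: $($TokenResponse | ConvertTo-Json -Compress)" }
$Token = $TokenResponse.token

# 2. Find the registration that still points at localhost.
$List = Invoke-RestMethod -Method Post -Uri "$ServerAdmin/system/webadaptors" -Body @{ token = $Token; f = 'json' }
$Wa = $List.webAdaptors | Where-Object { $_.webAdaptorURL -like 'https://localhost/*' } | Select-Object -First 1
if (-not $Wa) { throw 'No web adaptor registered with a localhost URL; nothing to rewrite' }
Write-Host "Rewriting web adaptor $($Wa.id) on $($Wa.machineName): $($Wa.webAdaptorURL) -> $PublicUrl"

# 3. Edit it in place, keeping ports and the admin-access flag exactly as registered.
#    Booleans are sent as lower-case strings, which is what the JSON-style admin API expects.
$Edit = Invoke-RestMethod -Method Post -Uri "$ServerAdmin/system/webadaptors/$($Wa.id)/edit" -Body @{
    webAdaptorURL  = $PublicUrl
    description    = "$($Wa.description)"
    httpPort       = $Wa.httpPort
    httpsPort      = $Wa.httpsPort
    isAdminEnabled = "$($Wa.isAdminEnabled)".ToLower()
    token          = $Token
    f              = 'json'
}
if ($Edit.status -ne 'success') { throw "Edit failed: $($Edit | ConvertTo-Json -Compress)" }

# 4. Read it back and confirm the stored URL now matches the alias.
$After = (Invoke-RestMethod -Method Post -Uri "$ServerAdmin/system/webadaptors" -Body @{ token = $Token; f = 'json' }).webAdaptors |
    Where-Object { $_.id -eq $Wa.id }
if ($After.webAdaptorURL -ne $PublicUrl) { throw "Web adaptor URL is '$($After.webAdaptorURL)', expected '$PublicUrl'" }
$After | Select-Object id, webAdaptorURL, machineName, httpsPort, isAdminEnabled
```

Two practical notes. First, port 6443 usually presents the self-signed ArcGIS Server certificate; rather than disabling certificate validation for the session, trust that certificate on the admin workstation (or replace it with a CA-issued one) so the admin token never travels over an unverified TLS connection. Second, Portal has an analogous edit endpoint under portaladmin/system/webadaptors on 7443, with its token issued by sharing/rest/generateToken; the parameter set differs slightly, so treat that as a separate change and verify it against the Portal admin API reference rather than reusing this script unmodified.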