
Thread: Physical HTTP load balancer, ArcGIS for Server, and Active Directory

  1. #1
    Ghassan Karwchan

    Our company wants to upgrade ArcGIS to 10.1.
    We are using Active Directory security on the server.
    So, from what I know, we have to use the Web Adaptor of 10.1 if we are using Active Directory in order to authenticate the users.
    But at the same time, our current setup uses a load balancer, which is a physical HTTP router.

    Is there a way to use the physical balancer and authenticate with the Windows logged-in users?

    Our IT is insisting on using the load balancer, because we cannot trust how good the Web Adaptor is as a load balancer.

  2. #2
    Bubba Hey

    I will let someone else answer the load balancer question, but you don't need the Web Adaptor for Windows or LDAP/Active Directory authentication. The Web Adaptor is only needed if you want external users to have access to your pages.

    See:

    Configuring ArcGIS Server security
    http://resources.arcgis.com/en/help/...000005qz000000

  3. #3
    Bubba Hey

    More info:
    Inside an ArcGIS Server site

    http://resources.arcgis.com/en/help/...000003p4000000

  4. #4
    Ghassan Karwchan

    Originally posted by bubbahey25:
        I will let someone else answer the load balancer question, but you don't need the Web Adaptor for Windows or LDAP/Active Directory authentication. The Web Adaptor is only needed if you want external users to have access to your pages.

        See:

        Configuring ArcGIS Server security
        http://resources.arcgis.com/en/help/...000005qz000000

    I am not sure if this is correct.

    From the same document, it is clear in the paragraph about web server authentication:

    Web server authentication requires installing the ArcGIS Web Adaptor on your web server. When web server authentication is configured, ArcGIS Server delegates authentication to the Web Adaptor. Once a user is successfully authenticated, the ArcGIS Web Adaptor encrypts and appends the user information to the request and forwards it to ArcGIS Server. ArcGIS Server receives and decrypts the user information to verify that the user has the authorization to access the requested GIS web service.

  5. #5
    Ghassan Karwchan

    For more information about my question

    I want to use LDAP/Active Directory as user/role data store
    and I want to use Integrated Windows Authentication to authenticate users.

    And I found this paragraph

    Integrated Windows Authentication is not supported over the Internet and requires the installation and configuration of the ArcGIS Web Adaptor (IIS). For information, see About the ArcGIS Web Adaptor. The Web Adaptor performs authentication, while ArcGIS Server authorizes access to the web services.


    From this document: http://resources.arcgis.com/en/help/...0000517000000/

    So, my question is:
    I want to use Integrated Windows Authentication, and at the same time the company is using a load balancer to balance the requests, and the load balancer is just a hardware box. How can I do that?
    The load balancer that is used is: http://www.f5.com/glossary/load-balancer/

  6. #6
    christopher fricke

    I just got done setting something up like this.

    You should be okay for integrated windows authentication on IIS through the load balancer. You just need to make sure that the SSL certificate installed in IIS on each background server is using the hostname of the load balancer.

    In the below scenario, SSL Certs will need to be for LB1


    AGS 1--\
    AGS 2---- LB1
    AGS 3--/


    Currently, Active Directory / IIS authentication is incredibly finicky at 10.1 SP1. Some of these things are supposed to be fixed at 10 SP2; however, here are a few troubleshooting suggestions:
    • If you start getting 500 error messages like "Unable to process request. ArcGIS Server Site is not configured. Check with your ArcGIS Server administrator for resolution; an ArcGIS Server site is created or machines are added to an existing site using ArcGIS Server Manager.", this can be caused by ArcGIS Server getting out of sync with your AD.
      1. Set Role storage back to ArcGIS Server
      2. Restart ArcGIS server
      3. Set Role storage to AD with Token Authentication
      4. Restart ArcGIS server
      5. Set role storage to AD and set IIS authentication
      6. Restart server

    • If you are getting random 400 messages when accessing the REST endpoint, but can still log into Manager, this could be an issue with your user being in too many AD groups. This results in the size of the requests being too large for ArcGIS Server to handle.
      1. Open C:\Program Files\ArcGIS\Server\framework\runtime\tomcat\conf\server.xml
      2. Look for this text at the very bottom of the file:

        <Connector SSLEnabled="true" clientAuth="false" keyAlias="SelfSignedCertificate" keystoreFile="/opt/esri/3135_upgrade/arcgis/server/usr/config-store/machines/RHDAILY.ESRI.COM/arcgis.keystore" keystorePass="<blah blah blah>" maxThreads="150" port="6443" protocol="org.apache.coyote.http11.Http11Protocol" scheme="https" secure="true" sslProtocol="TLS"/>
      3. Insert maxHttpHeaderSize="65535" as an attribute of the XML so that it looks like this:

        <Connector SSLEnabled="true" clientAuth="false" keyAlias="SelfSignedCertificate" keystoreFile="/opt/esri/3135_upgrade/arcgis/server/usr/config-store/machines/RHDAILY.ESRI.COM/arcgis.keystore" keystorePass="<blah blah blah>" maxThreads="150" port="6443" protocol="org.apache.coyote.http11.Http11Protocol" scheme="https" secure="true" sslProtocol="TLS" maxHttpHeaderSize="65535"/>
    • You may have to modify the WebContextURL - http://servicesbeta2.esri.com/arcgis...roperties.html
    • Also check out http://support.esri.com/en/knowledge...s/detail/40694 for more info
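
The maxHttpHeaderSize change from post #6, as an added example that is not part of the thread and not Esri's tooling: a Python check that reports each Tomcat Connector's effective header limit and applies the 65535 value to the port 6443 connector. The sample server.xml is constructed, the function names are hypothetical, and a missing attribute is treated as Tomcat's documented 8192-byte default.

```python
# Added example: audit and patch maxHttpHeaderSize on Tomcat <Connector>
# elements, as described for ArcGIS Server's server.xml in the post above.
import xml.etree.ElementTree as ET

TOMCAT_DEFAULT_HEADER_BYTES = 8192  # Tomcat default when the attribute is absent
TARGET_HEADER_BYTES = 65535         # value given in the post

# Constructed sample; the keystore path and password are placeholders.
SAMPLE_SERVER_XML = """<Server port="-1">
  <Service name="Catalina">
    <Connector port="6080" protocol="HTTP/1.1" maxThreads="150"/>
    <Connector SSLEnabled="true" clientAuth="false"
               keyAlias="SelfSignedCertificate"
               keystoreFile="PLACEHOLDER/arcgis.keystore"
               keystorePass="PLACEHOLDER" maxThreads="150" port="6443"
               protocol="org.apache.coyote.http11.Http11Protocol"
               scheme="https" secure="true" sslProtocol="TLS"/>
  </Service>
</Server>
"""


def audit_connectors(xml_text, required=TARGET_HEADER_BYTES):
    """Return one finding per <Connector>: port, effective limit, pass/fail."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        raw = conn.get("maxHttpHeaderSize")
        effective = int(raw) if raw is not None else TOMCAT_DEFAULT_HEADER_BYTES
        findings.append({"port": conn.get("port"),
                         "effective_bytes": effective,
                         "ok": effective >= required})
    return findings


def apply_fix(xml_text, port="6443", required=TARGET_HEADER_BYTES):
    """Return XML text with the limit raised on the connector for `port` only."""
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        if conn.get("port") != port:
            continue  # leave other connectors exactly as configured
        raw = conn.get("maxHttpHeaderSize")
        if raw is None or int(raw) < required:
            conn.set("maxHttpHeaderSize", str(required))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(audit_connectors(SAMPLE_SERVER_XML))
    print(audit_connectors(apply_fix(SAMPLE_SERVER_XML)))
```

ElementTree drops XML comments when it re-serialises, so keep a backup of the original server.xml and review a diff before replacing the file.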

  7. #7
    Ghassan Karwchan

    Wow
    Thanks Christopher
    Very detailed answer

    I will check it out and ask you if I have questions
