Bug: Token Service may not use fully qualified domain name

Description

**This bug has been fixed at ArcGIS 9.3 Service Pack 1.**

The Token Service introduced at ArcGIS Server 9.3 may be used to authenticate clients to a GIS service using the Internet (Web service) connection method. This enables clients to access secured GIS services. The Token Service in ArcGIS Server for the Microsoft .NET Framework is automatically enabled when needed, and most client applications automatically obtain and use tokens when needed. The Token Service is enabled when the ArcGIS Server Manager user selects a location for users in the Security wizard, and the location is one of these options: Microsoft SQL Server, a custom provider, or Windows users with SQL Server roles (with the Token Service enabled).

The URL for the Token Service may not include the fully qualified domain name (FQDN) when it is enabled in Manager. For example, if the server name is gisweb, the Token Service URL may be set to https://gisweb/arcgis/tokens/ rather than to a URL that includes the domain name, such as https://gisweb.example.com/arcgis/tokens/.

The URL format is important for organizations that expose the GIS services to the Internet. Clients on the Internet need to use a fully qualified domain name to access servers across the Internet.

Cause

This issue occurs when Manager is run locally on the Web server where ArcGIS Server is installed. Because Manager is typically opened there with an address such as http://localhost/arcgis/Manager, the URL the browser used is not used to derive the server name for the Token Service; the machine name is used instead. If the Security wizard in Manager is run from a browser on a different machine, and the FQDN is used to load Manager, the problem does not occur: the FQDN is used in the Token Service URL.

Workaround

A workaround may be necessary if the Token Service is enabled, the organization exposes secured services to clients on the Internet, and the users configured in Manager use any of the following providers:

  • SQL Server
  • Custom provider
  • Windows users with SQL Server

To verify that the Token Service uses a local machine name, use a text editor to open the web.config file in the C:\Inetpub\wwwroot\ArcGIS\tokens directory (this location will be different if the ArcGIS Server Web applications are installed to a non-default location). Find the setting for TokenServiceURL in this file. If this setting uses just the machine name and Internet clients will access the secured services, follow one of the workarounds below. The first option is the recommended approach.

  • Option 1: Configure security from within a browser running on a machine different from the server where Manager is installed. This can be done even if security has already been configured.

    (a) Open Manager in a browser running on a machine where Manager is not installed. Be sure to use the fully qualified domain name for the server. An example would be http://gisweb.example.com/arcgis/manager.

    (b) After logging in to Manager, click the Security tab, then click Settings. In the settings panel, click Configure...

    (c) Use the wizard to configure security for the user and role location as desired. If previously configured, the same settings can be used again.

    (d) Finish the wizard to save the settings. The Token Service will now use the fully qualified domain name.

  • Option 2: If Manager cannot be run on a computer different from where it is installed, manually edit the configuration files. Note that three files must be edited for proper functioning.

    (a) With a text editor or IDE such as Visual Studio, open the web.config file in C:\Inetpub\wwwroot\ArcGIS\Tokens (adjust the location if the ArcGIS Server Web applications are installed to a non-default location).

    (b) In the <appSettings> section of web.config, change the URL in the TokenServiceURL to include the fully qualified domain name. For example, change:

    <add key="TokenServiceURL" value="https://machinename/ArcGIS/tokens/" />

    to:

    <add key="TokenServiceURL" value="https://machinename.domain.com/ArcGIS/tokens/" />

    where machinename is the name of the Web server and machinename.domain.com is the fully qualified domain name of the server. Note that the Token Service URL uses https so that usernames and passwords are transmitted securely (see the ArcGIS Server Help for information on this requirement). Save the file.

    (c) Repeat the previous two steps for the web.config files in C:\Inetpub\wwwroot\ArcGIS\Rest and C:\Inetpub\wwwroot\ArcGIS\Services. Save each file. No restart of the Web server is required.

    (d) Test the Token Service for correct functioning by connecting to secured services. The SOAP services (/Services) can be tested with ArcGIS Desktop or a Web ADF application, by creating a new connection with a valid username and password. Test the REST services by opening the Services Directory (http://<server.domain.com>/arcgis/rest) and clicking Log In. Finally, test the /Tokens application with the get-token page at https://<server.domain.com>/arcgis/tokens/gettoken.html. If Desktop or ADF can be used to successfully connect, view secured services with the Services Directory, and get a token with the get-token page, then the Token Service is configured correctly.
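The check described at the start of the Workaround section (does TokenServiceURL carry only a machine name?) and the three-file edit in Option 2 can both be scripted. The following is an added example, not Esri's code and not part of this article: it reads the TokenServiceURL entry from the <appSettings> section, flags a bare host name or a non-https scheme, and rewrites only that attribute's value so that comments, whitespace and other settings in each web.config are left untouched. The default file paths are the ones the article names, the sample web.config is constructed for the demonstration, and gisweb.example.com is an assumed FQDN.

```python
"""Added example (not Esri's code): audit the TokenServiceURL setting in the
ArcGIS Server web.config files this article names, and optionally rewrite it
so that it uses a fully qualified domain name."""
import re
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, List, Optional, Tuple, Union
from urllib.parse import urlsplit, urlunsplit

# Default locations from the article; adjust if the Web applications are elsewhere.
WEB_CONFIGS = [
    Path(r"C:\Inetpub\wwwroot\ArcGIS\Tokens\web.config"),
    Path(r"C:\Inetpub\wwwroot\ArcGIS\Rest\web.config"),
    Path(r"C:\Inetpub\wwwroot\ArcGIS\Services\web.config"),
]

# Constructed sample: the <appSettings> entry the article shows, with a bare host name.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="TokenServiceURL" value="https://gisweb/ArcGIS/tokens/" />
  </appSettings>
</configuration>
"""


def read_token_service_url(config_xml: str) -> Optional[str]:
    """Return the TokenServiceURL value from <appSettings>, or None if absent."""
    root = ET.fromstring(config_xml)
    for add in root.iter("add"):
        if add.get("key") == "TokenServiceURL":
            return add.get("value")
    return None


def check_token_service_url(url: str) -> List[str]:
    """List what is wrong with a Token Service URL; an empty list means it is acceptable."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https":
        # Usernames and passwords travel in the token request, hence the https requirement.
        problems.append("scheme is %r, expected https" % parts.scheme)
    host = parts.hostname or ""
    if host == "localhost" or "." not in host:
        # A bare machine name only resolves inside the organization's own network.
        problems.append("host %r is not a fully qualified domain name" % host)
    return problems


def with_fqdn(url: str, fqdn: str) -> str:
    """Return url with its host replaced by fqdn; scheme, port and path are kept."""
    parts = urlsplit(url)
    netloc = fqdn if parts.port is None else "%s:%d" % (fqdn, parts.port)
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


_ADD_ELEMENT = re.compile(r'<add\b[^>]*\bkey="TokenServiceURL"[^>]*>')
_VALUE_ATTR = re.compile(r'(\bvalue=")([^"]*)(")')


def fix_config_text(config_xml: str, fqdn: str) -> Tuple[str, bool]:
    """Rewrite only the TokenServiceURL value attribute (a textual edit, so the
    rest of web.config is returned byte-for-byte as it was). Returns (text, changed)."""
    changed = False

    def rewrite_element(match) -> str:
        nonlocal changed
        element = match.group(0)
        value = _VALUE_ATTR.search(element)
        if value is None:
            return element
        new_url = with_fqdn(value.group(2), fqdn)
        if new_url == value.group(2):
            return element
        changed = True
        return element[: value.start(2)] + new_url + element[value.end(2):]

    return _ADD_ELEMENT.sub(rewrite_element, config_xml, count=1), changed


def audit_files(paths=None, fqdn: Optional[str] = None,
                write: bool = False) -> Dict[str, Union[str, List[str]]]:
    """Check each web.config; with fqdn given and write=True, fix bare host names in place."""
    report: Dict[str, Union[str, List[str]]] = {}
    for item in (WEB_CONFIGS if paths is None else paths):
        path = Path(item)
        if not path.is_file():
            report[str(item)] = "missing"
            continue
        raw = path.read_bytes()
        has_bom = raw.startswith(b"\xef\xbb\xbf")
        text = raw.decode("utf-8-sig")
        url = read_token_service_url(text)
        if url is None:
            report[str(item)] = "no TokenServiceURL setting"
            continue
        problems = check_token_service_url(url)
        if problems and fqdn and write:
            fixed, changed = fix_config_text(text, fqdn)
            if changed:
                # Keep the byte-order mark so the file round-trips as the editor wrote it.
                path.write_bytes((b"\xef\xbb\xbf" if has_bom else b"") + fixed.encode("utf-8"))
                problems = check_token_service_url(read_token_service_url(fixed) or "")
        report[str(item)] = problems or "ok"
    return report


if __name__ == "__main__":
    # Demonstrate on the constructed sample rather than on a live server.
    found = read_token_service_url(SAMPLE_WEB_CONFIG)
    print("found:", found, check_token_service_url(found))
    fixed_text, was_changed = fix_config_text(SAMPLE_WEB_CONFIG, "gisweb.example.com")
    print("changed:", was_changed, "->", read_token_service_url(fixed_text))
```

Run audit_files() with write=False first and review the report; only then run it again with the FQDN and write=True. The rewrite is deliberately a targeted text substitution rather than re-serializing the XML, because ElementTree would drop comments and reflow the file. After writing, test the three applications as step (d) describes.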