Skip To Content

Common problems and solutions

In this topic

This topic lists questions or issues that you might encounter when working with Portal for ArcGIS and suggests possible solutions. If you don't find the problem you're looking for, you can also search for articles on the Esri Support center website.

Installation

Upgrading

Administration

Publishing

Why does the setup prevent me from installing Portal for ArcGIS if the installation user has file handle limits of less than 65,535?

For the portal to run properly, the file handle limits for the installation user are required to be set to 65535. An installation diagnostics tool will check to validate whether these limits are set properly in the /etc/security/limits.conf file. If the limits are set incorrectly, the diagnostics check will fail.

There are soft and hard limits for file handles on Linux. To determine the limits, use the following commands:

  • Soft limit: ulimit -Sn
  • Hard limit: ulimit -Hn

To increase the soft and hard limits, you'll need to edit the /etc/security/limits.conf file with superuser access. For example, add two lines in the file as follows:

<Portal for ArcGIS installation user> soft nofile 65535

<Portal for ArcGIS installation user> hard nofile 65535

After making this change, you'll need to log out and log back in with the particular user for the new values to take effect. To verify that the limits have been modified appropriately, use the ulimit -Sn and ulimit -Hn commands as described above.

After upgrading, the portal website does not display correctly, displays an error message, or I can't log in. What's wrong?

Clear your browser's cache (including cookies). These errors are typically due to leftover information from the previous version of the website being cached in the browser. If you still can't log in, make sure you are using the initial administrator account or an account that has administrative privileges to your portal.

After upgrading, I don't see all of my items, groups, and users in my portal. What's going on?

After installing the software and specifying the initial administrator account, you're required to reindex your portal. This step completes the upgrade of your portal. Initially, you may not see all of your items, groups, and users because the reindex is not complete. Depending on the number of users and volume of content in your portal, it will take some time for the reindex to complete. For example, a small organization (hundreds of users and content items) running Portal for ArcGIS on a machine with 8 cores may take 15 minutes to reindex. Conversely, a large organization (tens of thousands of users and content items) running Portal for ArcGIS on a machine with 8 cores may take over 3 hours to reindex.

You can check the status of the reindex by following the steps below. When the store and index counts are equal, the reindex and upgrade is complete.

  1. Open the ArcGIS Portal Directory and sign in with the initial administrator account. The URL is formatted https://portal.domain.com:7443/arcgis/portaladmin.
  2. Click System > Indexer > Index Status.
  3. Refresh the page to obtain the latest status.

When I access the portal website after installing 10.3.1, I see a software authorization error stating that the number of registered members in the portal exceeds the maximum number that the portal has been licensed for. How do I resolve this issue?

In Portal for ArcGIS 10.2.1 and later versions, the portal's named user licensing model is enforced. You will no longer be able to add more members into your portal than what it is currently licensed for. If the number of members your portal is licensed for is exceeded at 10.3.1, you will see a software authorization error message when accessing the portal website with an account that has administrative privileges. Additionally, users will not be able to create new accounts and members without administrative privileges will not be able to sign in to the portal. See Enforcement of named user licensing to learn more about how to resolve these issues.

When attempting to create the initial administrator account when upgrading my portal, I receive the message There was an error creating your initial administrator account. How do I resolve this to complete the upgrade?

If you receive this error when creating the initial administrator account, information in the portal logs can help you resolve the issue. Often, this error may occur if network connectivity was temporarily lost when creating the account. To access the logs, browse to the logs directory and open the most recent log file (for example, <Portal for ArcGIS installation directory>/arcgisportal/logs/<machine name>/portal/portal-20141201.095803-8596-0.0.log). If necessary, you can share this information with Esri Support.

How do I configure Portal for ArcGIS to be highly available?

Portal for ArcGIS is configurable and supported in a highly available environment. For full instructions, see Configuring a highly available portal.

What is the purpose of the initial administrator account? Can I demote or delete it?

After you've installed Portal for ArcGIS and configured it for use, you can access the portal website. At this time, you need to provide the name, password, email, and identity question and answer for a new account that you will initially use to sign in to the website and administer your portal. This account is called the initial administrator account.

The initial administrator account user name and password are stored by Portal for ArcGIS. The initial administrator is not an operating system account, and it has no relation to the Portal for ArcGIS account. Later, you can specify other accounts as administrators, demote the initial administrator to a role with fewer privileges, or delete the initial administrator.

What is the purpose of the System Publisher account? When is it used? Can I delete it? Does it count as one of my named users?

When you first sign in to your portal, you'll notice there's already an account named System Publisher (system_publisher). When your portal is configured with a hosting server, the System Publisher account is used to geocode CSV files in the map viewer on behalf of portal users who do not have privileges to geocode addresses. For example, if an anonymous user drags and drops a CSV file into the map viewer, the geocoding of locations is performed by the System Publisher account on behalf of the user.

If your portal is not configured with a hosting server, the System Publisher account is not used. Instead, any geocoding is performed by the geocoding service you have configured for your portal. If credentials are required to use the geocoding service, users invoking a geocode must enter their credentials in the map viewer.

To disable anonymous users or members who do not have the appropriate privileges from geocoding items in the map viewer, you can delete this account. Once the account is deleted, only members who have the necessary privileges will be able to geocode items in the map viewer. Once the account is deleted, it cannot be recovered. See Manage members for full instructions on deleting the account.

The System Publisher account does not count as one of the named users in your organization. Any other account that you create or add to the portal will count as a named user.

How do I connect to ArcGIS Server after federating the server with my portal?

When you federate ArcGIS Server with your portal, the portal's security store controls all access to the server. The users and roles you previously used with ArcGIS Server are no longer valid for accessing the server; instead, you perform all connections to the server using portal accounts.

The only exception is the ArcGIS Server primary site administrator account. You can always log in to the ArcGIS Server Administrator Directory using this account if you connect directly through port 6080 or 6443. However, you cannot use this account to log in to ArcGIS Server Manager when the server is federated with your portal.

To learn more about how to connect to your server when it's federated with your portal, see Administering a federated server.

When attempting to federate an ArcGIS Server site with my portal, a message displays in the Add ArcGIS Server dialog box stating There was an error communicating with the server. Please check your URL and your credentials and try again.

You may encounter this error for the following reasons:

  • The Server URL or the Administrator URL you entered for the ArcGIS Server site is incorrect or unreachable. Verify the following:
    • If the ArcGIS Server site includes ArcGIS Web Adaptor, the Server URL entered is the Web Adaptor address, for example, http://webadaptor.domain.com/arcgis. If no Web Adaptor is present, the Server URL is the same as the Administrator URL, for example, http://gisserver.domain.com:6080/arcgis.
    • If your organization requires HTTPS for all communication, use https in the URL.
    • The URL includes the fully qualified domain name (FQDN) of the machine. The FQDN is required.
    • The communication protocol of the ArcGIS Server site has been updated to use HTTP and HTTPS or HTTPS only.
    • The communication protocol matches that of the portal. For example, if the portal requires HTTPS for all communication, ArcGIS Server should also be configured as HTTPS only. Conversely, if the portal does not require HTTPS, the server communication protocol should be HTTP and HTTPS.
    • If the ArcGIS Server site includes the Web Adaptor, the Web Adaptor must be reconfigured with ArcGIS Server after updating the site's communication protocol.
    • Your firewall allows communication between ArcGIS Server and your portal. For information on which specific ports to open, see Ports used by ArcGIS Server and Ports used by Portal for ArcGIS.
    • Web-tier authentication is disabled and anonymous access is enabled on the ArcGIS Server site. Although it may sound counterintuitive, this is necessary so your site is free to federate with the portal and read the portal's users and roles.
  • You incorrectly entered the Username or Password:
    • Specify the Username of the primary site administrator account that was used to initially log in to ArcGIS Server Manager and administer the server. If this account is disabled, you'll need to reenable it. No other account can be used.
    • Provide the Password of the primary site administrator account.

For more information, see Federating an ArcGIS Server site with your portal.

Can I rename the machine hosting Portal for ArcGIS?

No, this is not currently supported. If you rename the machine, your portal will be unavailable.

When I attempt to open the portal website in Internet Explorer, the website fails to load or a message is returned stating the website could not be displayed.

Be sure the host name in the portal website URL is listed as a trusted site in Internet Explorer. To add your portal's URL as a trusted site to Internet Explorer, open Internet Options. Trusted sites are added on the Security tab.

How do I configure Portal for ArcGIS with my organization's reverse proxy server?

To configure Portal for ArcGIS with a reverse proxy server, you'll need to provide some information to your portal about the proxy server. For full instructions, see Configuring a reverse proxy server with your portal.

Can I configure the same ArcGIS Web Adaptor to work with both ArcGIS Server and Portal for ArcGIS?

No. You cannot configure the Web Adaptor to work with both. You can only configure ArcGIS Web Adaptor to work solely with ArcGIS Server or Portal for ArcGIS.

If my portal uses enterprise groups, does the portal identity store update as soon as a new login is added to a group on my LDAP server?

No. If the enterprise account already exists in the portal and the enterprise group is linked to a portal group, the identity store refreshes when the new member logs in to the portal or the next time your portal identity store automatically refreshes, whichever occurs first. By default, the identity store updates each day at midnight. The portal administrator can alter the frequency and time the identity store refreshes using Update Identity Store to alter values for the membershipRefreshIntervalHours and membershipRefreshStartTime parameters.

If the enterprise account is not a member of the portal, adding the login to an enterprise group that is linked to a portal group does not automatically add the account to your portal; as the administrator, you don't want every login ever added to your LDAP server to automatically be added to your portal.

If my portal uses enterprise groups, are new enterprise groups automatically added to my portal when I add them to my LDAP server?

No. The portal administrator manually configures a Portal for ArcGIS group to use an enterprise group. When the administrator finishes configuring the portal group, any existing portal enterprise accounts that are members of the enterprise group automatically become members of the portal group.

If you use enterprise groups from an LDAP server, only logins in the group you specify are added to the portal group; members of nested groups are not. For example, if you specify a top-level enterprise group, only the logins that are existing portal members are added to the portal group; no logins from a nested group are included. You could, instead, specify a nested group. In that case, only logins in the nested group that are existing portal members are added to the portal group.

If my portal uses enterprise accounts and groups, what happens when a user is deleted from my LDAP server?

If the deleted enterprise user exists in the portal, the member is removed from any portal enterprise groups the next time the identity store refreshes (by default, that's each day at midnight). However, the member is not removed from the portal identity store. Since the corresponding enterprise account no longer exists, the member cannot log in to the portal, but the portal administrator must manually reassign any items or groups owned by the member and delete the account to free the portal license.

If my portal uses enterprise groups, what happens to the corresponding portal when an enterprise group is renamed or deleted from my LDAP server?

If the enterprise group is linked to a portal group, members are removed from the group the next time the portal identity store refreshes (either when each member logs in or at the scheduled identity store update time). Once members are removed, only the group owner or portal administrator can access the group. The portal administrator or group owner can either delete the group, or the portal administrator can reassign the portal group to a different enterprise group.

It takes a very long time for the portal map viewer to load in my web browser.

If you're using a reverse proxy server or load balancer with your portal to handle requests from the Internet, verify that the reverse proxy server or load balancer supports gzip encoding and is configured to allow the Accept-Encoding header. This header allows HTTP 1.1 responses to be compressed using gzip encoding. For example, if the header is allowed, a request to load the map viewer will return a compressed response of approximately 1.4MB to the browser. If the header is not allowed or ignored, the request will return an uncompressed response of approximately 6.8MB to the browser. If your network speed is slow, it may take a long time for the map viewer to load if responses are not compressed. It's highly recommended that you allow this header as part of your reverse proxy server configuration.

Thumbnails for newly created web maps are not generated or do not display correctly.

Users may encounter this problem if their web maps contain ArcGIS Server services that use HTTPS. If this is the case, check if the portal is configured with a print utility service from an ArcGIS Server site. The print service may be running on a machine that does not trust Certificate Authority (CA) signed certificates from the ArcGIS Server site providing the HTTPS services. Each machine running the print service will need to be configured to trust these CA certificates at the operating system level. See Enable HTTPS using a new CA-signed certificate for details on how to do this.

When I attempt to publish a hosted cached map, feature service, or scene service (tile layer, feature layer, or scene layer) to the portal, publishing fails with the message ERROR 001369: Failed to create the service. Failed to execute (PublishServiceDefinition). Failed to execute (Publish Portal Service).

If the name of the service you attempt to publish contains language characters that do not match the character set configured for the hosting server's managed database, publishing will fail. The language of the characters used in the service name must match the character set configured for the database.

To work around this issue, you can do the following:

  • Rename the service to use the same language characters used by the database.
  • Reconfigure the database to use a character set that will most commonly be used by publishers.

To determine the character set configured with your database, contact your system administrator. To learn more about how to configure your hosting server with a managed database, see Configuring a hosting server for your portal.

When enabling the Feature Access or Tiled Mapping capability while publishing a hosted service in ArcMap, I'm prompted with a security alert that requires me to verify a certificate.

Being prompted to verify a certificate in ArcMap when publishing a hosted service can be caused by one or both of the following:

  • ArcGIS Server is using a self-signed certificate. By default, the server comes preconfigured with a self-signed certificate, which allows the server to be initially tested and helps you quickly verify that your installation was successful. However, in almost all cases, an organization should request a certificate from a trusted certificate authority (CA) and configure the server to use it. This could be a domain certificate issued by your organization or a CA-signed certificate.
  • The Administration URL entered when federating ArcGIS Server with your portal uses HTTP instead of HTTPS, for example, http://gisserver.domain.com:6080/arcgis. Alternatively, you can enable administrative access on your ArcGIS Web Adaptor and specify the Web Adaptor's URL as the Administration URL to help alleviate any certificate prompts.

To learn more, see Security best practices.

When I attempt to publish a scene layer from ArcGIS Pro, publishing succeeds, but the scene cache fails to create, and I receive the following message: Error 001784: Unable to connect to the database used for scene caches (unauthorized). Failed to execute (Manage Scene Cache).

Scene layers cache data in the ArcGIS Data Store scene tile cache database. The ArcGIS Server scene caching tools communicate with this database through HTTP, and authenticate using cookies. The cookie policies set on your ArcGIS Server Windows machine may block the cookies. In some cases, this is the default setting on Windows operating systems.

The scene caching tools use an Internet URL to connect to the scene cache database first. In this case, Internet policies apply. If the Internet connection fails, the tools attempt to connect using an intranet URL, in which case intranet policies apply. To verify the URLs used by the tools are correctly set up to access the scene cache database, confirm the ArcGIS Data Store host names are correct, and update cookie policies on the ArcGIS Server machines.

  1. Open a web browser and log in to your ArcGIS Server site's Administrator Directory. Log in using ArcGIS Server administrator credentials.
  2. Go to data > items > nosqlDatabases > /nosqlDatabases/AGSDataStore_nosqldb_<database name> > REST.
  3. Take note of the hostname and unqHostname properties. These are the fully qualified domain name and unqualified domain names of the scene cache database. You will use these later when updating cookie policies.
  4. Log in to each ArcGIS Server machine using the ArcGIS Server Account. This is the account you created to run ArcGIS Server processes when you installed ArcGIS Server.
  5. Start the machine's Internet Options. This can be accessed through Internet Explorer or your server's Control Panel.
  6. Click the Security tab and do one of the following:
    • Choose Local intranet and make sure the security level set for it does not block cookies for intranet sites. If it does, change the security level to allow cookies from intranet sites.
      Note:

      You could change the security policy for the Internet instead; however, this is not recommended, as it would allow your machine to accept cookies from any site on the Internet.

    • Choose Trusted sites > Sites and add the URL for the fully qualified host name of the scene cache database; for example, datastore.domain.com. Also add the URL of the unqualified host name as a trusted site, for example, datastore.
  7. Click OK to apply your changes and close Internet Options.
  8. Restart ArcGIS Server.
  9. Repeat these steps for every ArcGIS Server machine in your site.

When I attempt to publish a scene layer from ArcGIS Pro, publishing succeeds, but the scene cache fails to create, and I receive the following message: Error 001785: Unable to connect to the database used for scene caches (unauthorized). Failed to execute (Manage Scene Cache).

Scene layers cache data in the ArcGIS Data Store scene layer tile cache database. The ArcGIS Server scene caching tools communicate with this database through HTTP, and authenticate using cookies. The cookie policies set on your ArcGIS Server Windows machine may block the cookies. In some cases, this is the default setting on Windows operating systems.

The scene caching tools use an Internet URL to connect to the scene cache database first. In this case, Internet policies apply. If the Internet connection fails, the tools attempt to connect using an intranet URL, in which case intranet policies apply. To verify the URLs used by the tools are correctly set up to access the scene cache database, confirm the ArcGIS Data Store host names are correct, and update cookie policies on the ArcGIS Server machines.

  1. Log in to each ArcGIS Server machine using the ArcGIS Server Account. This is the account you created to run ArcGIS Server processes when you installed ArcGIS Server.
  2. Start the machine's Internet Options. This can be accessed through Internet Explorer or your server's Control Panel.
  3. Click the Advanced tab and look for the Security section.
  4. Uncheck the Check for server certificate revocation option.
  5. Click OK to apply your changes and close Internet Options.
  6. Restart ArcGIS Server.
  7. Repeat these steps for every ArcGIS Server machine in your site.