WebAdaptor authentication and CORS do not work

08-18-2017 08:05 AM
DuarteCarreira
Occasional Contributor II

So, I'm starting to think CORS support is broken in JS API 3.21, or does not support using a webadaptor with windows integrated authentication.

Does anyone have a setup like this working? If so, can you share how you made it work? Is there any documentation about this combo?

I will try to be clear and concise with the details.

Server: windows 2012, with webadaptor with windows authentication, arcgis server 10.5, authentication web tier, windows authentication; webadaptor with windows authentication on.

Web app with esri js 3.21, with windows authentication (same domain).

My web app works fine. There's a first request that fails with 401: 

https://server/webadaptor/rest/info?f=json

Then requests to my mapservice work fine, and use callback=dojo.io.script.jsonp_dojoIoScript1._jsonpCallback in the querystring.

When I add my server to esriConfig.defaults.io.corsEnabledServers, things break.

There is only 1 request to my mapservice.

It fails with 401 Unauthorized. And nothing else is loaded from the webadaptor:

https://server/webadaptor/rest/services/servicename/MapServer?f=json&dpi=96&transparent=true&format=...

As you can see, no callback is used.

Request headers:


Accept:*/*
Accept-Encoding:gzip, deflate, br
Accept-Language:pt-PT,pt;q=0.8,en-US;q=0.6,en;q=0.4,es;q=0.2
Cache-Control:no-cache
Connection:keep-alive
Content-Type:application/x-www-form-urlencoded
Host:sigims2.edia.pt
Origin:https://dev1.domain.pt
Pragma:no-cache
Referer:https://dev1.domain.pt/
User-Agent:Mozilla/5.0 (

Response Headers:

Access-Control-Allow-Origin:*
Content-Length:1293
Content-Type:text/html
Date:Fri, 18 Aug 2017 14:54:17 GMT
Server:Microsoft-IIS/7.5
WWW-Authenticate:Negotiate
WWW-Authenticate:NTLM
X-Powered-By:ASP.NET

Request:

Request URL:https://server/webadaptor/rest/services/mapservice/MapServer?f=json&dpi=96&transparent=true&format=p...
Request Method:GET
Status Code:401 Unauthorized
Remote Address:x.x.x.x:443
Referrer Policy:unsafe-url

IIS Log says no username is given in the request, and the error is 401 2 5 2.

Any help much appreciated.

Cheers,

Duarte

DavidColey
Frequent Contributor

Duarte - the only things you need in your map.js should be the "esri/config" in your require, the esriConfig alias in the require's function and the corsEnabledServers property and push method in your ready function:

esriConfig.defaults.io.corsEnabledServers.push("webadaptorname.domain.com");

Whether you are using server authentication or token authentication shouldn't matter

DuarteCarreira
Occasional Contributor II

David, that's what I thought, but that's not what is happening. If I push my server to corsEnabledServers, the app breaks.

My reasoning is it's related to authentication, because I can use public mapservices without problems (another webadaptor without authentication on the same server).

DuarteCarreira
Occasional Contributor II

Well, I'm more inclined to a bug in js api 3.21...

I have used code from GitHub - monsur/test-cors.org: A tool to help test CORS requests, and I get everything to work - I can make requests to a windows authenticated mapservice, using cors with credentials option.

Same thing using esri js 3.21 gives 401 error.

If I set 

esriConfig.defaults.io.corsEnabledServers.push({host:"https://arcgisserver.domain.com", withCredentials: true});

I get a 401 error with the following error message:

"No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://dev.domain.com' is therefore not allowed access. The response had HTTP status code 401."

Doing the same thing with test-cors code, works fine.

So... anyone up to reproduce this?

DavidColey
Frequent Contributor

Sorry Duarte, I too am set up with token-based authentication at 10.4.1 - when we go to 10.5.x or 10.6 with Portal and Federate we may go with Windows auth, don't know yet.

ThomasSolow
Occasional Contributor III

Have you looked at this? Securing web services with Integrated Windows Authentication—Installation Guides (10.5) | ArcGIS Ent... 

I don't have any experience with anything other than arcgis server token authentication unfortunately so I'm not sure how to troubleshoot this issue.

Off the top of my head, when I look at your request to the MapServer that fails, nothing seems to be getting passed in that would enable authentication.  When you tried the open source example that worked, what did your requests look like?

DuarteCarreira
Occasional Contributor II

Hi Thomas. Yes I have been searching through documentation for additional info. For now, I think configuration is ok. Also, I can access the mapservice by using its url in the browser - authentication kicks in - a login popup appears - after which I can access the mapservice.

I too noticed the absence of authentication headers when using esri js. I am going to confirm the headers that go through when using the test-cors.org code.

Thank you all for taking a look.

DuarteCarreira
Occasional Contributor II

Ok, so it is solved! Weekends work wonders in our brains!

It is not a bug. But a bit of quirkiness from the js api...

So, you have to set esriConfig.defaults.io.useCors = "with-credentials", or it won't work.

Only then does this take effect:

esriConfig.defaults.io.corsEnabledServers.push({host:"https://server.domain.com", withCredentials: true});

If you set defaults.io.useCors=true, it breaks. If you set it to false, it works again. Go figure.

It is what it is. Personally I would have done it simpler: If useCors=true, and then if corsEnabledServers have the option withCredentials set to true, just use it. I suppose it would break some apps, so a 3rd option was added to useCors. I guess...

So, thanks again for your help. And I hope this will be useful to someone else.
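
Added example, not part of the original posts and not Esri code: a small model of the check a browser applies to a CORS response once the request is sent with credentials, which is the mode the "with-credentials" setting above switches on. It shows why a response carrying only `Access-Control-Allow-Origin: *`, like the 401 in the first post, cannot satisfy a credentialed request, and what the web tier has to answer instead. `ALLOWED_ORIGINS`, `corsHeadersFor` and `browserAllowsRead` are hypothetical names; the origin is the one from the request headers in the first post.

```javascript
// Hypothetical allowlist of origins the web tier trusts with credentialed requests.
const ALLOWED_ORIGINS = new Set(["https://dev1.domain.pt"]);

// Server side: headers to send so that a credentialed cross-origin request passes.
function corsHeadersFor(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return {};   // unknown origin: send no CORS headers
  return {
    "Access-Control-Allow-Origin": origin,        // exact origin, never "*"
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",                             // keep caches from mixing origins
  };
}

// Browser side: may script running on `origin` read a response with these headers?
function browserAllowsRead(origin, withCredentials, headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const acao = h["access-control-allow-origin"];
  if (acao === undefined) {
    return { ok: false, reason: "no Access-Control-Allow-Origin" };
  }
  if (!withCredentials) {
    return acao === "*" || acao === origin
      ? { ok: true, reason: "anonymous CORS allowed" }
      : { ok: false, reason: "origin mismatch" };
  }
  // Credentialed mode is stricter: no wildcard, and an explicit opt-in header.
  if (acao === "*") {
    return { ok: false, reason: "wildcard not allowed with credentials" };
  }
  if (acao !== origin) return { ok: false, reason: "origin mismatch" };
  if (h["access-control-allow-credentials"] !== "true") {
    return { ok: false, reason: "Access-Control-Allow-Credentials is not true" };
  }
  return { ok: true, reason: "credentialed CORS allowed" };
}

// Constructed sample: the CORS-relevant header of the 401 response in the first post.
const threadResponse = { "Access-Control-Allow-Origin": "*" };
const ORIGIN = "https://dev1.domain.pt";

console.log(browserAllowsRead(ORIGIN, true, threadResponse));
console.log(browserAllowsRead(ORIGIN, true, corsHeadersFor(ORIGIN)));
```

Echoing the origin only after an allowlist lookup matters here because a credentialed response is readable by whatever origin the server names.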

JamesGonsoski
New Contributor III

Thanks, much. This saved my weekend!
