We have a Feature Service secured with HTTP Basic Auth (Web-Tier authentication) and we need to publish this service in ArcGIS Online for editing. The service is accesible via SSL with valid certificate. But here comes the trouble...
1) When adding the service to the map, ArcGIS Online asks for credentials and displays the service correctly. Unfortunatelly at the same time we get an error stating that the service is not accessible for ArcGIS.com application and cannot be edited. Looking into the communication I've found the problem is caused by ArcGIS Online using a proxy which cannot access our service http://organization.maps.arcgis.com/sharing/proxy?https://ourservice. Fiddler says it returns the http 502 error - Bad Gateway.
2) According to the documentation (Configure security settings—ArcGIS Online Help | ArcGIS ), this is expected behavior and Trusted Servers setting should be used to achieve this. AGOL is supposed to store credentials for those servers and pass them through the proxy, am I right? But when we add our domain to the trusted servers list, ArcGIS Online stops asking for credentials at all and we cannot even add the service to the map. AGOL only says the service cannot be added with no additional details.
We have CORS enabled on the server (it returns Access-Control-Allow-Origin: organization.maps.arcgis.com) and we've tried Chrome and IE 11, but with no luck. Is there something else that needs to be configured?