ArcGIS Online Support for Web Tier Authentication

11-25-2015 02:58 AM
AaronFindlay
New Contributor III

Recently I noticed that the ArcGIS Online Documentation has been updated to include support for ArcGIS Server Services secured with Web Tier Authentication. As per below:

ArcGIS Server web services—ArcGIS Online Help | ArcGIS

Secure services

ArcGIS Online supports ArcGIS Server authentication, including web-tier authentication such as Integrated Windows Authentication (IWA) and a public key infrastructure (PKI), for adding and accessing secure services. ........

The map viewer, Web AppBuilder, and the configurable apps support editing feature services secured with web-tier authentication. To take advantage of this support, administrators must configure trusted servers that allow ArcGIS Online to automatically pass through credentials.

This is welcome news; however, I have not been able to take advantage of this new functionality.

Obviously an ArcGIS Server secured with Web Tier Authentication and published to the Internet can have quite a complex configuration.

Is any more detailed documentation available other than what is referenced above?

Has anyone had any luck getting ArcGIS Online to accept ArcGIS Server Services secured with Web Tier Authentication?

My Scenario:

The ArcGIS Server 10.3.1 Web Adapter (IIS) is secured with SSL, has CORS enabled and is publicly accessible, while ArcGIS Online Trusted Servers has been configured with the Web Adapter's public address.

The ArcGIS Server Service is currently actively used in several ArcGIS SharePoint Web Parts accessible externally and works without issue using NTLM Pass Through Authentication when accessed from Internet Explorer on Domain Machines. The environment is working.

If adding the ArcGIS Server Service secured with Web Tier Authentication using NTLM, the following messages are received:

As an Item to My Content:

Error Service '' does not exist or is inaccessible.

Directly to a Web Map:

Error, The layer, Service Name, cannot be added to the map.

Via the Services View In: ArcGIS Online map viewer option:

The Map Service is added and features are displayed however the following message is displayed:

Editing, Layers -  Feature Service Name - Layer Name

seem to be on an internal network and are not accessible to ArcGIS.com. Thus, editing will be disabled on these layers.

Screen Shots Attached

Unfortunately, all these messages are very similar or the same as prior to ArcGIS Online supporting Web Tier Authentication.

Has anyone had any luck getting this new support for Web Tier Authentication working?

Any assistance and/or learnings would be greatly appreciated.

Aaron

1 Solution

Accepted Solutions
ChrisWhitmore
Esri Regular Contributor

Hi Aaron, Andrew,

Thanks for the solid feedback. For the issues you're seeing, it's best to contact Esri Technical Support - they'll be able to help troubleshoot. These types of issues can be quite tricky (many pieces with this).

Regarding saving the credentials with web tier authentication, ArcGIS Online does not store the credentials - it's all handled at the browser (i.e., web) level. ArcGIS Online allows for your particular web tier security implementation to bubble through, transparently to AGOL; when you are prompted to authenticate, you are entering credentials directly to your service. Typically, the browser will store the credentials for that session but that depends on the browser and any particular configurations that could affect the behavior (browser security settings for ex maybe). This is a bit different than token based authentication - in this case, AGOL acts as an intermediary, storing the credentials and proxying requests to your server with the stored credentials. A bit of a different model. Sorry for the confusion in doc on this point. We'll clarify that credentials are not stored with the added item when the secured service uses web tier authentication.

Thanks,

Chris

ArcGIS Online Team


6 Replies
deleted-user-AYsXjhkrwuAA
New Contributor III

Hi Aaron

I have the same issue, but do get a little further than you.

Before using in ArcGIS Online the ArcGIS Server must be CORS enabled, including if necessary adding your ArcGIS Online Organization url (e.g. https://myorganisation.maps.arcgis.com) to the allowed host names in the ArcGIS Server Admin Directory.

Once that has been set up I can add the service directly to a web map with editing enabled; however, I still cannot add the feature service as an Item which stores its credentials.

Whenever I try to add our web-tier authenticated service through the 'Add Item..' dialogue, AGOL tries to authenticate with a token rather than asking for, or to save the credentials. I don't understand why AGOL isn't seeing this as a web-tier authenticated service?

Also you can try adding your ArcGIS Server to the trusted hosts; this in theory allows AGOL to save and send credentials for web tier authentication, but in practice it doesn't seem to work.

Andrew

AaronFindlay
New Contributor III

Hi Andrew,

I managed to get ArcGIS Online Web Maps configured to allow editing my ArcGIS Server Services secured with Web-Tier Authentication. In my case the issue was that CORS was enabled by default on the server and once I removed my manual configuration for CORS I was able to add the services to ArcGIS Online without issue.

Unfortunately, however, as with your experience, credentials are not able to be saved when adding ArcGIS Server Services secured with Web-Tier Authentication as an Item to ArcGIS Online. When completing this process the service is added successfully but authentication is completed transparently via NTLM from the browser. The resulting ArcGIS Online Service works seamlessly for Domain Users on Domain Machines with Browsers configured for pass through authentication against the ArcGIS Server. This really is a positive step forward and does allow our organization to consider using ArcGIS Online as a Web Client for our ArcGIS Server; however, any other configuration results in a number of authentication prompts and is therefore unusable for public access or when only ArcGIS Online authentication is desired.

My experience is that currently ArcGIS Online does not support saving credentials using the Add Item method in ArcGIS Online against ArcGIS Server Services secured with Web-Tier Authentication. The documentation does not explicitly say that it is supported but it definitely suggests that it is, or is ambiguous at the least.

Not sure what my next steps will be, would love to hear from someone who has managed to get ArcGIS Online to Save Credentials for ArcGIS Server Services secured with Web-Tier Authentication or have Esri confirm that currently it is not supported. Likely need to raise this formally.
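For troubleshooting the two points this thread turns on (which authentication model a service presents, and whether its CORS headers permit a credentialed request from the ArcGIS Online origin), the following is an added example, not code from any poster or from Esri. It assumes response headers already collected as lower-cased name to value-list maps; the sample responses are constructed, and the duplicated-header case is an assumed illustration of a manual CORS setting stacking on a server default, which the thread does not confirm as the cause.

```javascript
// Added example. Inputs: HTTP status, headers as { 'lower-case-name': [values...] },
// and the parsed JSON body (or null). All sample data below is constructed.

// Web-tier security answers with an HTTP challenge; ArcGIS token security
// answers with a JSON error (499 token required, 498 invalid token).
function authModel(status, headers, body) {
  const schemes = (headers['www-authenticate'] || [])
    .map(v => v.trim().split(/[\s,]/)[0].toLowerCase());
  if (status === 401 && schemes.some(s => s === 'ntlm' || s === 'negotiate')) {
    return 'web-tier (IWA)';
  }
  if (status === 401 && schemes.length > 0) return 'web-tier (' + schemes[0] + ')';
  if (body && body.error && [498, 499].includes(body.error.code)) return 'token';
  return status === 200 ? 'unsecured' : 'unknown';
}

// Browser rules for a credentialed cross-origin read: exactly one
// Access-Control-Allow-Origin equal to the page origin (never '*'), and
// Access-Control-Allow-Credentials equal to the literal string "true".
function corsProblems(origin, headers) {
  const problems = [];
  const acao = headers['access-control-allow-origin'] || [];
  const acac = headers['access-control-allow-credentials'] || [];
  if (acao.length === 0) problems.push('missing Access-Control-Allow-Origin');
  else if (acao.length > 1 || acao[0].includes(',')) problems.push('multiple Access-Control-Allow-Origin values');
  else if (acao[0] === '*') problems.push('wildcard origin with credentials');
  else if (acao[0] !== origin) problems.push('origin mismatch');
  if (acac.length !== 1 || acac[0] !== 'true') problems.push('Access-Control-Allow-Credentials is not "true"');
  return problems;
}

const ORIGIN = 'https://myorganisation.maps.arcgis.com'; // example org URL from the thread
// Constructed: the same header emitted twice, e.g. by the server and by a web-server rule.
const stacked = {
  'access-control-allow-origin': [ORIGIN, ORIGIN],
  'access-control-allow-credentials': ['true'],
};
const single = {
  'access-control-allow-origin': [ORIGIN],
  'access-control-allow-credentials': ['true'],
};
const challenge = { 'www-authenticate': ['Negotiate', 'NTLM'] }; // constructed 401 headers

console.log(authModel(401, challenge, null));                     // web-tier (IWA)
console.log(authModel(200, {}, { error: { code: 499 } }));        // token
console.log(corsProblems(ORIGIN, stacked), corsProblems(ORIGIN, single));
```
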

AaronFindlay
New Contributor III

Hi Chris,

Thank you for providing clarification to this issue.

Can I enquire if there are any plans to implement a model within ArcGIS Online that will support storing credentials for ArcGIS Server Services secured with Web-Tier Authentication?

Being able to store credentials within ArcGIS Online when using ArcGIS Server Services secured with Web-Tier Authentication is essential to achieve a number of important and highly valuable types of functionality, especially when trying to provide secure access to organizational data stored within ArcGIS Server via ArcGIS Online.

I understand that each authentication model is different and has its own pros and cons and complexities; however, ideally I would like to think that Web-Tier Authentication will be treated equally to Token Based Services within ArcGIS Online with regard to development, functionality and support.

Thanks again for your valuable input to this query.

Sincerely

Aaron

ChrisWhitmore
Esri Regular Contributor

Hi Aaron,

Sorry for the delayed response. In re to

"Can I enquire if there are any plans to implement a model within ArcGIS Online that will support storing credentials for ArcGIS Server Services secured with Web-Tier Authentication?"

It's something we're looking into. Though, I don't have an ETA at this time on when the functionality would be available. Feel free to send me an email at cwhitmore@esri.com if you want to discuss further (or would like to communicate your specific config / requirements in more detail).

Thanks for the feedback,

Chris

dmacq
New Contributor III

Hey Andrew

Can you explain this step, please?

Before using in ArcGIS Online the ArcGIS Server must be CORS enabled, including if necessary adding your ArcGIS Online Organization url (e.g. https://myorganisation.maps.arcgis.com) to the allowed host names in the ArcGIS Server Admin Directory.

If I click the link, it takes me to the help section for enabling/disabling access to the services directory. I can't find anything on adding allowed hosts. Thanks!
