pfoppe

Edit public facing feature services on arcgis.com using web-tier auth - DOES NOT WORK

Discussion created by pfoppe on Jun 20, 2014
Latest reply on Aug 11, 2017 by pfoppe
We have public facing web-services with the 'feature access' capability enabled.  Operations include create, update, delete (and geometry updates).  We are also attempting various offline capabilities using the newly offered 'sync' operation.  We are unable to get any of this to work using web-tier authentication (NTLM, Kerberos,Http Basic, etc).  The public facing web-services are configured similar to the Multiple firewalls with reverse proxy and Web Adaptor in a perimeter network on the ArcGIS server help documentation:


  • web-tier authentication

  • User store: windows domain

  • role store: built-in

  • web-adaptor server sitting in our DMZ

  • GIS Site sitting in our internal network

  • Reverse proxy communication from DMZ to internal network. 

  • Web-app Firewalls (WAF) in front of and behind the web-adaptor server in the perimeter DMZ environment



on the web-adaptor server we have deployed two web adaptors to Supporting a mix of public and private services.  One web-adaptor is deployed over both port 80 and 443 but allows strictly anonymous access (for consuming and unauthenticated access).  The second web-adaptor we have anonymous access disabled and have enabled Integrated Windows Auth (IWA) using both kerberos and NTLM as providers.  We have also tested using HTTP Basic. 

If we add feature service content to an arcgis online map, it tells us that its an internal only service and editing is disabled.  The services are accessible from the dirty internet.  It appears that arcgis.com map executes a request to the service info page (https://www.myserver.com/arcgisauth/rest/info?f=json) and also tries to proxy the request like so:

Request URL:https://www.arcgis.com/sharing/proxy?https://www.myserver.com/arcgisauth/rest/services/FeatureServices/MyService/FeatureServer/0?f=json
Request Method:POST
Status Code:504 Gateway Timeout


Both of those fail because the public facing server returns an HTTP Error code 401 with the 'www-authenticate' headers as the options the client has available to authentication.  We have tried Kerberos, NTLM, and HTTP Basic.  It appears that the arcgis.com map ignores he 'www-authenticate' header and just disables the editing capabilities rather than attempting to obtain the user credentials. 

We can successfully configure the public facing web-server to use GIS Token based authentication (anonymous enabled and IWA disabled on the web-adaptor server), but that security configuration is really not ideal for our customer base. 

Is this a known limitation?  Is there something we are doing wrong?  I would have expected web-tier authenticated services to have editable capabilities if users supplied their credentials.

Thanks for any help/guidance!

Outcomes