https://community.esri.com/t5/arcgis-enterprise-portal-questions/windows-auth-arcgis-server-access-is-left-open/m-p/523092#M7218 <HTML><HEAD></HEAD><BODY><P>So, it seems federated Server security is handled by Portal. So no, rest end points shouldn't be public. Should be protected by portal's security, IWA or otherwise.</P><P></P><P>Couldn't find any reference to server REST api endpoints changing, other than the tokens url, which changes to portal.</P><P></P><P>I figure&nbsp;public js api web apps to keep having access must use "the" proxy with included credentials.</P><P>This bread and butter kind of stuff is really not clear or easy to find. I can get more info on high availability scenarios than on simpler things.</P><P></P><P>Maybe it's&nbsp; just me, but I find docs very confusing, spread over many, many seemingly unrelated pages. I still can't figure a simple, to the point, conclusion of how IWA/security works... I can get a step-by-step to configure it but can't get a good picture of what it causes...</P><P></P><P></P><P>So on to testing in a vm the whole thing... hours and hours of fun await.</P></BODY></HTML> Thu, 28 Dec 2017 18:36:36 GMT DuarteCarreira 2017-12-28T18:36:36Z https://community.esri.com/t5/arcgis-enterprise-portal-questions/windows-auth-arcgis-server-access-is-left-open/m-p/523091#M7217 <HTML><HEAD></HEAD><BODY><P>I'm looking at security models in Portal + Server. I'm interested in keeping my server with integrated windows authentication (IWA).</P><P>Instructions say to disable server webadaptor security before joining the portal:</P><P><A class="link-titled" href="http://server.arcgis.com/en/portal/latest/administer/windows/use-integrated-windows-authentication-with-your-portal.htm" title="http://server.arcgis.com/en/portal/latest/administer/windows/use-integrated-windows-authentication-with-your-portal.htm">Use Integrated Windows Authentication with your portal—Portal for ArcGIS (10.5.x) | ArcGIS Enterprise</A>&nbsp;</P><P></P><P>My question is: in the end will access be open (anonymous) to server rest api endpoints?</P><P></P><P>Thanks.</P></BODY></HTML> Thu, 28 Dec 2017 10:34:38 GMT https://community.esri.com/t5/arcgis-enterprise-portal-questions/windows-auth-arcgis-server-access-is-left-open/m-p/523091#M7217 DuarteCarreira 2017-12-28T10:34:38Z https://community.esri.com/t5/arcgis-enterprise-portal-questions/windows-auth-arcgis-server-access-is-left-open/m-p/523092#M7218 <HTML><HEAD></HEAD><BODY><P>So, it seems federated Server security is handled by Portal. So no, rest end points shouldn't be public. Should be protected by portal's security, IWA or otherwise.</P><P></P><P>Couldn't find any reference to server REST api endpoints changing, other than the tokens url, which changes to portal.</P><P></P><P>I figure&nbsp;public js api web apps to keep having access must use "the" proxy with included credentials.</P><P>This bread and butter kind of stuff is really not clear or easy to find. I can get more info on high availability scenarios than on simpler things.</P><P></P><P>Maybe it's&nbsp; just me, but I find docs very confusing, spread over many, many seemingly unrelated pages. I still can't figure a simple, to the point, conclusion of how IWA/security works... I can get a step-by-step to configure it but can't get a good picture of what it causes...</P><P></P><P></P><P>So on to testing in a vm the whole thing... hours and hours of fun await.</P></BODY></HTML> Thu, 28 Dec 2017 18:36:36 GMT https://community.esri.com/t5/arcgis-enterprise-portal-questions/windows-auth-arcgis-server-access-is-left-open/m-p/523092#M7218 DuarteCarreira 2017-12-28T18:36:36Z