Android ArcGIS Collector App Cannot Authenticate with Windows Active Directory

05-07-2014 09:41 AM
DeanPokrajac
New Contributor
Android ArcGIS Collector App cannot authenticate with ArcGIS Server secured service Windows Active Directory users. The login form appears, but credentials do not work when entered and the login form reappears. iOS ArcGIS Collector App is able to authenticate with ArcGIS Server secured services and Windows Active Directory users just fine. Is this a known bug?

Accepted Solutions
GISSupport3
Regular Contributor

OK, I have had a small win.

The issue was Apple and Android required the credentials to be supplied differently.

Apple -> username

Android -> UsernamE@DOMAIN

And even if it wasn't the issue it (currently) seems to work for me.

Thanks


13 Replies
GISSupport3
Regular Contributor

I also am faced by this issue.

Has anyone resolved / have an update?

PS Login worked on an iPad and not an iPhone. Failed on three different Android devices.

Thanks

GISSupport3
Regular Contributor

OK, I have had a small win.

The issue was Apple and Android required the credentials to be supplied differently.

Apple -> username

Android -> UsernamE@DOMAIN

And even if it wasn't the issue it (currently) seems to work for me.

Thanks

AmosWachanga
New Contributor II

Had the exact same problem on various Android devices...but following your solution, it WORKED!

Android -> UsernamE@DOMAIN

Thanks

GISSupport3
Regular Contributor

G'day Amos!

Just a small tweak ... our names in AD are (were) not standardised.

We sometimes need a user to connect to Portal (with Integrated Windows Authentication) to see the account name being used. Some users needed to be username@DOMAIN (and combinations of) though Android needs the domain and iOS doesn't.

FrankPotempa
Occasional Contributor

Hmm, can't seem to get it to work on our side. I'm using the latest version of Portal 10.3 and Collector 10.2.7.

Interesting thing is we have ADFS hooked in and I can login to the application with the domain\user account, but upon getting prompted for the feature service credentials I tried many derivatives such as user\domain(.net and .com), domain\user and none reconcile. I see errors in the logs such as;

Failed to compute the privilege for the user 'user@.....net'. null

However this same account can access/edit the same feature service in Portal maps and iOS Collector.

I believe I had this working at 10.2.2 and 10.2.5.

Thanks

Frank

GISSupport3
Regular Contributor

Does the feature service appear in My Content?

FrankPotempa
Occasional Contributor

Yes, the feature service shows up in Portal content if added as an item, as well as in a map made in Portal when added from web or from items; additionally, it works in iOS Collector without issue. In the ArcGIS Server logs I'm not seeing any denials of service. I do have some 443 errors in the IIS logs related to token for this particular feature; however, that would make sense if the login credentials are not working. I can't imagine it's our configuration, however possibly, since this is the newest setup with 10.3 for Portal and server inside using ADFS/AD security for Collector access and token for feature service access.

GISSupport3
Regular Contributor

Clutching at straws here ... sounds more like something to log with your local ESRI support

- Any user account doesn't work with Android?

- The Server and Portal are federated?

- The services and maps were upgraded to 10.3 or made in 10.3?

FrankPotempa
Occasional Contributor

Sorry to keep you waiting. It is suspenseful. So after multiple troubleshooting avenues, including a support ticket to ESRI, a bug was identified and a work-around was provided. The bug was just opened on Jan 23:

[ BUG-000084681 : Unable to authenticate feature service in Collector for Android when the service is using token authentication and Portal is using Active Directory Federation Service (ADFS). ]

The issue lies within the Collector code. Collector has some code that will parse the username for a backslash and parse it out as a domain\username if it has one. So basically, what is happening is that when we enter 'domain\user' as the username, it is then being parsed into a UserCredential object with 'domain' and username, without including the domain. For some reason, this still allows a token to be generated, but the token is invalid because the feature layer service doesn't know the 'user', it knows 'domain\user'.

Work around
A work around to this issue is to use the following username to log in 'domain\domain\user'. This will cause the first 'domain\' to be parsed off and set as the domain, leaving the remaining username as 'domain\user' which will allow the token to be generated and the service authenticate. It's important to note that you only need to use this variation when authenticating the services on Androids.

Although I'm happy that I have a resolution to allow my users to use/test the app, it is kinda hokey and doesn't pass without question from my team and users. I'm waiting on some clarification from Tech support on the fix approach and release schedule.

Frank
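
The parsing behaviour and workaround described in the post above, modelled as an added example (not part of the original thread and not Collector or Portal code). The `CORP\jdoe` account, all function names, and the `requalify` fix are assumptions made for illustration.

```python
# Added model of the behaviour described in the post; every name here is
# hypothetical and none of this is Collector or Portal code.
from typing import NamedTuple, Optional


class UserCredential(NamedTuple):
    domain: Optional[str]
    username: str


def parse_login(entered: str) -> UserCredential:
    """Split on the first backslash only, as the post describes."""
    if "\\" in entered:
        domain, username = entered.split("\\", 1)
        return UserCredential(domain, username)
    return UserCredential(None, entered)


def token_subject(cred: UserCredential, requalify: bool = False) -> str:
    """Name the token is requested for.

    requalify=False: reported behaviour, the parsed domain is dropped.
    requalify=True: assumed fix that puts the parsed domain back.
    """
    if requalify and cred.domain:
        return f"{cred.domain}\\{cred.username}"
    return cred.username


def try_login(entered: str, known_accounts, requalify: bool = False):
    """Return (token subject, whether the service recognises it)."""
    subject = token_subject(parse_login(entered), requalify)
    return subject, subject in known_accounts


# Constructed sample: the one account name the feature service knows.
KNOWN = {"CORP\\jdoe"}

if __name__ == "__main__":
    for requalify in (False, True):
        print("assumed fix" if requalify else "reported behaviour")
        for entered in ("CORP\\jdoe", "CORP\\CORP\\jdoe"):
            subject, ok = try_login(entered, KNOWN, requalify)
            print(f"  {entered!r} -> token for {subject!r}, accepted={ok}")
```

Under the assumed fix the doubled-domain form no longer matches the stored account, so users given the workaround would have to return to the plain `domain\user` form once a corrected client is deployed.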