store credentials in AGOL, access in Collector

danbecker · ‎01-15-2015

Very simple question, I would like to know if anyone has success taking a webmap offline in Collect that contains a feature service with stored credentials?

1. publish a feature service on your 10.2.2+ server, make sure to enable Sync in the feature service capabilities.

2. secure it with "traditional" GIS-tier authentication (ArcGIS Server built-in username/password) that uses tokens

3. Login to your organizational ArcGIS.com account

4. In 1 of the folders under "my content", click add item / from the web

5. Enter the REST endpoint URL to your feature service, then hit Tab key

6. Enter valid credentials to access the service

7. make sure to select "Store credentials with service item. Do not prompt for authentication"

8. Enter name, tags, ect... then Add Item

9. If login box pops up, enter valid service credentials again.

10. Add this item to a new webmap and save webmap as TEST

11. Share both the feature service item and webmap with a group or your orginization

12. Login to your organization using Collector for ArcGIS

13. click the cloud download button on the TEST webmap you saved in step #10

During the map download in Collector, do you get an error? My testing says YES.

Why? Because you have credentials stored with the item you added to ArcGIS Online.

Follow exact same workflow, but this time, on step #7 select "Do not store credentials with service item. Prompt for authentication everytime."

During the map download in Collector, do you get an error? My testing says NO. Because credentials are not stored with the feature service item.

DanielSmith · ‎04-15-2015

Same here. We add the service at the top level as well.

danbecker · ‎04-15-2015

I think AGOL can req. Tokens fine, it works when creds. Aren't stored.

I think its cert. Related or in the way AGOL used or accesses the creds.

Do you by chance have a wildcard cert? I.e. *.yourdomain.com in the CN field??

DanielSmith · ‎04-15-2015

No. But I will double check.

EDIT: Confirmed no wildcard cert

DeniseKing1 · ‎04-16-2015

Dan and Daniel,

Please email me (dking@esri.com) so that I can help you submit a support case and aide in resolving this issue. Apps Group wants to diagnose the issue as we have successfully used the Collector app using ArcGIS Serer built-in user token security in the past.

Thank you,

Denise

Technical Lead - Apps/Mobile

Esri Support Services

NicolasGIS · ‎08-03-2015

Exactly the same problem with :

- ArcGIS server 10.3.1

- HTTPS only

- GIS-tier authentication

- Feature service with sync enabled

I cannot download the map if credentials are stored in the feature layer but it works if they are not stored.

When credentials are stored, it is important to notice that I can see layers in Collector but not download them.

The error message in Collector is :

"The requested URL was not found on this server".

When checking the feature properties, URL of the layer follows the following pattern :

https://utility.arcgis.com/usrsvcs/servers/......someId...../rest/services/folderName/ServiceName/Fe...

and I have also an error 403 :

You do not have permissions to access this resource or perform this operation.

Any progress since April ?

Cheers,

Nicolas

DanielSmith · ‎08-03-2015

[ BUG-000087818: When security for virtual directories is enabled at the server admin endpoint, stor...

danbecker · ‎08-03-2015

In working with ESRI support to diagnose the problem, I was advised to disable security for virtual directories via the server admin endpoint. Security/Config/Update, uncheck virtural directories security enabled.

Then you can store credentials with service item in AGOL and it will work with Collector.

Since I am unaware of how this effects overall security of the service, I opted to leave the feature enabled, and simply advise our field staff to login when prompted. It was relatively easy to create a new ArcGIS Server username/pw to have the same credentials as their AGOL named user account.

DanielSmith · ‎08-03-2015

At least the severity has been bumped to High and it appears to be Open and Assigned. Wonder if we'll have to wait for 10.3.2 to patch the security hole or if a hot fix/patch will be released.

NicolasGIS · ‎08-03-2015

Thanks for your answers and for the bug report.

Indeed, it works for me as well when security for virtual directories is disabled. But it is taking a longer time than usual.

Though, I still have the 403 error when getting the URL written is the map layers item.

Good to know that they are working on it.