store credentials in AGOL, access in Collector

9975
28
01-15-2015 01:52 PM
danbecker
Occasional Contributor III

Very simple question, I would like to know if anyone has success taking a webmap offline in Collect that contains a feature service with stored credentials?

1. publish a feature service on your 10.2.2+ server, make sure to enable Sync in the feature service capabilities.

2. secure it with "traditional" GIS-tier authentication (ArcGIS Server built-in username/password) that uses tokens

3. Login to your organizational ArcGIS.com account

4. In 1 of the folders under "my content", click add item / from the web

5. Enter the REST endpoint URL to your feature service, then hit Tab key

6. Enter valid credentials to access the service

7. make sure to select "Store credentials with service item. Do not prompt for authentication"

8. Enter name, tags, ect... then Add Item

9. If login box pops up, enter valid service credentials again.

10. Add this item to a new webmap and save webmap as TEST

11. Share both the feature service item and webmap with a group or your orginization

12. Login to your organization using Collector for ArcGIS

13. click the cloud download button on the TEST webmap you saved in step #10

During the map download in Collector, do you get an error? My testing says YES.

Why? Because you have credentials stored with the item you added to ArcGIS Online.

Follow exact same workflow, but this time, on step #7 select "Do not store credentials with service item. Prompt for authentication everytime."

During the map download in Collector, do you get an error? My testing says NO. Because credentials are not stored with the feature service item.

Tags (2)
28 Replies
RussRoberts
Esri Notable Contributor

Are you seeing this on iOS or Android? Have you looked at the server debug logs to see if anything is showing up there?

Thanks

Russ

0 Kudos
danbecker
Occasional Contributor III

nothing in arcgis server logs.

Yes, this is happening on both iOS and android collector apps.

Going a step backward, there is a way to "test" if the secured service will work in Collector, prior to adding the service item to a webmap.

In the above workflow, right after step #9, you will be at the item details page, that summarizes the service item you just added to ArcGIS Online. At the top of the page, just to the right of the thumbnail image, click on the "Feature Service" hyperlink.

If you get Error 403 you do not have permission, then this feature service layer WILL NOT be downloadable in Collector. Conversely, if you are properly redirected to the Feature Service REST endpoint page, then the service layer WILL be downloadable in Collector.

Again, the behavior of the Error 403 page, and subsequently not being able to download the layer in Collector are BOTH related to storing credentials with the layer when adding it to ArcGIS Online.

This bug, or lack of documentation is causing us issues. All field crews have to remember, both their ArcGIS Server AND ArcGIS Online credentials. Not to mention the fact you're continually typing in credentials every time you try and access the secured service.

RussRoberts
Esri Notable Contributor

I tested this out with my 10.2.2 server with Collector Android 10.2.7 using the owner of the item to download the layer and then an account of a user that has access to the item through a group and both were able to download the service with no errors. 

When you are adding the layer as a proxied item in AGOL you need to use the top level of the service and not the individual layer level. This is what it should look like:

http://servername.esri.com/arcgis/rest/securedfsname/FeatureServer

If you create the proxied item with the URL for the individual layer like /FeatureServer/0 when any app tries to access the Create Replica capability the app cannot gain access because the proxied item only exposes the layer level of the service to app and not the top level.

Russ

danbecker
Occasional Contributor III

So you added a secured feat. Service and stored credentials, then downloaded map in collector?

Can you msg me, I will give you my rest URL and credentials to try.

I have been trying with the top level URL, copied directly from browser.

I also reprpduced the feature service link displaying 403 error when I used esri's sample server6, but since that service wasn't sync enabled couldn't test collector download.

0 Kudos
RussRoberts
Esri Notable Contributor

sent you a GeoNet msg.

0 Kudos
DanielSmith
Occasional Contributor III

We are dealing with this exact issue. What was the correct solution Russell Roberts

0 Kudos
danbecker
Occasional Contributor III

unfortunately, I can still report that we are continuing to have this problem after the Collector 10.3 update.

I was told by an ESRI tech. that the problem was that our SSL cert installed on our GIS Server was NOT in the list of trusted CA's on the AGOL server. The tech. gave me the names of 2 SSL providers that he knew were trusted, so we purchased a SSL cert. from one of them and installed it.

The new SSL cert. and 10.3 release of collector did not solve the problem.

I called/emailed ESRI tech. support and asked that the case be re-opened for eval. and am awaiting their response.

I added a feat. service with credentials stored --> result in failed to download map in Collector.

I added the same feat. service with NO stored credentials --> result in successful map download in Collector.

Both server and Collector are version 10.3

DanielSmith
Occasional Contributor III

Is your server federated with Portal?

0 Kudos
danbecker
Occasional Contributor III

No federated server.

We secure our services using using ArcGIS Server built-in users/roles.

We do not use Portal for ArcGIS. We are using ArcGIS Online Organization account as our portal.