store credentials in AGOL, access in Collector

01-15-2015 01:52 PM
danbecker
Occasional Contributor III

Very simple question: I would like to know if anyone has had success taking a webmap offline in Collector that contains a feature service with stored credentials?

1. publish a feature service on your 10.2.2+ server, make sure to enable Sync in the feature service capabilities.

2. secure it with "traditional" GIS-tier authentication (ArcGIS Server built-in username/password) that uses tokens

3. Login to your organizational ArcGIS.com account

4. In 1 of the folders under "my content", click add item / from the web

5. Enter the REST endpoint URL to your feature service, then hit Tab key

6. Enter valid credentials to access the service

7. make sure to select "Store credentials with service item. Do not prompt for authentication"

8. Enter name, tags, etc., then Add Item

9. If login box pops up, enter valid service credentials again.

10. Add this item to a new webmap and save webmap as TEST

11. Share both the feature service item and webmap with a group or your organization

12. Login to your organization using Collector for ArcGIS

13. click the cloud download button on the TEST webmap you saved in step #10

During the map download in Collector, do you get an error? My testing says YES.

Why? Because you have credentials stored with the item you added to ArcGIS Online.

Follow exact same workflow, but this time, on step #7 select "Do not store credentials with service item. Prompt for authentication everytime."

During the map download in Collector, do you get an error? My testing says NO. Because credentials are not stored with the feature service item.

28 Replies
DanielSmith
Occasional Contributor III

Have you explored adding tokens you generate to the service URL?

0 Kudos
danbecker
Occasional Contributor III

no, mainly due to security risk. The token would expire anyway, prompting for re-auth via credentials box, which would be the same as not storing credentials.

It would be easiest to install on-premises portal and federate our server, but then we'd have to buy 20+ named user accounts as federating renders the unlimited usernames possible on server...useless.

DanielSmith
Occasional Contributor III

unless you have workgroup level licenses then you are bound to 10 Portal users even if you wanna buy them.

0 Kudos
danbecker
Occasional Contributor III

we have server standard workgroup

0 Kudos
DanielSmith
Occasional Contributor III

From my understanding and from what the Esri rep told us, with federated server standard workgroup you can only have 10 portal users. Which would be due to the max number of concurrent connections allowed by SQL Server Express...

DanielSmith
Occasional Contributor III

Do you require HTTPS for all AGOL traffic? Not trying to pry just trying to figure this out

0 Kudos
danbecker
Occasional Contributor III

yes.

arcgis server administrator page: protocol - HTTPS only

DanielSmith
Occasional Contributor III

And in AGOL too? Just trying to figure out if it's a security chain issue by chance.

Seems to be an issue with how AGOL is requesting the tokens. Agree?

If I may, what did Russell Roberts have to say outside of the thread? Just trying to get all the info I can about the issue to communicate it to my higher ups.

0 Kudos
RussRoberts
Esri Notable Contributor

If you are trying to take a layer offline coming from your internal server with embedded credentials you need to have the URL for the service at the top level and not for the individual layer. Sample: Points/FeatureServer is what should be used - not Points/FeatureServer/0. If you have the second option being used in the item then the app cannot call create replica and it will fail to download.

Hope this helps you out.

Russ
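A pre-flight check for the preconditions named in this thread (service-level URL rather than a layer URL, HTTPS, no token pasted into the URL, Sync enabled), written as an added example and not code from any poster or from Esri. The host `gis.example.com` and the sample JSON are constructed; `capabilities` and `syncEnabled` are fields of the service-level `?f=json` response, and the function names are hypothetical.

```python
import json
import re
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Service-level path, optionally followed by a layer index such as /0.
_SERVICE_RE = re.compile(r"^(?P<root>.*/FeatureServer)(?:/(?P<layer>\d+))?/?$", re.I)

def check_item_url(url):
    """Return (service_root_url, problems) for a feature service item URL."""
    problems = []
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        problems.append("URL is not HTTPS")
    if "token" in parse_qs(parts.query):
        # A token in the item URL is visible to everyone the item is shared with.
        problems.append("token embedded in URL")
    m = _SERVICE_RE.match(parts.path)
    if not m:
        problems.append("path does not end in /FeatureServer")
        return None, problems
    if m.group("layer") is not None:
        problems.append("URL points at layer %s, not the service root" % m.group("layer"))
    # Rebuild the service root without layer index, query string or fragment.
    root = urlunsplit((parts.scheme, parts.netloc, m.group("root"), "", ""))
    return root, problems

def check_sync(service_json):
    """Check the service-level JSON text for the Sync capability."""
    info = json.loads(service_json)
    problems = []
    caps = [c.strip().lower() for c in info.get("capabilities", "").split(",")]
    if "sync" not in caps:
        problems.append("Sync capability is not enabled")
    if not info.get("syncEnabled", False):
        problems.append("syncEnabled is false")
    return problems

# Constructed sample inputs (not taken from the thread).
SAMPLE_URL = "https://gis.example.com/arcgis/rest/services/Points/FeatureServer/0"
SAMPLE_JSON = '{"capabilities": "Create,Delete,Query,Sync,Update,Uploads,Editing", "syncEnabled": true}'

if __name__ == "__main__":
    root, url_problems = check_item_url(SAMPLE_URL)
    print("Use this URL for the item:", root)
    for p in url_problems + check_sync(SAMPLE_JSON):
        print("PROBLEM:", p)
```

Passing these checks does not by itself explain the stored-credentials failure reported above; it only rules out the URL and Sync causes.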

danbecker
Occasional Contributor III

Yes, I've been correctly adding the services in AGOL. I always add them without /0 regardless of if I store credentials or not.

If no credentials stored the replica is successfully created and all is well. Stored credentials doesn't work.