Access federated MapServer from Portal

05-19-2021 03:11 AM
Ganael_Jatteau
New Contributor II

Hi,

I use a federated ArcGIS Server in a Portal and I do see all the services appearing in the content directory of the portal. I noticed that the service URL for each service points directly to the ArcGIS Server (ex: https://arcgisserver/arcgis/rest/services/myservice/MapServer), is that normal?

Then I have created an application in the portal. I use this app to do app login to get an authentication token.

Ex: https://SERVER/portal/sharing/rest/oauth2/token?client_id=CLIENTID&grant_type=client_credentials&client_secret=CLIENT_SECRET

The /token works fine. However, if I use the token I got to query my ArcGIS service (ex: https://SERVER/arcgis/rest/services/SERVICE/MapServer?f=json&token=...), I get an invalid token error.

Is there something specific to do so that I can access the MapServer with a token from the portal?

Thanks for your help!

0 Kudos
5 Replies
Todd_Metzler
Occasional Contributor III

Hello,

Check:

1.  Server and portal certificates.  Are they CA root, intermediate and host?  If there is an issue here, setting your Portal and Server logging to debug should reveal it.

2.  Are you using the Fully Qualified Domain Name (FQDN) for your private portal and server URLs in federation?

3.  Do you allow admin access through your server web adaptor?

4.  Your app.  What account are you using to generate the token?  Depending on how you generate the token, that might also have to be used to query the server.  This is also a short-term token, so check that your short-term token settings match your desired workflow.

Todd

0 Kudos
Ganael_Jatteau
New Contributor II

Hi Todd, 

Thanks for your reply. I had the chance to test on an environment where all certificates are set up correctly.

I think the problem is specific to the "App credentials" authentication method. The doc says this method works only to access "ready to use services". When accessing hosted content, for example, the ArcGIS Server logs say that JSONObject["username"] is missing when reading the token.

However, this is not an issue with ArcGIS Online, where app credentials allow access to any type of content.

Do you think it is a limitation of Portal for ArcGIS? Is there any other way to get a token that can access federated services without requiring the user to sign in through a web page (for desktop or non-web applications)?

Thanks

Ganaël

 

0 Kudos
TomaCasa
New Contributor III

I'm also having a similar token issue.

I'm using the following in C# with the RestSharp library.

It works perfectly in AGOL, and I am able to query data from the FeatureService.

But when used against our Portal it gets a token;
however, it is unable to use it for hitting REST endpoints to query, and throws an error:

"{\"error\":{\"code\":498,\"message\":\"Invalid Token\",\"details\":[]}}"

    // Request an app token from the OAuth2 token endpoint (client_credentials grant)
    RestRequest r = new RestRequest(tokenUrl);
    r.AddParameter("client_id", client_id);
    r.AddParameter("client_secret", client_secret);
    r.AddParameter("grant_type", "client_credentials");

    r.Method = RestSharp.Method.POST;
    r.RequestFormat = DataFormat.Json;
    RestClient c = new RestClient();
    IRestResponse rs = c.Execute(r);

    // Deserialize the JSON response and read the token from it
    JsonDeserializer a = new JsonDeserializer();
    Dictionary<string, string> d = a.Deserialize<Dictionary<string, string>>(rs);

    accessToken = d["access_token"];

0 Kudos
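An added example, not part of any post in this thread: a Python sketch of the same app-login flow that sends `client_secret` in a POST form body rather than in the URL query string (URLs are commonly recorded in proxy and web-server access logs), and that checks every response body for the `{"error": ...}` envelope quoted above. The function names, the `ArcGISError` class and the sample token response are assumptions constructed for illustration; only the endpoint path, the three parameters, the `access_token` key and the 498 error body come from the thread.

```python
import json
from urllib.parse import urlencode


class ArcGISError(Exception):
    """Raised when a response body carries an {"error": {...}} envelope."""
    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.code = code
        self.message = message


def build_token_request(portal_url, client_id, client_secret):
    """Return (url, headers, body) for a POST to the portal's oauth2/token.

    The credentials travel in the form body, so the secret never appears
    in the request URL.
    """
    url = portal_url.rstrip("/") + "/sharing/rest/oauth2/token"
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    }).encode("ascii")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return url, headers, body


def parse_rest_response(text):
    """Parse a JSON response body; raise ArcGISError on an error envelope."""
    data = json.loads(text)
    err = data.get("error") if isinstance(data, dict) else None
    if isinstance(err, dict):
        raise ArcGISError(err.get("code"), err.get("message", ""))
    return data


def extract_token(text):
    """Return access_token from a token response, or raise ArcGISError."""
    token = parse_rest_response(text).get("access_token")
    if not token:
        raise ArcGISError(None, "no access_token in response")
    return token


# Constructed sample token response (not captured from a real portal).
SAMPLE_TOKEN_RESPONSE = '{"access_token": "CONSTRUCTED_TOKEN", "expires_in": 7200}'
# Error body as quoted in the post above.
SAMPLE_INVALID_TOKEN = '{"error":{"code":498,"message":"Invalid Token","details":[]}}'
```
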
Ganael_Jatteau
New Contributor II

Apparently there is a workaround that consists of storing the credentials for a specific service:

https://support.esri.com/en/Technical-Article/000017029

I didn't have a chance to test that solution though.

0 Kudos
TomaCasa
New Contributor III

Thanks for the reply - I've used that before - however that is for WebApps and limiting access. It works basically like a reverse proxy to block everything except a list of URLs.

In this case I'm using a desktop-based app to sync data to a locally stored gdb via REST - a little bit different.
I've submitted a ticket to ESRI support, so let's see what they say - will post the result if they can solve it.

0 Kudos