No secure service credentials prompt because of IWA

5776
6
Jump to solution
05-19-2015 09:40 AM
by Anonymous User
Not applicable

I recently installed Portal 10.3 and it is now configured with Integrated Windows Authentication. I also have our ArcGIS Server (10.3) configured with IWA, and it is not federated with Portal.

I was testing registering a service from our ArcGIS Server with Portal. Because everything uses IWA and I am signed-on with my domain account on my desktop I was not prompted for credentials for the service that I registered. However I want to make sure that the credentials are stored with the service for when it is used on mobile devices.

Is there a way around this besides registering services on a computer outside our domain (not feasible...)? Or does Portal automatically store credentials when a service uses IWA? Thanks!

Tags (1)
1 Solution

Accepted Solutions
JeffSmith
Esri Contributor

Sarah,

No, there is not a way in Portal to save credentials for a service that is secured with IWA which is why the option to input credentials and save them is not there.  When accessing the IWA secured service using a browser inside your domain, the credentials are automatically passed through the browser.  When using a mobile device or accessing them outside the domain, you would more than likely be prompted for credentials.

If you want to save credentials, you will need to use token-based security. More information on token-based security can be found here.

View solution in original post

6 Replies
JeffSmith
Esri Contributor

Sarah,

No, there is not a way in Portal to save credentials for a service that is secured with IWA which is why the option to input credentials and save them is not there.  When accessing the IWA secured service using a browser inside your domain, the credentials are automatically passed through the browser.  When using a mobile device or accessing them outside the domain, you would more than likely be prompted for credentials.

If you want to save credentials, you will need to use token-based security. More information on token-based security can be found here.

by Anonymous User
Not applicable

Maybe this information could be added to the Admin docs? When I was going through this online it didn't mention the IWA caveat:

Add items—Portal for ArcGIS (10.3 and 10.3.1) | ArcGIS for Server

JillHalchin
Occasional Contributor II

This another case of what I call "Esri fine print":  If you dig around in the documentation long enough, get lost following link after link, you'll eventually find out that what one help page says is possible, isn't in your case. 

Last year, I changed from Web to GIS Tier authentication when I found out that Portal wouldn't work with our services.  There was no warning about IWS vs. token.

So now I have to decide if it's worth changing security again.  I'll have to spend time researching it to see what other consequences might arise. Also, it means that my users will have to remember yet another name and password for some situations.

DuarteCarreira
Occasional Contributor II

This is an old post but someone may find this useful - wms is not available for token protected mapservices. It's in the fine print too. Some help page states it's the standard's fault even though the standard does not really support any kind of authentication. That's really out of scope of the wms standard. Go figure...

0 Kudos
DuarteCarreira
Occasional Contributor II

Just for reference:

Can't do it: Error: 499 Error occurred while processing request 

Can do it: WMS services—Documentation | ArcGIS Enterprise 

Anyway, using tokens you will have to get new tokens and give them to the users to include in the url, or use really long lived tokens, or use an authentication proxy like the one from esri (GitHub - Esri/resource-proxy: Proxy files for DotNet, Java and PHP. ).

0 Kudos
JoeHershman
MVP Regular Contributor

I am seeing something similar although not exactly the same but wondering if related.  We are trying to add a Tiled Service from AGOL to our Portal.  When we add the service it does ask for AGOL credentials, but does not give the ability to Save credentials.  Is this because of we are using IWA on the portal?  That does not make sense to me that you could not use IWA and access a AGOL service and save credentials

0 Kudos