Portal submitting feature edits as Portal service account not as signed in user

2869
3
10-26-2015 08:30 AM
AndyE
by
New Contributor II

Hi,

I'm trying to resolve an issue I'm having with Portal where edits to feature services are submitted as the Portal service account instead of the user signed into Portal.

Both Portal and ArcGIS server are configured to user web tier authentication to allow users to sign in seamlessly. I have set up a feature class in SQL server and enabled editor tracking. This feature class has been published as a single layer in a feature service on ArcGIS Server.

I can edit in ArcGIS Desktop and the REST end point (applyEdits) which correctly captures the name of the user signed into ArcGIS Server.

When I add the feature service as a layer to Portal (using the feature layer URL, no log in details requested), and edit in a Portal map, any new features or edits have the name of the service account running the Portal service added to the editor tracking fields not the name of the user.

I've been through the ArcGIS Server logs, and I can see that as the map draws all the requests have the correct user name. I queried layers and ran a Geoprocessing Service and can see that all calls from Portal to ArcGIS server have the correct user name.

When I create a new feature in my layer using the edit tools, all requests start coming from the windows service account instead of my user name. After the feature has been created subsequent calls to the feature layer (pop-up, query) again start coming from the Portal user.

If I use my custom app to programatically create a new feature, all requests are coming from my Portal user until I call "applyEdits" on my feature layer, when again requests start coming from the service account.

Is there anyway to force applyEdits to use the windows/Portal user instead of the service account to apply edits?

Thanks,
Andy

0 Kudos
3 Replies
AlexandreGAILING
Esri Contributor

- the typical workflow to do this is to use a federated server.

- using a portal (or agol ) with secured service on non federated server should work when you don't store credentials when referecing your FeatureService in Portal ( the drawback is that it asks you for your credentials whent using your app). But i don't know the behavior  of this option when using Web tier authentication with SSO.

hope this helps

Alex

0 Kudos
AndyE
by
New Contributor II

Thanks for the response Alex.

If I've read your second point correctly what we are trying to do should work?

  • We have added the secured content without storing credentials (we are never prompted for them when adding the content or using it).
  • When using a web map or an app with the secured content, I can see in the ArcGIS server logs that it is the user who is authenticated when first loading the secure content.
  • When querying the secured content the query calls are all coming from the user.
  • When running a geoprocessing service, all the calls are coming from the user.
  • When calling the applyEdits method the log shows all the calls coming from the service account and not the user.

Is this an issue I can resolve with Portal configuration (outside of federating the server, which I believe could cause issues with legacy applications), or is it a more fundamental Portal issue?

0 Kudos
ThomasColson
MVP Frequent Contributor

I believe this is the default behavior of Portal with federated GIS Servers behind web-tier. The user is in fact, authenticating via IWA, but the edit user stamp is coming from when PTL passed that edit from the Portal Web Interface, or feature service local edit check in/out, to SQL.

0 Kudos