Is Public/anonymous access possible with Web Tier Authentication?

12-19-2013 08:37 AM
JoeTosoni
New Contributor
Hi - regarding my ArcGIS for Server 10.2 setup, I currently have Server installed on one VM and the Web Adaptor for IIS installed/configured on another VM. I am also leveraging our existing Windows Domain (AD) for my user and role stores. Given that most of the services we host need to be exposed to the public, am I able to use web tier auth. to allow the public to access most services while securing specific services for certain users internally or within our domain? Or must I use GIS Server Auth. to allow this type of access to work? I'm just a little confused given that I can still have Anonymous Auth. enabled in IIS when Web Tier Auth. is leveraged in the ArcGIS Server configuration. Maybe for Web Tier to work I have to enable Windows Auth. in IIS? Thanks in advance.
0 Kudos
7 Replies
LeoDonahue
Occasional Contributor III
You lost me in the question, but yes, you can secure specific web services at 10.1.

http://resources.arcgis.com/en/help/main/10.1/0154/0154000005pm000000.htm

http://resources.arcgis.com/en/help/main/10.1/0154/0154000005qz000000.htm

http://resources.arcgis.com/en/help/main/10.1/0154/015400000517000000.htm

In my mind, anonymous access and authentication just don't go together, that must be an IIS thing.
0 Kudos
JustinRodriguez
Occasional Contributor
Hello Everyone,

So to answer your question bluntly, no, but creatively, YES.

Basically, you would have to have two web adaptors. The names below are just examples for this scenario; please feel free to change them to fit your needs.

Web adaptor secure

Web adaptor public


1. Set Web Tier Authentication in Server
2. Set permissions as expected for the 'Secure' web adaptor (Windows Integrated Authentication)
3. Set permissions on all of the services as required

4. Create a special 'Public User' in your Active Directory
5. Create a special 'Public Folder' in ArcGIS for Server
6. Publish your 'Public' Services to the Public Folder
7. Grant the 'Public User' rights to your 'Public Folder'

8. In IIS, go to your 'Public' Web Adaptor
9. Go to Authentication and ensure that "Anonymous Authentication" is ENABLED
10. Highlight Anonymous Authentication and select 'Edit' in the actions panel
11. Change the 'Anonymous User Identity' from 'IUSR' to '<mydomain>\PublicUser'
12. Right click on the web instance of the Public Web Adaptor and select 'Edit Permissions'
13. Click Edit, and add the 'Public User' to the list. Ensure that 'Read & Execute', 'List Folder Contents', and 'Read' are at least granted.

Now you have a Public URL. If a customer goes to the public URL, they will not be prompted for credentials, as the credentials will be passed for them. Therefore, their access is limited only to those folders the 'PublicUser' has rights to.

If you have any questions, please let me know. Thanks-

Justin
0 Kudos
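One way to check the two-adaptor layout from the steps above, added here as an example and not part of any post in this thread: a Python audit over a copy of IIS's applicationHost.config. The adaptor names `public` and `secure`, the account `EXAMPLE\PublicUser`, and the sample fragment are constructed; the check that Anonymous Authentication is off on the secure adaptor is an assumption about the intended setup.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a fragment of applicationHost.config, not from a real server.
# 'public' and 'secure' are hypothetical web adaptor names.
SAMPLE_CONFIG = r"""
<configuration>
  <location path="Default Web Site/public">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="true" userName="IUSR" />
      <windowsAuthentication enabled="false" />
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/secure">
    <system.webServer><security><authentication>
      <anonymousAuthentication enabled="true" userName="IUSR" />
      <windowsAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
</configuration>
"""

AUTH = "system.webServer/security/authentication/"

def auth_settings(root, app_path):
    """Return (anonymous_enabled, anonymous_user, windows_enabled) for one <location>, or None."""
    for loc in root.iter("location"):
        if loc.get("path", "").lower() == app_path.lower():
            anon = loc.find(AUTH + "anonymousAuthentication")
            win = loc.find(AUTH + "windowsAuthentication")
            on = lambda e: e is not None and e.get("enabled", "").lower() == "true"
            return on(anon), (anon.get("userName", "") if anon is not None else ""), on(win)
    return None

def audit(config_xml, public_path, secure_path, public_user):
    """List deviations from the two-adaptor setup described in the thread."""
    root, findings = ET.fromstring(config_xml), []
    pub, sec = auth_settings(root, public_path), auth_settings(root, secure_path)
    if pub is None or sec is None:
        return ["location entry missing for one of the web adaptors"]
    if not pub[0]:
        findings.append("public: Anonymous Authentication is disabled")
    if pub[1].lower() != public_user.lower():
        findings.append(f"public: anonymous identity is '{pub[1]}', expected '{public_user}'")
    if sec[0]:
        findings.append("secure: Anonymous Authentication is enabled")
    if not sec[2]:
        findings.append("secure: Windows Authentication is disabled")
    return findings
```

Calling `audit(SAMPLE_CONFIG, "Default Web Site/public", "Default Web Site/secure", r"EXAMPLE\PublicUser")` on the constructed sample reports the public adaptor still running as IUSR and the secure adaptor still accepting anonymous requests.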
DavidRoberts1
New Contributor

Hi Justin,

I have been trying to set up a web adaptor with anonymous authentication with a specific user in order to access secured map services. I've followed your instructions for doing this but the secured services don't show up, only the unsecured services in the services directory. Are there any additional steps or something else I could be missing here?

I started this configuration with ArcGIS Server 10.1 but due to a bug, you can't make the root of the services directory public so I upgraded to ArcGIS 10.2.2.

0 Kudos
LeoDonahue
Occasional Contributor III
"Anonymous Authentication"... love that phrase. :D

We're going to verify that the credentials the user is using to connect to these freely public web services is, in fact, the special Public User in our Active Directory, even though we don't really know who that is from the outside. But regardless, we've verified the credentials of those anonymous requests.

It sounds to me like we are restricting access to an authenticated user to only be able to read services in certain directories instead of restricting access to secured services to those who have authenticated to those secured services. But IIS and Tomcat certainly do things differently.

http://technet.microsoft.com/en-us/library/ff687657(v=ws.10).aspx




  • Authentication is the verification of the credentials of the connection attempt. This process consists of sending the credentials from the remote access client to the remote access server in an either plaintext or encrypted form by using an authentication protocol.

  • Authorization is the verification that the connection attempt is allowed. Authorization occurs after successful authentication.


0 Kudos
StevenGraf1
Occasional Contributor III

Is this still the case at 10.2.2? I thought I read this was a bug in 10.1 and was fixed at the 10.2 release. We are installing 10.2.2 and seem to be having this issue.

We can publish with only Windows authentication enabled. We need anonymous authentication enabled because the services require it, but with anonymous enabled it gives the error can't connect to publishing tools.

Creating a 'public' user in AD is out of the question.

Any thoughts?

0 Kudos
StevenGraf1
Occasional Contributor III

I asked Esri. The solution is to install 2 web adaptors on the same server. Enable Anonymous on one and Windows Auth on the other. Publish services using the one with Windows Authentication and use the services in applications using the anonymous authentication web adaptor. It seems to be working.

Steven

0 Kudos
PeterHanmore
New Contributor III

Wondering if anyone has gotten this configuration to work on any recent version (10.6 or higher)?
I'm trying to set up a site with both anonymous and Windows authenticated web adaptors but AGS denies access to the anonymous service despite IIS being set up with a specific AD account. The AGS log says that access was attempted by 'Anonymous user'.

0 Kudos