Publish Secure WMS to ArcGIS Enterprise

02-24-2021 04:51 AM
EinarD
New Contributor II

Hi,

I want to enable WMS for a secure service published to a federated ArcGIS Server (10.7.1). We're using IWA for our Enterprise.

The WMS works fine if the parent map service and the WMS layer are shared with "everyone", but when sharing only to my organization or a portal group, I'm unable to view the WMS.

I also get the error https://pro.arcgis.com/en/pro-app/latest/help/sharing/analyzer-error-messages/00297-layers-must-be-s... which states that it must be shared with everyone. Is this the case, must WMS services be shared with everyone?

1 Solution

Accepted Solutions
lvargas
Occasional Contributor

Hello @EinarD 

This is expected behavior. OGC services do not support OAuth2 (used for ArcGIS Enterprise authentication), so they must be shared public.

https://support.esri.com/en/bugs/nimbus/QlVHLTAwMDA5NTkzOQ==

There are also some other limitations related to OGC services.
https://gis.fema.gov/arcgis/help/en/portal/latest/use/ogc.htm#

The alternatives are:
- If it's a federated environment, publish the layers as public (you could disable the service directory of ArcGIS Server).
- Use an ArcGIS GIS Server stand-alone (without federation) and web-tier authentication, publish, and secure the service.

Regards.


6 Replies
George_Thompson
Esri Frequent Contributor
EinarD
New Contributor II

Thanks George, and yes, I've read this, but based on that I would expect my setup to work, since I'm using IWA and have same security settings for the parent map service as the WMS. I do wonder if it is different for Stand Alone servers as opposed to Federated ones.

I do see this in the devtools in the browser, strange since Portal and my federated server should trust each other:

Access to XMLHttpRequest at 'https://federatedserver.domain.com/arcgis/services/test/MyMapService/MapServer/WMSServer?SERVICE=WMS...' from origin 'https://Portal.domain.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

MarkMenzel1
New Contributor III

I understand the limitation but it means that we either have extra servers just for WMS or we share our development services to the public, or other groups that shouldn't see it.

Surely Esri can work out a way that the incoming request authenticates against the map service before being redirected to the WMS. WMS does after all have the ability to take in custom parameters.

GerryJamesMatidor
New Contributor

Has anyone found a solution for this issue other than make all OGC services public?  I am trying to secure a number of WMS/WFS services that are hosted in an ArcGIS Enterprise environment with 1 federated server.  Do we have any alternative to serve up these services so that they can accept a token or some form of OAuth mechanism?  I understand that the OGC services don't recognize this type of authentication but I thought ESRI would have come up with a solution at some point.

LindseyDanforth_Boulder
New Contributor II

Securing WMS services

The security for an ArcGIS Server WMS service is managed by controlling the security of its parent map or image service. If a particular role, for example, Planners, is denied access to a map, Planners will not be able to access the map no matter whether they try to consume it through SOAP, representational state transfer (REST), or OGC (for example, WMS) interfaces. ArcGIS Server supports a number of authentication schemes including HTTP-based authentication (Basic and Digest), Integrated Windows Authentication, and ArcGIS Server managed token-based authentication.

Integrated Windows Authentication

Services that are expected to be accessed through WMS interfaces should be secured using HTTP Basic, HTTP Digest, or Integrated Windows Authentication. Most WMS clients (both Esri and non-Esri clients) will understand and work with these widespread standard authentication schemes.

ArcGIS Server managed token-based authentication

Although not recommended, a WMS service can still be secured using ArcGIS Server managed token-based authentication by using this type of authentication on its parent map or image service. To make raw requests to WMS services protected by a token, you can get a valid token from the token service and append the token string as an extra parameter to the requests you send out. In other words, requests to a token-secured WMS service must use the following format:

https://<WMS_service_url>?<standard WMS parameters>&token=<valid_tokenString>

Most third-party desktop WMS clients will not be able to connect to WMS services secured in this way, but this technique can be used with WMS clients built with ArcGIS API for JavaScript.

WMS services—ArcGIS Server | Documentation for ArcGIS Enterprise

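The token-appended request format quoted in the post above, as an added example that is not part of the original post or of Esri's documentation: it builds the WMS URL with the token as an extra parameter and masks the token before a URL or log line is stored, because a token carried in the query string is written to access and proxy logs. The host name, token value and log line are constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample values (not from the thread).
SERVICE_URL = ("https://gisserver.example.com/arcgis/services/"
               "test/MyMapService/MapServer/WMSServer")
SAMPLE_TOKEN = "tok+en/=="  # placeholder; real tokens come from the token service

# Matches the value of a token= query parameter inside any text.
_TOKEN_RE = re.compile(r'(?i)([?&]token=)[^&\s"]+')


def build_wms_url(service_url, wms_params, token):
    """Return <WMS_service_url>?<standard WMS parameters>&token=<token>."""
    parts = urlsplit(service_url)
    if parts.scheme != "https":
        # The token is a bearer credential; refuse to send it in clear text.
        raise ValueError("token-secured WMS requests must use https")
    # Keep any query already on the URL, but drop a stale token parameter.
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k.lower() != "token"]
    query += [(k, v) for k, v in wms_params.items() if k.lower() != "token"]
    query.append(("token", token))
    # urlencode percent-encodes characters such as + / = in the token.
    return urlunsplit(parts._replace(query=urlencode(query)))


def redact_token(text):
    """Mask token values in a URL or log line before it is stored."""
    return _TOKEN_RE.sub(r"\1REDACTED", text)


if __name__ == "__main__":
    url = build_wms_url(
        SERVICE_URL,
        {"SERVICE": "WMS", "REQUEST": "GetCapabilities"},
        SAMPLE_TOKEN,
    )
    # Constructed access-log line containing the full request URL.
    log_line = f'10.0.0.5 - - "GET {url} HTTP/1.1" 200 5120'
    print(redact_token(url))
    print(redact_token(log_line))
```
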