If using the Web Adaptor is it really necessary to "secure" the published services?
customer will only consume services via the REST, so in my mind it seems a bit of overkill to secure the published services on top of running the web adaptor.
Users = Domain A
ESRI = Domain B (this is by design and cannot be moved to Domain A)
what would be the cleanest way to secure services....if they even nee to be secured at all?
A couple reasons I want to secure services using ArcGIS Server secure folders (beyond web adaptor) come to mind:
I'm sure there are other reasons. If all your services are public and you aren't concerned about #1, then you may not need security. However, even if using the web adaptor and you don't openly publish your end point, a couple minutes with Fiddler or other developer tools can usually find this info. However, if you have security (Configuring ArcGIS Server security—Documentation (10.4) | ArcGIS for Server ) and a proxy, you can prevent others from using the services within their own. Again, that might not be a concern, but something to keep in mind.
You may want to check out ArcGIS Security—Trust ArcGIS | ArcGIS since it has info on security for many of the products/platforms.
Also, just as a note, make sure your patches are up to date, including the one mentioned here:
if arcgis server services are not secure, one can simply hit up the Specific Port - side stepping the web adaptor and still get access to services.
Once you web tier auth, other than admin / manager, you must go through the web adaptor. or you will get a 403
also handy through the web adaptor is the manager / publisher accounts are auto logged in... no need for Digging up KeePass credentials.