Use reverse proxy with secured service on 10.4

1119
4
Jump to solution
08-06-2019 01:37 AM
NicoleSulzberger
Occasional Contributor

We are using a reverse proxy with ArcGIS Server 10.4. and a WebAdaptor.

The Proxy server sets the X-Forwarded Host, and we set the WebContextURL in the system properties. With this configuration, access to our MapService over the REST interface works well. 

"WebContextURL": "https://<external url to gis server>/<web adaptor name>"

But when I try to access these services with ArcMap (SOAP interface), ArcMap cannot login. In the response GetTokenServiceURLResponse of the service I can see that the TokenServiceURL property is wrong:

https://https/<web adaptor name>/tokens/ 

<?xml version="1.0" encoding="utf-8" ?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:tns="http://www.esri.com/schemas/ArcGIS/10.4"><soap:Body><tns:GetTokenServiceURLResponse>
<TokenServiceURL>https://https/<web adaptor name>/tokens/</TokenServiceURL></tns:GetTokenServiceURLResponse></soap:Body></soap:Envelope>

When I check the capabilities file of the WFS interface, I can see the same error in the url:

<ows:Operation name="GetCapabilities">
<ows:DCP>
<ows:HTTP>
<ows:Get xlink:href="https://https:/<web adaptor name>/services/public/<ServiceName>/MapServer/WFSServer?"/>
<ows:Post xlink:href="https://https:/<web adaptor name>/services/public/<ServiceName>/MapServer/WFSServer"/>
</ows:HTTP>
</ows:DCP>

I can fix the capabilities file with an external capabilities file if there is no other solution. But the problem with accessing protected services wont go away with that.

Without the X-Forwarded Host setting the REST interface did not work either, so I think this setting is fine like it is.

bye, Nicole

0 Kudos
1 Solution

Accepted Solutions
JeffSmith
Esri Contributor

Hi Nicole,

I would double-check the "X-Forwarded-Host" header being sent by your reverse proxy.  That should just be the fully-qualified domain name of your web server (ex reverseproxy.domain.com).  If that header includes the protocol "https://" as well, it won't work and would produce token service urls and GetCapabilities files similar to what you are seeing.

Jeff

View solution in original post

4 Replies
JeffSmith
Esri Contributor

Hi Nicole,

I would double-check the "X-Forwarded-Host" header being sent by your reverse proxy.  That should just be the fully-qualified domain name of your web server (ex reverseproxy.domain.com).  If that header includes the protocol "https://" as well, it won't work and would produce token service urls and GetCapabilities files similar to what you are seeing.

Jeff

NicoleSulzberger
Occasional Contributor

Hello Jeff

Thanks a lot, that solved my issue with the wrong Url in the GetTokenServiceURLResponse and in the WFS Capabilities file!

I can not use both MapService and WFSService in QGIS with Basic Authentication, only ArcMap / ArcCatalog are noth happy with it. When tracint the http requests I can now see that GetTokenServiceURLResponse returns the correct url to the token service:

https:///<external url to gis server>/<web adaptor name>/tokens/

But next it does a POST call to this Url and I get

{"error":{"code":401,"message":"You are not authorized to access this information","details":"Invalid credentials"}}

Is basic authentication not supported with ArcCatalog?

bye, Nicole

0 Kudos
JeffSmith
Esri Contributor

Hi Nicole,

Yes, both ArcMap and ArcCatalog should work fine with basic authentication.  Is ArcGIS Server configured to expect basic authentication (ie web-tier authentication)?  An easy check should be to access the rest/info page:

https://externalurl.domain.com/server_wa/rest/info

Under authentication information, one of the parameters is "Is Token Based Security".  Is this true or false? 

0 Kudos
NicoleSulzberger
Occasional Contributor

Hi Jeff

Thanks a lot for the hint! When checking https://externalurl.domain.com/server_wa/rest/info I have seen that token based security was enabled. As I was trying a lot of things on the ArcGIS Server experiencing the issue with basic authentication I have enabled security on the ArcGIS Server "by mistake". We dont need this as all our services are public.

I have now disabled security again by:

- Stopping ArcGIS Windows Service

- edit .\arcgisserver\config-store\security\security-config.json, set  "securityEnabled": false,

- restart ArcGIS Server Windows services

problem to Disable the security in server.dat file - Geographic Information Systems Stack Exchange 

I guess I could have used the REST interface to do that?

Now it works as expected. On my web adaptor in IIS I have enabled Windows authentication, so the users are challenged for user name and password, but after logging in they can use all sevices.

bye, Nicole

 

0 Kudos