We are using a reverse proxy with ArcGIS Server 10.4 and a WebAdaptor.
The Proxy server sets the X-Forwarded Host, and we set the WebContextURL in the system properties. With this configuration, access to our MapService over the REST interface works well.
"WebContextURL": "https://<external url to gis server>/<web adaptor name>"
But when I try to access these services with ArcMap (SOAP interface), ArcMap cannot log in. In the response GetTokenServiceURLResponse of the service I can see that the TokenServiceURL property is wrong:
https://https/<web adaptor name>/tokens/
<?xml version="1.0" encoding="utf-8" ?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:tns="http://www.esri.com/schemas/ArcGIS/10.4"><soap:Body><tns:GetTokenServiceURLResponse>
<TokenServiceURL>https://https/<web adaptor name>/tokens/</TokenServiceURL></tns:GetTokenServiceURLResponse></soap:Body></soap:Envelope>
When I check the capabilities file of the WFS interface, I can see the same error in the url:
I can fix the capabilities file with an external capabilities file if there is no other solution. But the problem with accessing protected services won't go away with that.
Without the X-Forwarded Host setting the REST interface did not work either, so I think this setting is fine like it is.
bye, Nicole
Hi Nicole,
I would double-check the "X-Forwarded-Host" header being sent by your reverse proxy. That should just be the fully-qualified domain name of your web server (ex reverseproxy.domain.com). If that header includes the protocol "https://" as well, it won't work and would produce token service urls and GetCapabilities files similar to what you are seeing.
Jeff
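The check described in the answer above, as an added example that is not part of the original thread and not Esri code: it validates an X-Forwarded-Host value and confirms that the TokenServiceURL in a GetTokenServiceURLResponse points at the expected external host. The host name `externalurl.domain.com`, the web adaptor name `server_wa`, the function names and the sample response are constructed for illustration, and a single-valued header is assumed.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# A DNS label, then a host made of labels with an optional port (no scheme, no path).
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOST_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})*(?::\d{{1,5}})?$")

def check_forwarded_host(value):
    """Return a list of problems with an X-Forwarded-Host value (empty list = OK)."""
    problems = []
    if "://" in value:
        problems.append("contains a protocol prefix")
    if "/" in value.split("://", 1)[-1]:
        problems.append("contains a path")
    if not problems and not HOST_RE.match(value.strip()):
        problems.append("not a plain host name")
    return problems

def token_service_host(soap_xml):
    """Extract the host part of TokenServiceURL from a GetTokenServiceURLResponse."""
    root = ET.fromstring(soap_xml)
    node = next((e for e in root.iter()
                 if e.tag.split("}")[-1] == "TokenServiceURL"), None)
    if node is None or not node.text:
        raise ValueError("no TokenServiceURL element in response")
    return urlsplit(node.text.strip()).hostname

def audit(header_value, soap_xml, expected_host):
    """Combine both checks; returns every problem found."""
    problems = check_forwarded_host(header_value)
    host = token_service_host(soap_xml)
    if host != expected_host.lower():
        problems.append(f"TokenServiceURL host is {host!r}, expected {expected_host!r}")
    return problems

def sample_response(url):
    # Constructed sample shaped like the SOAP response quoted in the question.
    return ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" '
            'xmlns:tns="http://www.esri.com/schemas/ArcGIS/10.4"><soap:Body>'
            '<tns:GetTokenServiceURLResponse><TokenServiceURL>' + url +
            '</TokenServiceURL></tns:GetTokenServiceURLResponse>'
            '</soap:Body></soap:Envelope>')

if __name__ == "__main__":
    bad = audit("https://externalurl.domain.com",
                sample_response("https://https/server_wa/tokens/"),
                "externalurl.domain.com")
    good = audit("externalurl.domain.com",
                 sample_response("https://externalurl.domain.com/server_wa/tokens/"),
                 "externalurl.domain.com")
    print("misconfigured proxy:", bad)
    print("corrected proxy:", good)
```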
Hello Jeff
Thanks a lot, that solved my issue with the wrong Url in the GetTokenServiceURLResponse and in the WFS Capabilities file!
I can not use both MapService and WFSService in QGIS with Basic Authentication, only ArcMap / ArcCatalog are not happy with it. When tracing the http requests I can now see that GetTokenServiceURLResponse returns the correct url to the token service:
https:///<external url to gis server>/<web adaptor name>/tokens/
But next it does a POST call to this Url and I get
{"error":{"code":401,"message":"You are not authorized to access this information","details":"Invalid credentials"}}
Is basic authentication not supported with ArcCatalog?
bye, Nicole
Hi Nicole,
Yes, both ArcMap and ArcCatalog should work fine with basic authentication. Is ArcGIS Server configured to expect basic authentication (ie web-tier authentication)? An easy check should be to access the rest/info page:
https://externalurl.domain.com/server_wa/rest/info
Under authentication information, one of the parameters is "Is Token Based Security". Is this true or false?
Hi Jeff
Thanks a lot for the hint! When checking https://externalurl.domain.com/server_wa/rest/info I have seen that token based security was enabled. As I was trying a lot of things on the ArcGIS Server experiencing the issue with basic authentication I have enabled security on the ArcGIS Server "by mistake". We don't need this as all our services are public.
I have now disabled security again by:
- Stopping ArcGIS Windows Service
- edit .\arcgisserver\config-store\security\security-config.json, set "securityEnabled": false,
- restart ArcGIS Server Windows services
problem to Disable the security in server.dat file - Geographic Information Systems Stack Exchange
I guess I could have used the REST interface to do that?
Now it works as expected. On my web adaptor in IIS I have enabled Windows authentication, so the users are challenged for user name and password, but after logging in they can use all services.
bye, Nicole