Windows Authentication ArcGIS Enterprise

12-09-2018 08:02 PM
GillPaterson
New Contributor III

We have integrated Active Directory as web tier authentication with Portal; this has given us single sign-on with Portal. Great! We also have services being accessed through REST. From the articles we have read, we understood that the requirement for authentication would flow through to server; however, we can access service > execute task anonymously. Is this a bug or have we missed something?

Our architecture:

Load Balancer = https://gis.xxx.xxx

- Machine 1: Web Adaptor/ Portal (gisportal - IIS authentication set to Windows Auth only, Anon Access disabled)

- Machine 2: Web Adaptor/ Portal (gisportal - IIS authentication set to Windows Auth only, Anon Access disabled)

- Machine 3: ArcGIS Server (gissite)

- Machine 4: ArcGIS Server (gissite)

https://gis.xxx.xxx/gisportal/home - Pop up for Windows Authentication works and authenticates correctly. Users can access content shared to them.

https://gis.xxx.xxx/gissite/rest/services - This home (first) level can be accessed without authentication. Clicking on a folder to move to the next level down prompts an authentication pop up.

https://gis.xxx.xxx/gissite/rest/services/folder/name/server/layer - This last level can be accessed without authentication and the function returns a result, without authentication.

Any help is welcome, hopefully we haven't grossly misunderstood the docs.

Thanks

0 Kudos
2 Replies
DanielCota1
Occasional Contributor

Hi Gill Paterson,

It sounds like you have everything set up correctly. Is that behavior seen with every service endpoint that you try to go to? Or is it only for a select few? Either way, I wanted to ask if those services are shared with Everyone. If so, they will not prompt for authentication. If a service's sharing properties are set to the Portal or individual groups, then the service should not be able to be accessed anonymously and will require a user to sign in.

Perhaps in your example above, the folder you clicked on contains some services that are shared with the Portal only and some public. If this is the case, or if the entire folder is secured, then a prompt for authentication would be expected.

Please see if you can double check this.

0 Kudos
GillPaterson
New Contributor III

Thanks Daniel! I wasn't expecting that behaviour. I guess I had assumed that once we enabled Windows authentication, the services shared with 'everyone' became the equivalent of those shared with the organisation, that all services required a user to provide login details no matter what the sharing properties were (with services assigned to groups restricted to select users) and that there was no anonymous access at all. Assigning the service we were testing to a group enforced the login procedure to reach the endpoint. Thanks for the reply.

0 Kudos
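An added example, not part of the original thread and not Esri code: the thread shows that a login prompt on a folder says nothing about the services inside it, so this sketch requests each known service endpoint with no credentials and reports which ones still answer. The host `gis.example.com`, the service paths and the sample replies are constructed, and treating HTTP 401/403 or JSON error codes 498/499 as "sign-in required" is an assumption about how the site responds.

```python
import json
import urllib.error
import urllib.request

# Assumption: 498/499 are the ArcGIS "invalid token"/"token required" JSON codes.
AUTH_ERROR_CODES = {401, 403, 498, 499}

def classify(status, body):
    """Return 'anonymous', 'auth-required' or 'unknown' for one unauthenticated reply."""
    if status in (401, 403):           # web-tier (IIS) challenge or refusal
        return "auth-required"
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):    # HTML error page, empty body, etc.
        return "unknown"
    if not isinstance(doc, dict):
        return "unknown"
    err = doc.get("error")
    if err is None:                    # real service metadata came back
        return "anonymous" if status == 200 else "unknown"
    code = err.get("code") if isinstance(err, dict) else None
    return "auth-required" if code in AUTH_ERROR_CODES else "unknown"

def http_fetch(url):
    """Unauthenticated GET of url?f=json; returns (status, body) even on HTTP errors."""
    try:
        with urllib.request.urlopen(url + "?f=json", timeout=10) as r:
            return r.status, r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")

def audit(base, service_paths, fetch=http_fetch):
    """Check every path from your own service inventory; do not rely on folder listings."""
    return {p: classify(*fetch(f"{base}/rest/services/{p}")) for p in service_paths}

# Constructed replies: the folder prompts, yet one service in it is shared with Everyone.
SAMPLE = {
    "Planning": (401, ""),
    "Planning/Parcels/MapServer": (200, '{"mapName": "Parcels", "layers": []}'),
    "Planning/Zoning/MapServer": (200, '{"error": {"code": 499, "message": "Token Required", "details": []}}'),
}

def sample_fetch(url):
    """Offline stand-in for http_fetch that serves the constructed replies."""
    return SAMPLE[url.split("/rest/services/", 1)[1]]

if __name__ == "__main__":
    report = audit("https://gis.example.com/gissite", SAMPLE, sample_fetch)
    for path, verdict in report.items():
        print(f"{verdict:14} {path}")
```

Any path reported as `anonymous` is a candidate for changing its sharing from Everyone to the organisation or a group.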