
How to handle secured services for some users

04-11-2012 04:47 AM
TurbinJ
Emerging Contributor
I started a new project and for now I only have a test environment on my local computer with ArcGIS Server 10.

I have some secure services, and some users are allowed to view them and some are not. The security is set to Windows integrated authentication.
The challenge is that all users must use the same homepage. This page will load all services, and the goal is that only the services a user is allowed to view will be visible for that user.

I thought I could handle this by just catching error 401.2 from IIS when a user is denied, but it doesn't seem to work, although I can see through a debugging tool that the error is being fired.

Something like this
try {
    Mylayer = new esri.layers.ArcGISDynamicMapServiceLayer("http://Myserver/ArcGIS/rest/services/test/Mylayer/MapServer");
    map.addLayer(Mylayer);
} catch (err) {
    // Mark up that the service is not loaded and just smoothly go on
}

My second problem is that the layer is loaded even though I, as a user, shouldn't have access to it. My username is not in the group that has access to it, and the 401 error is correctly fired.

So first, I need opinions on whether it is a good idea in the first place to try to load all services even if a user is only authenticated to some. Is this an OK approach?

And secondly, does anyone have an idea what's going on with my user accessing the secured layer even though 401 is fired? (Does it have to do with me doing this on my local computer?)

Hope someone here can help.
0 Kudos
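The approach asked about in the post above (try every service, show only those the server lets this user read), as an added example that is not part of the original thread or Esri's code: each service's REST endpoint is probed first and the result is handled asynchronously, which is where a 401 actually surfaces. `classifyProbe`, `findPermittedServices`, the injected `httpGet` and the `Open` service URL are hypothetical; the sample responses are constructed.

```javascript
// Added example, not from the thread. classifyProbe, findPermittedServices,
// the injected httpGet and the "Open" service URL are hypothetical.

// IIS answers a denied Windows-auth request with HTTP 401; ArcGIS REST can
// also report an error inside a JSON body, so the body code wins if present.
function classifyProbe(status, body) {
  const code = body && body.error ? body.error.code : status;
  if (code === 401 || code === 403) return "denied";
  if (typeof code !== "number" || code < 200 || code >= 300) return "unavailable";
  return "allowed";
}

async function defaultHttpGet(url) {
  // credentials: "include" lets the browser send the signed-in identity.
  const res = await fetch(url, { credentials: "include" });
  let body = null;
  try { body = await res.json(); } catch (e) { /* a 401 page is HTML, not JSON */ }
  return { status: res.status, body };
}

async function findPermittedServices(serviceUrls, httpGet = defaultHttpGet) {
  const results = await Promise.all(serviceUrls.map(async (url) => {
    try {
      const { status, body } = await httpGet(url + "?f=json");
      return { url, access: classifyProbe(status, body) };
    } catch (err) {
      // The failure arrives here asynchronously; a try/catch wrapped around
      // a layer constructor has already exited by the time the HTTP reply lands.
      return { url, access: "unavailable" };
    }
  }));
  return {
    allowed: results.filter((r) => r.access === "allowed").map((r) => r.url),
    skipped: results.filter((r) => r.access !== "allowed"),
  };
}

// Constructed sample responses standing in for the server (not real output).
const BASE = "http://Myserver/ArcGIS/rest/services/test/";
const SAMPLE = {
  [BASE + "Mylayer/MapServer?f=json"]: { status: 401, body: null },
  [BASE + "Open/MapServer?f=json"]: { status: 200, body: { mapName: "Layers" } },
};
const sampleGet = async (url) => SAMPLE[url];

findPermittedServices([BASE + "Mylayer/MapServer", BASE + "Open/MapServer"], sampleGet)
  .then(({ allowed, skipped }) => console.log("add to map:", allowed, "skip:", skipped));
```

Only the URLs in `allowed` would then be handed to the layer constructor; the per-service group permissions on the server remain the access control, and the page only decides what to draw.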
2 Replies
danbecker
Frequent Contributor
"from the same homepage" - are you creating a custom login page to view /rest/services ?

In manager, under security/settings, do you have security enabled?
On the same page, under security stores, have you configured the server to use windows auth?
In manager, for each service, have you selected the padlock icon and configured windows groups for each service?
In IIS manager, arcgis/rest, arcgis/security do you have an auth. method selected "basic auth", "digest", etc.?

I went through quite the hassle getting service auth. properly set up on our server a month ago. When using windows auth, I would get presented with a login window when visiting http://isnt/arcgis/services/rest, but I could not login with valid username/pw. I almost pulled my hair out.

The problem was that the GIS server was also a domain controller, and when specifying windows groups for the service security (padlock icon) I was adding groups from the 'local computer', not from the 'domain'. After the group was added from the domain, all was well!!

If I were you, I'd save myself a lot of headache and set up SQL database auth. Best part is that users/roles can be added/deleted from manager, so you don't have to remote into the GIS server and mess with windows users/groups; which in my case was complicated given my lack of knowledge of winblows, and Active Directory.
0 Kudos
TurbinJ
Emerging Contributor
Hi dBecker88!

Thanks for your reply! 🙂

We will use single sign-on so the user doesn't have to log in. But they will all use the same webpage for viewing the services.

I have security enabled and the server is configured for Windows authentication. And I have set for each service which group can access it.
In IIS, for arcgis/rest and arcgis/security, I have chosen Windows authentication.

It really sounds like a hard time you had with Windows auth. Unfortunately I am not allowed to use SQL Server and must stick to Windows groups.
I will absolutely check how the users are added so I don't get the same problems as you did.

Do you have "mixed" security in your webpage, that is, do you also call services that you know some users will be denied, as well as allowed services?

0 Kudos