I assume that you are developing an application based on one of the web APIs such as JavaScript, Flex, or Silverlight. In this case you have to handle security. There are 2 choices here:
1) Client software gets a token from the server and passes that token to the various client APIs when accessing services. In this case the "login page" is in the client software.
2) Design a web application, e.g. ASP.NET, which is essentially a proxy. The proxy authenticates users and has a login page. When a request comes from an authenticated client, it appends the token to the request and then forwards it.
I'm using ArcGIS Server 10.2.2. I'm seeing the same thing as Carolyn and Jay. Using .../MapServer?token=mytoken takes me to the login page. I then need to login to see the Service.
Why are there two places to generate a token?:
https://MyDomain/arcgis/admin/generatetoken
https://MyDomain/arcgis/tokens/
I can only get the 'admin' one to work for us when using it through the Internet. Both seem to work locally. Any thoughts, ESRI. How do we 'test'.
You should be able to generate the token from the Get Token URL on the http://mydomain/arcgis/rest/services/ page. Upper right corner next to Login.
I normally use Request IP for the Client parameter. If you have the credentials correct, you should see a long alpha-numeric string of characters, the token.
In your browser, after appending that to your service endpoint url using ?token=, where it used to say Login, you should now see "Logged in " along with the domain\username of the credentials you used to get the token.
If you have any secured services, and the account you used for the token has access to those secured services, you should now be able to see them listed in the folders.
If not, you might have some things left to configure.
Using https can be especially troublesome if you don't have the certificate/domain name configured correctly, or if you are entering them in an manner that is not consistent with your certificate.
Okay, now it's working if I choose 'Request IP' (I was selecting 'HTTP referer' before). Not sure why it doesn't work for 'HTTP referer'. Thanks for the hint, that gets me a little farther.