401 - Unauthorized: Access is denied due to invalid credentials

9819
7
12-05-2016 10:44 PM
simoxu
by MVP Regular Contributor
MVP Regular Contributor

Hello friends,

I am using Query widget, one of the queries does not work and prompt credential issues when the service used in the query has joined tables. If there are no joins in the service, the query works fine.

I published the service on our ArcGIS server which is federated with the ArcGIS portal. and I shared the service to everyone in my organization.

Please see the attachment for the problem, seemingly a proxy issue, but it actually has something to do with the join as well.

Any ideas for what is happening?

Thanks.

Tags (1)
0 Kudos
7 Replies
simoxu
by MVP Regular Contributor
MVP Regular Contributor

Update:

When I Enabled the Anonymous Authentication for the Web adapter, it started working!

So, what was the cause? the proxy app (dot Net version) can't pass on the windows authentication??

Any ideas are welcome.

0 Kudos
DerekLaw
Esri Esteemed Contributor

Hi Simo,

There are many possible causes for the security error you're encountering. Some things you may want to look into:

  • Have you tried to run Fiddler (or something similar) to log the network traffic when you encounter the 401 error when trying to query the feature service with joined table? Do you see any error messages?
  • What type of security has been configured on your Portal for ArcGIS? Built-in? IWA? SAML?
  • Have you enabled anonymous access to your Portal?
  • Does your web app require a login to access? If so, does that user have the appropriate permissions to the data being queried?
  • In your 2nd post, when you say you enabled Anonymous Authentication for a web adaptor, which one? For the GIS Server? For Portal?
  • Try accessing the feature service with the joined data in the Portal map viewer, can you see the data contents?

Hope this helps,

simoxu
by MVP Regular Contributor
MVP Regular Contributor

Hi Darek,

to answer your questions:

  • Have you tried to run Fiddler (or something similar) to log the network traffic when you encounter the 401 error when trying to query the feature service with joined table? Do you see any error messages?

Yes, I'v used Fiddler and Chrome Developer tools to monitor the traffic, same result: 401 error, invalid credentials. but this only happens when I have joined tables in the service, and only in this circumstance, Web Appbuilder will use proxy:

https://localhost:3344/proxy.js? url_for_query

  • What type of security has been configured on your Portal for ArcGIS? Built-in? IWA? SAML?

It's IWA

  • Have you enabled anonymous access to your Portal?

Yes. the boxes are ticked for "Allow anonymous access to your portal" and "Allow access to the portal through HTTPS only"

  • Does your web app require a login to access? If so, does that user have the appropriate permissions to the data being queried?

No, the application does not require a login, and the services are not secured.

  • In your 2nd post, when you say you enabled Anonymous Authentication for a web adaptor, which one? For the GIS Server? For Portal?

The web adaptor for the GIS server.

  • Try accessing the feature service with the joined data in the Portal map viewer, can you see the data contents?

 I can access the service from Portal map viewer. and if I copy the URL after the proxy.js and past it in the address bar of a browser, let's say Chrome or IE, the query works.

So, I still strongly suspect the Web Appbuilder proxy.js can't handle the IWA and properly pass on the right credential to the GIS server while IE or Chrome can.

Please be aware that the GIS server is federated with Portal, this may affect its authentication mechanism.

Thank you for your attention to this question, look forward to more advice from you.

Cheers,

Simo

0 Kudos
DerekLaw
Esri Esteemed Contributor

Hi Simo,

What release of Portal for ArcGIS are you using? We've had a couple of issues reported related to using Web AppBuilder for ArcGIS with Portal 10.3 and IWA authentication.

Can you please contact Esri Tech Support so they can help you investigate the issue in more detail.

Hope this helps,

0 Kudos
simoxu
by MVP Regular Contributor
MVP Regular Contributor

OK, thanks.

We are using  Portal 10.4.

0 Kudos
DonWaldo
New Contributor II

@ Derek Law We are running into an issue with Portal 10.5 and Windows Auth. The token endpoint options are secured, so you get an access denied error when hitting these from code or from the proxy. If I login with my Windows credentials, I can get to the endpoint. The proxy doesn't seem to use credentials when trying to get to the endpoint. 

https://server.domain.com/aswa/sharing/generateToken  <-- This is protected by windows Auth per documentation for setting up IWA Securing web services with Integrated Windows Authentication—ArcGIS Web Adaptor (IIS) Installation G... 

I've tried several things. In the proxy I've tried both App-Login, as well as User-Login.

Below are two snippets from the proxy, take these with a grain of salt, I've tried several variations and the latest code from github. It all seems to boil down to IWA blocking access to the get tokens.

<serverUrl               url="https://server.domain.com/aswa/rest/services/"               clientId="abc123"               clientSecret="99999999"               matchAll="true"/>

<serverUrl          url="https://server.domain.com/aswa/rest/services/"          tokenServiceUri="https://server.domain.com/aswa/tokens/"          username="uname"          password="password"          matchAll="true"          />

This seems like a common configuration scenario. Do we have something mis-configured, or is there a known issue? 

0 Kudos
LeoLadefian3
New Contributor III

having this issue as well, my portal is secure so enabling anonymous authentication is not an option.  401 error on basemap ago_downloaded.png

0 Kudos