ArcGIS Portal - Redirect if user is not authorized to see REST Endpoint in webapp

I've been working countless hours on the phone with ESRI to get this fixed. I'm sure by  now my name is now on a wall in their support office for being an obnoxious user.  I have another screen share in a few hours with a senior analyst to try and resolve. I tried to add a redirect on my portal website when a 401 error was thrown (that seems to be the error when it doesn't authenticate), but it wont' show the custom error page.  I try the error page as well on my ArcGIS server server where they are unable to get to the REST endpoint, but it won't show up.  So frustrating. I can't have a user just see a blank map.  There needs to be something concrete telling them they can't access the services and who to call to get authorization. It looks like 10.3.1 will be out this week or next so I'm hoping they've fixed it there, but I'm not hopeful. Just thought I'd throw it out to the masses to see if someone had come up with a solution.

Thanks

Mich

Ok just got off the phone with ESRI. YOu have to create a proxy. They said that is out of the scope of what they are doing. I don't agree with that, but that's my opinion. I guess have a blank map with no data and no way for the user to understand that they are not authorized is their solution. I'm going to work on setting up a proxy, but if that will not work I'm going to just put a big label at the top of the WEB App saying if you don't see data you are not authorized and give them our help desk number.

Hi Michelle,

I haven't tried this with my ArcGIS Server REST endpoints, but for several other directories, it is often possible to catch the authentication upstream at the web server.  I've only done this myself with Apache httpd and Nginx web servers; from your question I infer that you might be using MS IIS web server and Active Directory authentication, which I've not configured in this way.

In terms of tracking down relevant documentation, I believe that the suggestion was actually to create a Reverse Proxy.  In that case, your users navigate to a URI somewhere in a directory path under, say, http://sonomacounty.ca.gov/  and all requests that the web server receives at, say  /coolmap/services would be forwarded to a specific server and port like http://gis1:6080/arcgis/rest/services, and all responses from your ArcGIS Server instance would be returned to the requestor appearing to come from http://sonomacounty.ca.gov/coolmap/services 

If you're using IIS and being asked to set up a reverse proxy, your web content administrator may have useful knowledge about how to set that up and then secure the /coolmap/services path using Active Directory authentication.  To keep the services secured, you could even configure ArcGIS Server to only accept non-administrative connections that are forwarded from the web server acting as reverse proxy, so that only the (secured) front door is open, and people can't just paste a URL direct to your "gis1" server.

-=Brian Quinn

Thanks Brian, I was hoping someone who have pity  on me. I've already started talking with my network team about getting this setup.

Thanks for the suggestions.

Michelle 🙂