I have several web apps in portal which have secured REST endpoints in them. It will prompt the user for their Windows username and password. If they are authorized to see the REST endpoints then the map opens with those layers. If they are not then it either keeps prompting them for their username and password, or shows the basemap and has an endless spinning load icon. Is there a way to redirect to a URL which will tell the user they are not authorized to see the map layers if their username/password will not authorize them to open the REST endpoints for the Portal Web App?
I've been working countless hours on the phone with ESRI to get this fixed. I'm sure by now my name is now on a wall in their support office for being an obnoxious user. I have another screen share in a few hours with a senior analyst to try and resolve. I tried to add a redirect on my portal website when a 401 error was thrown (that seems to be the error when it doesn't authenticate), but it won't show the custom error page. I tried the error page as well on my ArcGIS Server server where they are unable to get to the REST endpoint, but it won't show up. So frustrating. I can't have a user just see a blank map. There needs to be something concrete telling them they can't access the services and who to call to get authorization. It looks like 10.3.1 will be out this week or next so I'm hoping they've fixed it there, but I'm not hopeful. Just thought I'd throw it out to the masses to see if someone had come up with a solution.
OK, just got off the phone with ESRI. You have to create a proxy. They said that is out of the scope of what they are doing. I don't agree with that, but that's my opinion. I guess having a blank map with no data and no way for the user to understand that they are not authorized is their solution. I'm going to work on setting up a proxy, but if that will not work I'm going to just put a big label at the top of the Web App saying if you don't see data you are not authorized and give them our help desk number.
I haven't tried this with my ArcGIS Server REST endpoints, but for several other directories, it is often possible to catch the authentication upstream at the web server. I've only done this myself with Apache httpd and Nginx web servers; from your question I infer that you might be using MS IIS web server and Active Directory authentication, which I've not configured in this way.
In terms of tracking down relevant documentation, I believe that the suggestion was actually to create a Reverse Proxy. In that case, your users navigate to a URI somewhere in a directory path under, say, http://sonomacounty.ca.gov/ and all requests that the web server receives at, say /coolmap/services would be forwarded to a specific server and port like http://gis1:6080/arcgis/rest/services, and all responses from your ArcGIS Server instance would be returned to the requestor appearing to come from http://sonomacounty.ca.gov/coolmap/services
If you're using IIS and being asked to set up a reverse proxy, your web content administrator may have useful knowledge about how to set that up and then secure the /coolmap/services path using Active Directory authentication. To keep the services secured, you could even configure ArcGIS Server to only accept non-administrative connections that are forwarded from the web server acting as reverse proxy, so that only the (secured) front door is open, and people can't just paste a URL direct to your "gis1" server.
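The reverse-proxy layout described above, sketched for nginx as an added example; it is not configuration posted by anyone in this thread or supplied by Esri. It reuses the thread's sample paths, and it assumes HTTP Basic authentication as a stand-in for the Active Directory setup, with the certificate, htpasswd and error-page paths as placeholders.

```nginx
# Added example: nginx as the authenticated front door for the thread's sample paths.
# Assumptions: Basic auth stands in for Active Directory; all file paths are placeholders.
server {
    listen 443 ssl;                                    # Basic auth should only travel over TLS
    server_name sonomacounty.ca.gov;
    ssl_certificate     /etc/nginx/tls/example.crt;    # placeholder
    ssl_certificate_key /etc/nginx/tls/example.key;    # placeholder

    # Page that tells the user they are not authorized and whom to call.
    error_page 401 403 /not-authorized.html;
    location = /not-authorized.html {
        root /var/www/errors;                          # placeholder directory
        internal;                                      # served only via error_page
    }

    location /coolmap/services/ {
        # Authentication happens here, before anything reaches the GIS server.
        auth_basic           "GIS services";
        auth_basic_user_file /etc/nginx/gis.htpasswd;  # placeholder

        # Forward to the internal ArcGIS Server REST directory.
        proxy_pass http://gis1:6080/arcgis/rest/services/;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # If the backend itself answers 401/403, show the same page
        # instead of passing its response through.
        proxy_intercept_errors on;
    }
}
```

The 401 response still carries the authentication challenge, so the browser prompts first and displays the page body once the user cancels or gives up.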
Thanks Brian, I was hoping someone would have pity on me. I've already started talking with my network team about getting this set up.
Thanks for the suggestions.