ArcGIS Portal - Redirect if user is not authorized to see REST Endpoint in webapp

3922
5
Jump to solution
05-07-2015 08:27 AM
MichelleMestrovich1
New Contributor III

I have several web apps in portal which have secured REST endpoints in them.  It will prompt the user for their windows username and password. If they are authorized to see the REST endpoints then the map opens with those layers.  If they are not then it either keeps prompting them for their username and password, or shows the basemap and  has an endless spinning load icon. Is there a way to redirect to url which will tell the user then are not authorized to see the map layers if their username/password will not authorize them to open the REST end points for the Portal Web App.


Thanks

Michelle

0 Kudos
1 Solution

Accepted Solutions
RobertScheitlin__GISP
MVP Esteemed Contributor

Michelle,

   Have you called esri Tech Support and check if it is logged as a bug?

View solution in original post

5 Replies
RobertScheitlin__GISP
MVP Esteemed Contributor

Michelle,

   Have you called esri Tech Support and check if it is logged as a bug?

MichelleMestrovich1
New Contributor III

I've been working countless hours on the phone with ESRI to get this fixed. I'm sure by  now my name is now on a wall in their support office for being an obnoxious user.  I have another screen share in a few hours with a senior analyst to try and resolve. I tried to add a redirect on my portal website when a 401 error was thrown (that seems to be the error when it doesn't authenticate), but it wont' show the custom error page.  I try the error page as well on my ArcGIS server server where they are unable to get to the REST endpoint, but it won't show up.  So frustrating. I can't have a user just see a blank map.  There needs to be something concrete telling them they can't access the services and who to call to get authorization. It looks like 10.3.1 will be out this week or next so I'm hoping they've fixed it there, but I'm not hopeful. Just thought I'd throw it out to the masses to see if someone had come up with a solution.

Thanks

Mich

0 Kudos
MichelleMestrovich1
New Contributor III

Ok just got off the phone with ESRI. YOu have to create a proxy. They said that is out of the scope of what they are doing. I don't agree with that, but that's my opinion. I guess have a blank map with no data and no way for the user to understand that they are not authorized is their solution. I'm going to work on setting up a proxy, but if that will not work I'm going to just put a big label at the top of the WEB App saying if you don't see data you are not authorized and give them our help desk number.

BrianQuinn
New Contributor III

Hi Michelle,

I haven't tried this with my ArcGIS Server REST endpoints, but for several other directories, it is often possible to catch the authentication upstream at the web server.  I've only done this myself with Apache httpd and Nginx web servers; from your question I infer that you might be using MS IIS web server and Active Directory authentication, which I've not configured in this way.

In terms of tracking down relevant documentation, I believe that the suggestion was actually to create a Reverse Proxy.  In that case, your users navigate to a URI somewhere in a directory path under, say, http://sonomacounty.ca.gov/  and all requests that the web server receives at, say  /coolmap/services would be forwarded to a specific server and port like http://gis1:6080/arcgis/rest/services, and all responses from your ArcGIS Server instance would be returned to the requestor appearing to come from http://sonomacounty.ca.gov/coolmap/services 

If you're using IIS and being asked to set up a reverse proxy, your web content administrator may have useful knowledge about how to set that up and then secure the /coolmap/services path using Active Directory authentication.  To keep the services secured, you could even configure ArcGIS Server to only accept non-administrative connections that are forwarded from the web server acting as reverse proxy, so that only the (secured) front door is open, and people can't just paste a URL direct to your "gis1" server.

-=Brian Quinn

MichelleMestrovich1
New Contributor III

Thanks Brian, I was hoping someone who have pity  on me. I've already started talking with my network team about getting this setup.

Thanks for the suggestions.

Michelle :)

0 Kudos