Select to view content in your preferred language

Secure SSL services in Web App builder failing.

10141
17
07-25-2015 05:24 PM
MichaelRobb
Honored Contributor

Hi

What I want:

Have a Secure Service on ArcGIS Server and add it to Web app builder ultimately in a web service where that little prompt comes up. (Easy right?)

This process has no issue if NOT SSL.

1.     http://MACHINE:6080/arcgis/rest/services/TEST/TEST/MapServer

2.     Create New Web Map

3.     Web Map prompts user for credentials for the secure service

4.     Save Web Map

5.     Create Web App   .. the prompt again appears when loading

Now... I want SSL so...

on IIS, I create a Redirect for all HTTP traffic to go HTTPS (443).

1.  Server admin >> changed to HTTPS only

2.  Change Portal to SSL

3.  Create new Web Map

4     Web Map prompts user for credentials for the secure service  - SO far this looks promising

5.   Save Web Map

6.  Create Web APP -  and..... no layers...

same thing happens both with ONLINE and Portal.

How does one properly have Secure Map Services from ArcGIS Server show up in a web application HTTPS only??

I have tried going through the web adaptor...

I have tried HTTP and HTTPS blend

I have tried all kinds of things... I can only seem to get this to work with HTTP.

Has no problem using ?jsapi from ArcGIS Server to push the prompt..

Why does Web APP BUILDER NOT SHOW THIS when using HTTPS?

IT works as expected with HTTP...

This.png

0 Kudos
17 Replies
MichaelRobb
Honored Contributor

not a cert issue.. still have issue regardless of being EV trusted now

0 Kudos
JonathanQuinn
Esri Notable Contributor

By default, ArcGIS Server has a self signed certificate on port 6443.  I secured the SampleWorldCities service using GIS Tier authentication and built-in users and roles, and added it to a webmap.  I created a web app from the webmap using the web app builder, shared it with everyone, and when I opened the web app, I was prompted to sign in.  I believe what Qun is saying is valid, as my self signed certificate for my Server had already been trusted by my browser.  I opened the web app up in IE on a separate machine that didn't trust my certificate and it first asked for me to trust the cert, and once I did, I could refresh the browser and it prompted me to sign in.  Typically, we don't see people exposing 6443 or 6080 to the public, see the diagram at this link.  Instead, you have that port sitting behind your DMZ with the web adaptor or another reverse proxy in the DMZ.

0 Kudos
MichaelRobb
Honored Contributor

Yes, I only exposed 6443 to try to determine why I could not get this to work by simplifying things and  Bypassing the Web adaptor. Reason is IIS has a Redirect in place to redirect to HTTPS (URL Rewrite installed).  I was and still not sure if having a redirect was causing issues on the gis.arrayis/ca/arcgis/home or the server gis.arrayis.ca/arcgis/rest/services....

by GIS Tier I am guessing you mean GIS_SERVER ?

0 Kudos
MichaelRobb
Honored Contributor

Now have EV SSL from Comodo.

Create web map via Portal - Prompt for Secure web service from ArcGIS Server - prompt shows up

Create Web APP via Portal - FAILS - no prompt from the above web map (F12 only shows 'invalid Token' - um okay, where is my prompt?  No prompt... as stated original post

Same process via ONLINE - web map - WORKS - I get the secure service prompt

Web APP - IT WORKS! I get the prompt!

Is there something wrong with my Portal?

0 Kudos
JonathanQuinn
Esri Notable Contributor

Is your Portal and Server federated?  Are they on separate machines, or are they accessed via the same host?  If they're unfederated, it may be that it's using a Portal token and appending it to the service URL, which is why you may see a token appended to the service URL and the "invalid token" error.  There have been a few bugs logged for that behavior.  The workarounds for that behavior are to federate Portal and Server or make sure that they're accessed via separate FQDN's.

0 Kudos
MichaelRobb
Honored Contributor

Oh my.

No Not Federated.

Portal and ArcGIS Server are on same server machine...

0 Kudos
NickAlexandrou1
Deactivated User

I'm running into the same issue. Create the web map, our Windows Domain login credentials request pops up and everything works fine.

Try and consume the web map into a web application, no prompt, no data.

I'm getting with our IT department now who set up our DMZ and Web Adaptor so we can look at the certificate that is being used as I suspect that is the root of my problems.

Once you got yours fixed, when an end user opened the web application, it would prompt them to put in their Enterprise login to continue? Man that's sweet... I'm hoping to get to this point soon.

Were there any other obstacles that came about?

0 Kudos
MichaelRobb
Honored Contributor

I've come a long way since.

Certs are handled by the following:  IIS Requires a valid cert.   ArcGIS Server also  ROOT/Intermediate and a signed cert. (to be proper but not mandatory)  there is a whole process to create the CSR, then upload the signed cert from that CSR     under admin>> machine>> [machine name] >>  SSLCertificates    create a cert or use self signed.  Generate CSR ... Import SignedCert once your organization has given back .cer    Import Intermediate / Root/   then   EDIT machine to use new Web Server SSL Cert  under server machine properties.

you can also replace the two self generated certs for WABde with signed certs. (another strange process).

As far as what had happened for this posting, id have to go back to my notes.. was some time ago.

I am a fan of non-federated Portal (to avoid that user name costs)  use Web authentication on the adaptor, enable Web Tier authentication... makes for a seamless user experience.