Secure SSL services in Web App builder failing.

By default, ArcGIS Server has a self signed certificate on port 6443.  I secured the SampleWorldCities service using GIS Tier authentication and built-in users and roles, and added it to a webmap.  I created a web app from the webmap using the web app builder, shared it with everyone, and when I opened the web app, I was prompted to sign in.  I believe what Qun is saying is valid, as my self signed certificate for my Server had already been trusted by my browser.  I opened the web app up in IE on a separate machine that didn't trust my certificate and it first asked for me to trust the cert, and once I did, I could refresh the browser and it prompted me to sign in.  Typically, we don't see people exposing 6443 or 6080 to the public, see the diagram at this link.  Instead, you have that port sitting behind your DMZ with the web adaptor or another reverse proxy in the DMZ.

Yes, I only exposed 6443 to try to determine why I could not get this to work by simplifying things and  Bypassing the Web adaptor. Reason is IIS has a Redirect in place to redirect to HTTPS (URL Rewrite installed).  I was and still not sure if having a redirect was causing issues on the gis.arrayis/ca/arcgis/home or the server gis.arrayis.ca/arcgis/rest/services....

by GIS Tier I am guessing you mean GIS_SERVER ?

Now have EV SSL from Comodo.

Create web map via Portal - Prompt for Secure web service from ArcGIS Server - prompt shows up

Create Web APP via Portal - FAILS - no prompt from the above web map (F12 only shows 'invalid Token' - um okay, where is my prompt?  No prompt... as stated original post

Same process via ONLINE - web map - WORKS - I get the secure service prompt

Web APP - IT WORKS! I get the prompt!

Is there something wrong with my Portal?

Is your Portal and Server federated?  Are they on separate machines, or are they accessed via the same host?  If they're unfederated, it may be that it's using a Portal token and appending it to the service URL, which is why you may see a token appended to the service URL and the "invalid token" error.  There have been a few bugs logged for that behavior.  The workarounds for that behavior are to federate Portal and Server or make sure that they're accessed via separate FQDN's.

Oh my.

No Not Federated.

Portal and ArcGIS Server are on same server machine...

I've come a long way since.

Certs are handled by the following:  IIS Requires a valid cert.   ArcGIS Server also  ROOT/Intermediate and a signed cert. (to be proper but not mandatory)  there is a whole process to create the CSR, then upload the signed cert from that CSR     under admin>> machine>> [machine name] >>  SSLCertificates    create a cert or use self signed.  Generate CSR ... Import SignedCert once your organization has given back .cer    Import Intermediate / Root/   then   EDIT machine to use new Web Server SSL Cert  under server machine properties.

you can also replace the two self generated certs for WABde with signed certs. (another strange process).

As far as what had happened for this posting, id have to go back to my notes.. was some time ago.

I am a fan of non-federated Portal (to avoid that user name costs)  use Web authentication on the adaptor, enable Web Tier authentication... makes for a seamless user experience.