I apologize if I don't use the right terminology here; I'm not usually involved in the ArcMap side of our map interaction.
The basic issue here is that we have users who want to add layers from our Server into ArcMap. However, we have data that requires security based around our own third-party application, so we route their requests through a proxy that fetches their application user and verifies if they can access the service or not.
This works fine in Portal and most other use cases. However, ArcMap does not post data in a way we can interpret. While populating the Catalog tab, it posts standard SOAP requests; these we can check against easily enough. However, when they add a Map Service to their map, all of the layers on that Map Service are visible and will draw freely on the map with no regard to their authentication. Plus, the data that is POST-ed to us is in some indecipherable form. It comes across with the header application/octet-stream, and when we decode the bytes, it looks like the start of a SOAP request before rapidly dissolving into undecodable characters.
The main thing I need to be able to know is what layer they are turning on/off or drawing for when ArcMap posts data to us in this way. Is there an object type I can try to parse the bytes into to get some usable data off of it? Is there something in the Result I can use to check against? Any insight into what happens in the network traffic once a Map Service has been added to the map would honestly be incredibly helpful.