
UserCredential concatenates @Domain in 100x

Question asked by jaarons47 on Oct 22, 2019
Latest reply on Nov 7, 2019 by Erick_Solis-esristaff

I am seeing behavior in 100.6 (probably there in all 100.x) where UserCredential concatenates @Domain onto the end of the username.  So if I do the following ...

 

UserCredential mAgencyCredentials = new UserCredential("Domain\\mMouse", password);

 

mAgencyCredentials immediately returns ...

 

"mMouse@domain"

 

in LogCat...

 

mAgencyCredentials = {UserCredential@12352}
mPassword = "obfuscated"
mReferer = null
mToken = null
mUsername = "mMouse@Domain"

 

In this case I am using the UserCredential to access an on premise feature service (shared via AGOL in our organization but the service itself is on an internal ArcGIS Server instance).

 

The username format causes us all sorts of problems from that moment forward as described below...

 

The behavior where the runtime SDK adds the @DOMAIN suffix to the user account is a problem with our 'stand alone' (not portal/server federated) ArcGIS Server environment.  This is similar to behaviors we noted in the MAR 2017 Esri Case #01907532 - "ArcGIS Server Token Authentication Login Format Issues".  
Here is the server authentication setup:
image.png
From the web-adaptor server, I enabled 'failed request tracing' rules to dump .xml log files for each request.  From that, I gather that the code did the following: 
  1. Client (mobile device) attempted access to https://www.example.com/arcgis/rest/services/folder/servicename/FeatureServer
  2. Server responded: 
    Buffer="{"error":{"code":499,"message":"Token Required","details":[]}}"
  3. Client requested https://www.example.com/arcgis/rest/info to obtain authentication information.  Server responded appropriately (isTokenBasedSecurity = True and token URL)
  4. Client made a request to https://www.example.com/arcgis/tokens/generateToken and supplied the username in the following format: username@DOMAIN  (ex: 'mMouse@Domain').  The @ was encoded to %40
  5. Server responded with a valid token
  6. Client then made a request to https://www.example.com/arcgis/tokens and supplied the username in the same 'username@DOMAIN' format.  Server again provided a token
  7. Client then made the same request as #1 but added the header X-Esri-Authentication with the value Bearer <TOKEN FROM the /arcgis/tokens url (second token request)>
  8. Server responded with: 
    Buffer="{"error":{"code":-1,"message":"Unable to check permission on resource <Folder>/<Service>.mapserver.Failed to compute the privilege for the user '<USERNAME>@<DOMAIN>'. Could not find user account in the Identity Store.","details":[]}}"
  9. Furthermore, the ArcGIS Server logs return:   Blocked out actual username but would be "mMouse@Domain"
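
One way to check a captured trace for the mismatch described in the question, added here as an example (not part of the original post and not Esri code): it compares the username the app supplied with the name seen in the token request and in the identity-store error. The record layout, `SAMPLE_TRACE` and the function names are assumptions, and the sample values are constructed from steps 4 and 8.

```python
import json
import re
from urllib.parse import parse_qs

# Constructed records modelled on steps 4 and 8 of the post. Real failed-request
# trace files are XML and need their own extraction step first.
SAMPLE_TRACE = [
    {"url": "https://www.example.com/arcgis/tokens/generateToken",
     "body": "username=mMouse%40Domain&password=REDACTED&f=json",
     "response": '{"token":"REDACTED"}'},
    {"url": "https://www.example.com/arcgis/rest/services/folder/servicename/FeatureServer",
     "body": "",
     "response": '{"error":{"code":-1,"message":"Unable to check permission on '
                 "resource folder/servicename.mapserver.Failed to compute the "
                 "privilege for the user 'mMouse@Domain'. Could not find user "
                 'account in the Identity Store.","details":[]}}'},
]

def name_format(username):
    """Classify an account name by syntax only."""
    if "\\" in username:
        return "down-level"   # DOMAIN\user
    if "@" in username:
        return "upn-style"    # user@DOMAIN
    return "bare"

def split_account(username):
    """Return (user, domain), lower-cased, for either syntax."""
    if "\\" in username:
        domain, user = username.split("\\", 1)
    elif "@" in username:
        user, domain = username.rsplit("@", 1)
    else:
        user, domain = username, ""
    return user.lower(), domain.lower()

def audit(configured, records):
    """Compare the name on the wire (parse_qs decodes %40 to '@') with the app's."""
    findings = []
    for rec in records:
        sent = parse_qs(rec["body"]).get("username", [None])[0]
        if sent and sent != configured:
            same = split_account(sent) == split_account(configured)
            findings.append(("rewritten", name_format(configured), sent, same))
        message = json.loads(rec["response"]).get("error", {}).get("message", "")
        hit = re.search(r"for the user '([^']+)'.*Identity Store", message)
        if hit:
            findings.append(("not-in-identity-store", hit.group(1), name_format(hit.group(1))))
    return findings
```

Calling `audit("Domain\\mMouse", SAMPLE_TRACE)` reports that the same account was sent in a different syntax and that the rewritten name is the one the identity store failed to resolve.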


