Security for services without login?

01-29-2012 01:04 AM
JennyKlantskalle
New Contributor
I'm working on an intranet map using REST services in ArcGIS Server 10 and JavaScript 2.5.
My client decided that some of the services must be secure and not visible to all users. Preferably the user should not have to log in to the map. Users are already set up in Windows accounts and the same roles in Windows could be applied.
I have found some information in http://help.arcgis.com/en/arcgisserver/10.0/help/arcgis_server_dotnet_help/index.html#//0093000000pz...

For now the services are permitted to everyone inside the local network, but as more complex data is added, and in the future editing will be permitted to some users, it needs to be secured for some services.

snip
The user can either be automatically authenticated based on the operating system login, or the user may see a pop-up login dialog box.
end snip

But how do I control this in my JavaScript code?
Am I right when assuming that if I want to use a dialog box I could use IdentityManager? But does IdentityManager work when I don't have token-based security?
And the main thing: if I don't want to use a login dialog box, how does that work?
0 Kudos
6 Replies
nicogis
MVP Frequent Contributor
If you have two types of security, token-based and Windows authentication, you must have two instances of ArcGIS Server (see http://help.arcgis.com/en/arcgisserver/10.0/help/arcgis_server_dotnet_help/0093/0093000000pt000000.h...).
IdentityManager is a shortcut for requiring a token on the fly, so if you don't set it you can use a proxy or write code. If you have Windows authentication, and you are on your computer and you have permission, OK (no Windows login); otherwise you are shown a Windows form login.
0 Kudos
AxelSchaefer
New Contributor II
One additional hint if you are using Windows authentication: in Internet Explorer, the authenticated user is passed automatically to the web application. Firefox asks for user credentials (the domain/workgroup user). You can avoid that with an entry in Firefox's about:config. See here: http://kb.mozillazine.org/Network.automatic-ntlm-auth.trusted-uris
0 Kudos
JennyKlantskalle
New Contributor
Domenico: Thanks for your answer. It was very helpful!
If I understand you correctly, the login window is shown automatically if the setting is "no automatic Windows authentication". Is it the browser, the server or Windows that sends the request for login? And I don't have to be concerned at all about the login? But what if the login fails?
Sorry for throwing all these questions at you, but I really have difficulty finding the answers in the documentation...

Axxl: A very useful hint about Firefox. My map is both nicer looking and faster using Firefox, so it was fantastic news to hear that we won't be restricted to IE if we want the automatic login!
0 Kudos
JohnStreeb
Occasional Contributor
Just so you know, Chrome also automatically passes Windows authentication.
If you are using IIS and you want the services to validate against the Windows user they are logged in as to determine what they see and what they don't:
In Server Manager, make sure the security is set to Windows authentication, and add the appropriate groups to the various services you want them to have access to.
Also, make sure in IIS the ArcGIS Server instance is set to "Windows Authentication" enabled (if you are only using this on a Windows-based intranet and no one needs external web access, you can turn off all other authentication modes).

I have my server set up in an intranet environment and it works without any log-in necessary. I just have them open up the URL for the web application in IE or Chrome (I didn't realize you could configure Firefox to handle Windows authentication behind the scenes), and when it reaches the point in the JavaScript code where it requests a particular ArcGIS Server service, IIS challenges the browser for credentials, which, if it's set to Windows authentication, are passed automatically, and it displays the service in the application (shows that layer on the map) and continues loading the rest of the application. If they do not have the rights to that service, depending on how you include the call to the map/feature service, it may or may not continue loading the application, just without any connection to the data/service itself.

Of course, another option would be to add role-based security to the application itself via IIS/Windows Explorer by giving some groups access to the application files and denying other groups access. In that case, when they tried hitting the URL for the application, IIS would check and would allow them or deny them access. If denied, depending on the browser, it may either present them a username/password log-in box, or simply display an error page saying they don't have the rights to access that page.

Don't know if any of that helps, but if it does, there you go...
0 Kudos
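An added example, not code from this thread or from Esri: one way to make the "may or may not continue loading" behaviour described above deterministic is to probe each secured service before adding its layer, and skip the ones the logged-in Windows user is refused. The service ids and URLs, and the helper names `classifyAccess`, `fetchProbe` and `planLayers`, are assumptions made for illustration.

```javascript
// Added example. Service ids and URLs are constructed placeholders.
const SERVICES = [
  { id: "basemap", url: "/ArcGIS/rest/services/Basemap/MapServer" },
  { id: "parcels-edit", url: "/ArcGIS/rest/services/ParcelsEdit/FeatureServer" },
];

// When the browser answers the IIS challenge automatically, script never sees
// the handshake; it only sees the final outcome, which is classified here.
function classifyAccess(status, body) {
  if (status === 401 || status === 403) return "denied";
  if (status < 200 || status >= 300) return "error";
  // Assumption: the REST endpoint may report a failure inside a 200 JSON body
  // as { error: { code, message } }; 498/499 are its token-related codes.
  const code = body?.error?.code;
  if (code == null) return "granted";
  return [401, 403, 498, 499].includes(code) ? "denied" : "error";
}

// Default probe for a browser: request the service description as JSON and
// let the browser attach credentials (must be explicit for cross-origin calls).
async function fetchProbe(url) {
  const res = await fetch(url + "?f=json", { credentials: "include" });
  const body = await res.json().catch(() => null);
  return { status: res.status, body };
}

// Probe every service independently so that one refused or broken service
// cannot stop the rest of the map from loading.
async function planLayers(services, probe = fetchProbe) {
  const results = await Promise.allSettled(services.map((s) => probe(s.url)));
  const plan = { load: [], skip: [] };
  results.forEach((r, i) => {
    const access = r.status === "fulfilled"
      ? classifyAccess(r.value.status, r.value.body)
      : "error";
    if (access === "granted") plan.load.push(services[i].id);
    else plan.skip.push({ id: services[i].id, reason: access });
  });
  return plan;
}
```

The probe only decides what the page tries to display; the access decision itself stays with the groups assigned to each service on the server.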
Hernando_CountyProperty_Apprai
New Contributor III

I hope I am understanding this correctly. So you are saying that you have a secured map service (secured through the ArcGIS Server Manager such that if you were to try and access the URL of the service it would challenge you for a username and password). You then have an application that is secured by Windows authentication. When they run the application in IE and it gets to the code where the URL for the service is being called, it doesn't challenge them for a username and password because Windows authentication is in place and that passes the username and password into the map service?

0 Kudos
Hernando_CountyProperty_Apprai
New Contributor III

This does not work for me. My setup: Windows Authentication on the application that calls the secured map service; secured map service using Active Directory. When I run the application in Firefox I am challenged for a username and password. I enter my Windows username and password and the map is displayed. When the map gets to the point of calling the secured service I am challenged again for a username and password. I use the same username and password that I used when challenged before and the map is displayed correctly.

What I want the application to do is pass my Windows username and password to the secured service so that it does not challenge me a 2nd time.

0 Kudos