Using Windows Domain Authentication breaks everything!

ThomasColson · ‎04-05-2013

With the following set up:

MS SQL 2008 R2

A versioned feature class

Windows ACL Group "Users" mapped to DBO and full control of all tables

Users in "Users" can access and adit the FC through Arc Map

SQL Geodatabase successfully registered and validated in the data store

Arc GIS Server

Windows Domain User Store

Windows Domain Role Store

Authentication Tier = Web

Authentication Mode = Web

The "Users" group has been granted access through web-based ArcGIS Server Manager to:

A map service

a Geodata service

IIS

Anon Authentication Disabled

Windows Authentication Enabled

A folder called "Folder" to which the "Users" group has been granted access

This setup has worked well for non-SQL-backed map and geodata services. Here's the problem:

I create a simple flexviewer app (3.2) with the feature service, using http://localhost/arcgis/rest/services/CRGIS_EDIT/

In the "Preview" tab I can successfully view and edit the data, everything works peachy

config.xml reflects "localhost", so in order to see the app from another computer, I edit config.xml to read http://[FQDN]/arcgis/rest/services/CRGIS_EDIT/FeatureServer/0

Which returns the following error:

Architectural Survey Line layer failed to load: Fault code: Channel.Security.Error
Fault info: Security error accessing url
Fault details: Destination: DefaultHTTP

Research suggests I should be using Crossdomain.xml, which I've copied to just about every single folder there is, same problem.

When using http://[FQDN]/arcgis/rest/services/CRGIS_EDIT/ to define the operational layer in the Flexviewer builder, using the ArcGIS admin account or my windows account will allow access to the service.

I can view http://[FQDN]/arcgis/rest/services from any browser, any computer, no problem.

Clearly I'm missing something obvious here, what is it? We cannot use local security per organizational policy, it's Windows AD or nothing. Thanks!

ThomasColson · ‎04-05-2013

So I have managed to resolve most of these problems, but at the expense of a new one...which I'm posting over in the flex thread.