Unable to authenticate using IWA (401 error)

StephenM01 · ‎11-21-2022

I am updating some existing tools to leave out username and password from the GIS() method due to the the issue with IWA and OpenSSL 3.0 in ArcGIS Pro 3.0 (detailed here: https://support.esri.com/en/Technical-Article/000028494). When I do that, however, I get a 401 error and can't authenticate.

Here's an example where I'm just trying to update an item's summary and description (the service is on a federated server):

portal_url = r"https://portalurl.com/portal"
gis = GIS(portal_url)

upd_str = "Test string"
portal_item = gis.content.get(target_item)
print("Target item title: {}".format(portal_item.title))
portal_item.update(item_properties={'snippet': upd_str, 'description': upd_str})
print("Item summary and description updated")

Using that code I get the item title printed out, but then get "HTTP Error 401. The requested resource requires user authentication." It seems like this may be an issue with authenticating with the server, which is why I am able to get the item title but not update its properties.

Environment:

ArcGIS Enterprise 10.9.1 configured with Windows Authentication (IWA)
ArcGIS Pro 3.0.2
ArcGIS API for Python version 2.0.1

These tools worked perfectly when username and password were specified in the GIS() method. Anyone else come across this issue too or have any ideas?

AdamNellessen · ‎12-15-2022

I am running into a very similar situation; however, it is not exactly the same from a function or results standpoint. We have the same three environment components you described (Enterprise 10.9.1 with IWA, Pro 3.0.2, and ArcGIS API for Python 2.0.1). I am developing a tool which will allow users in a specific non-administrator role the ability to take ownership of an item if they and the original user are in the same corporate department (context outside of Portal but determined within the script).

I am able to not only authenticate to our Portal but perform searches (for users, items, and groups), create a folder in the target user's account, drop group sharing, re-assign the item (using the reassign_to function) to the target user, and reshare to the original groups. From a functional standpoint, the process works as the item is successfully reassigned to the target user in the expected folder; however, I am also receiving the 401 error. Commenting out just the 'item.reassign_to' step prevents the 401 error; however, the item is no longer reassigned.

I was wondering if you had opened a support ticket or otherwise discovered anything further.

StephenM01 · ‎12-15-2022

Interesting, sounds very similar. I haven't opened a support ticket yet. I ended up working around the issue by using the REST API instead of the Python API.

I found that using the REST API I could get and update item details just by using HttpNegotiateAuth(), but for applying edits to a feature service I needed to get a token and pass it in with the edit request.

# Update item summary and description
update_payload = {'snippet': 'Some text', 'description': 'Some text', 'f': 'json'}
update_request = requests.post(update_url, auth=HttpNegotiateAuth(), data=update_payload)

# Get a token
token_request = requests.post(token_url, auth=HttpNegotiateAuth(), data=token_payload)
tkn = token_request.json()['token']

# Update feature service using applyEdits
edits_payload = {'updates': updates, 'f': 'json', 'token': tkn}
edits_request = requests.post(edits_url, data=edits_payload)

I'm wondering if generating the token for the server could be the issue with the Python API. Doesn't seem like we should need a token since we're using IWA, but when I tried to apply edits without passing in a token I got a 499 "token required" error. I did come across this other post when I was researching this issue that seemed to have some similarities: python API fails with IWA for federated ArcGIS servers.