Web Tier Authentication issue

Permanently deleted user

January 31, 2019 16:10

Hello,

 

 

 

I have a service that has been protected in AGS with Web Tier using Active Directory users.

 

 

 

It shows on my viewer no issues but I have a workflow that has a querytask and it doesn't recognize the user (says Authentication Failed).

 

 

 

I tried on a javascript (via a $.getJSON call) to make the call to the service and it works (it recognizes the user client side) but seems that once it starts the workflow it loses reference to that user.

 

 

 

I already tried making the app pool using a Domain user to no avail.

 

 

 

Can anyone help me, please?

 

 

 

Thanks

0

• 

  Permanently deleted user

  January 31, 2019 16:14

  Hi Ricardo,

   

  Is the QueryTask using a token?  The token would come from a GetMapService activity (or a GenerateToken activity) earlier up in the workflow.

   

  Regards,

   

  Wayne

  0
• 

  Permanently deleted user

  January 31, 2019 16:40

  The service is secured with Web Tier, not token. 

   

  As far as I know Web Tier with Active Directory protected ArcGis Services don't accept tokens. The AD user should get SSO access to them.

   

   

  0
• 

  Kevin Rathgeber

  January 31, 2019 19:06

  I have been told this is a limitation of the workflow.  While you can get into workflow as a specific user the ability to act as that user (impersonation/delegation) beyond that point ends there.  For example we have wanted to use the logged in user to make a SQL Server call but it will not do the integrated connection to the SQL server with that account.  What it will try to do is connect as the user running the application pool for Essentials.  In our case because we run web farms we have a domain account configured in our Application Pools.  We then can grant that user access.

   

  In the past, to do secure connections outside the workflow we use the users claims information and checking group membership.  If they are in an appropriate group, make the call, if not don't allow it.

  0
• 

  Kevin Rathgeber

  January 31, 2019 19:07

  PS: I would love to be able to do impersonation/delegation from the workflow out to other systems.

  0
• 

  Permanently deleted user

  February 01, 2019 10:11

  I tried passing my user (Domain account) as the runner of the Application Pool for REST and RestManager but to no avail.

   

  Still get the same error. You mean changing the identity of the user running the app pool right?

  0
• 

  Permanently deleted user

  February 01, 2019 10:15

  Since we're at this, is there an easy way to see effectively what App Pool is running the Workflow?

  0
• 

  Nico Burgerhart

  February 01, 2019 14:01

  Place the following in an Alert or Log activity in your workflow to get the user: System.Environment.Username

   

   

  0

Please sign in to leave a comment.