Workflows and AD secured AGS service
Is there a trick to being able to run a workflow which accesses an ArcGIS Server service which has been secured with Web Tier Windows Authentication (using Active Directory)?
I can add the service to my site just fine, but when I try to run a simple workflow that queries the secure layer, it throws the error:
There was a workflow error running activity: Exception has been thrown by the target of an invocation. Workflow 'test' failed Unhandled exception: 'One or more errors occurred.' in activity '1.5: QueryTask'. One or more errors occurred. Unable to check permission on resource foo/parcel.mapserver.Failed to compute the privilege for the user 'DOMAIN\COMPUTERNAME$'. Could not find user account in the Identity Store.
It looks like it's trying to use the credentials of the App Pool instead of the end user's credentials. Do workflows work okay with AD secured map services?
I have also had this issue, just when saving edits to an ArcGIS secured service. The solution for me was the following:
In REST Manager, go to the map service and choose Edit map service. Then, in the Details tab, at the bottom, there is a Security section. Set the cursor in the field Security Provider Name; two possibilities appear. Choose the default one:
Geocortex.Essentials.Proxy.DefaultMapServiceSecurityProvider, Geocortex.Essentials, Version=4.4.2.21, Culture=neutral, PublicKeyToken=582fec6ec4c8784f
Then Apply details and Save.
I hope this works for you too.
Just wondering if you found a solution Peter? I have the same scenario re Active Directory and Web Tier authentication, and get a similar error as you when running a query task. Except for me it is trying to use the 'IIS APPPOOL\EssentialsAppPool4' user to authenticate.
David
@David,
I haven't had a chance to go back and work on this again recently. I'll have to give the solution that @Veerle suggested a try and see if that works.
Peter
Having the same issue - Veerle, I'm working on your suggestion, but wanted to know if the components in the Security Provider entry after the "Geocortex.Essentials.Proxy.DefaultMapServiceSecurityProvider" are universal? Specifically the PublicKeyToken? If not, where could that be generated?
I'm having the same issue as David. Did you ever get this resolved, David?
Hi - yes I did. My services were in ArcGIS in a secured folder. I wanted it so that anyone logged in could see the services but had not done that correctly. It was secured but using a weird group instead of the All logged in users option. Once I made that change to allow all logged in users the error went away. Check your ArcGIS Server security, I suggest.
Thanks for your response David. I do have the service secured and your suggestion works. Unfortunately there are other agencies on the domain and we need to restrict this service and data to just our agency via a group(s). Unfortunately the query isn't using the logged in user to authenticate with. I'll continue to experiment with the security to see if there's another way around it.
Have you made any further progress on your research on this Waylon? I'm getting the same error, but my feature service is set to public, available to everyone. I'm thinking it's the way Geocortex is passing this through the web adaptor that is causing the issue, but I can't troubleshoot it properly.
Hi,
Just to clarify, server-side workflow activities do run as the IIS Application Pool Identity and do not support Impersonation. There isn't any way to have the identity of the user accessing the viewer passed through to the Application Pool. The only workaround is to change the identity of the REST application pool to a domain service account. See the attached screenshot.
[Image: User-added image]
Thanks,
Mike Ketler
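The workaround described in the reply above, as an added PowerShell example that is not part of the original thread or Geocortex documentation. It assumes the pool name `EssentialsAppPool4` seen in the error messages on this page and prompts for a service account you supply; because every server-side workflow request then runs as that account regardless of who is signed in to the viewer, grant it access only to the ArcGIS Server folders and services the workflows need.

```powershell
# Added example: run an IIS application pool under a domain service account.
# Run from an elevated PowerShell session on the Essentials server.
Import-Module WebAdministration

# Assumption: pool name taken from the errors quoted in this thread; confirm in
# IIS Manager which pool actually hosts the REST application before changing it.
$poolName = 'EssentialsAppPool4'
$poolPath = "IIS:\AppPools\$poolName"

if (-not (Test-Path $poolPath)) {
    throw "Application pool '$poolName' was not found."
}

# Record the current identity first so the change can be rolled back.
# identityType: 0 LocalSystem, 1 LocalService, 2 NetworkService,
#               3 SpecificUser, 4 ApplicationPoolIdentity
$before  = Get-ItemProperty -Path $poolPath -Name processModel
$oldType = "$($before.identityType)"
$oldUser = "$($before.userName)"
Write-Output "Before: identityType=$oldType userName='$oldUser'"

# Prompt for the service account rather than hard-coding a password.
$cred = Get-Credential -Message 'Domain service account for the REST app pool'

Set-ItemProperty -Path $poolPath -Name processModel -Value @{
    identityType = 3                                   # SpecificUser
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}

# Recycle (or start) the pool so worker processes pick up the new identity.
if ((Get-WebAppPoolState -Name $poolName).Value -eq 'Started') {
    Restart-WebAppPool -Name $poolName
} else {
    Start-WebAppPool -Name $poolName
}

# Verify what IIS now has configured.
$after = Get-ItemProperty -Path $poolPath -Name processModel
Write-Output "After:  identityType=$($after.identityType) userName='$($after.userName)'"

# Rollback to a built-in identity (uncomment to use), then recycle the pool again:
# Set-ItemProperty -Path $poolPath -Name processModel -Value @{ identityType = $oldType }
```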
Hi Mike
Do you have any idea if you are going to support impersonation in the future? We are using editor tracking on our feature classes and use feature services in Geocortex. If I create a new feature using the toolbar then my user information is correct (the user logged into the client). But if I update a feature using the updateFeature activity from a workflow then the user info in "last_edited_user" is "IIS APPPOOL\EssentialsAppPool4".
It would be great if we could take advantage of both workflow activities and Esri editor tracking at the same time.
- Jesper
Hi Jesper,
I've just checked with our Essentials team lead, and this is not something that is planned for Essentials workflows. He did point out, however, that in Geocortex Workflow, edits done by the workflow are executed in the web browser, so you would get user tracking that way.
Hi all,
I've encountered a strange issue where I changed the Essentials app pool to run under a domain user, then set it back to what it was before (NetworkService), however now I'm getting this error.
Is there anything else I need to set upon changing the app pool's identity back from a domain user to this local user? I've tried running the post install again but that hasn't helped.
Thanks
Rob
Hello!
After scouring through the site for answers, Jordan's comment seems to be the only response from Latitude on this issue. However, I just want to get a confirmation on the following just to be sure that it is still not supported:
Can you confirm: "Editor Tracking with secured ArcGIS Server services using the web-tier windows user identity is not supported while editing through workflows"
If it is supported, the question is: what configuration is needed for ArcGIS Web Adaptor, ArcGIS Server security, IIS and Geocortex Essentials, as well as services added to the map?
Our client is seeking an answer to this question and I am sure it will help other users to have a definitive answer as well.
Thank you.
Hi,
You can tell which activities in the original Workflow are server-side vs client-side by checking if they have the debug option in the Workflow Designer. If they have the debug option, then they are client-side. Unfortunately, the Add/Update Features activities are server-side and as such do not support impersonation.
The only way I know of to get Feature Editor Tracking to work requires you to use the OTB Feature Editing tools in the viewer itself not through a Workflow.
Note, I haven't tested for Feature Editor Tracking in Workflow 5 which is 100% client side.
Thanks,
Mike Ketler
Can anybody explain how you are using "Editor Tracking with Secured ArcGIS Services with Geocortex viewer"?
Thanks,
Muhammad Almas
Hi everyone, we use Windows Authentication on both Essential Manager and our ArcGIS Server (via ArcGIS Web Adaptor) and have anonymous access disabled, with all servers in the same domain.
I'm wondering if it is still a "no go" for Workflow4 to support Impersonation, and the only solution is to make EssentialsREST's application identity a domain user account that has access to all map services.
BTW, is it the same idea if I want to add a WA secured map service without entering my Windows username and password again? I have to make EssentialsRestManger's application identity a domain user account that has access to the map service, as if I don't do that, the Essential Manager can't connect to or find the service. How can I impersonate the user that logged in to Essential Manager and to the HTML5 viewer so the request to the secured map services is made as the user rather than the EssentialsAdministrationAppPool4's application identity? I thought the Windows Impersonation option under myserver/Geocortex/Essentials/RestManager/SecuritySettings/Edit was supposed to do that, but it does not seem to be working in my case.
Meanwhile, I'm wondering why enabling ASP.NET Impersonation on Essentials REST and RestManager didn't impersonate the connected Windows user. Aren't they .NET applications? If a proxy is required, HTML5viewer shipped with proxy.ashx and proxy.config, which can be configured to forward the credential (https://docs.geocortex.com/essentials/gvh/2.12/install-help/Content/gvh/install/proxy-page.htm). EssentialsREST and RestManager don't have these files…
[Image: User-added image]