arcgis-serverauthenticationjavascriptwindows
I am using the ArcGIS Javascript API to consume a feature layer on an ArcGIS Server secured with Windows Authentication. I want to satisfy the authentication programmatically so the web user isn't prompted with a login.
I've poked around the web and seen something about downloading an ASP.NET proxy page, but it is from the 9.3 section of the online ESRI resources. I'm just wondering if there is a different way to do it in 10.x versions?
When you connect to a secured web site with a non-IE Browser, the login credentials you use will be re-used when you connect to the same web site.
If you are using two different web sites, then the user will be prompted again when their browser tries to connect to the second web site.
You are certainly able to generate a token for a client to consume later. However, I would recommend just using the integrated authentication for both your viewer and the ArcGIS Server, as generating a token on-the-fly will sometimes lead to problems if the client does not provide sufficient information for your to generate the token. (for example, Silverlight running in Firefox will not provider a Referer header if the request was a GET)
Here's how my test machine is set up for Windows authentication:
I finally found what I was looking for: a proper ArcGIS Server web endpoint that I could use to generate tokens!
The call is this:
GET http://<arcgisserver_host:port>/arcgis/tokens?request=getToken&username=<usr>&password=<usr>&expiration=<token_lifespan>
which gives back the token into the HTTP response body, and one can send it along to any further request to secured resources without being prompted for credentials again. The token must be the value for the Cookie request header, as it is currently stored into a cookie on the client side.
But...damn! This token generator is NOT part of the ArcGIS Server REST API!!! I couldn't find it in the online API documentation! Where in the world could I found it???
This means that ArcGIS Server does not have a RESTful authentication framework.
In example, if we have this mapservice exposed under the ArcGIS REST API: /arcgis/rest/services/myDir/myMapService/MapServer/layers and we try to GET this resource, what we get from ArcGIS Server is a response having a 200: OK status code and an HTML document in the body (the HTML is a login form). From a would-be-RESTful login, I would expect that the request gave me back a 401: Authentication Required status code along with a WWW-Authenticate header...
I tested this whole thing out myself using a REST client program.
Best Answer
A proxy page can also be used to bypass an authenticated service with 10.x versions of the APIs.
A few things to note:
Windows Authentication is normally used on an internal network only, where you may take advantage of the integrated login, and bypass the login prompt that way. If your users are on the internal network, and have already logged on to the domain on their workstation, they shouldn't be challenged by a login prompt (IIS should already have handled that!)
Users that are not logged on to the network already, such as external users being directed to the Windows-secured server, will always be presented with a login prompt. There is no way to apply the login in the background once this prompt appears - its presence indicates that the background login attempt has already failed.