I'm doing my best to secure my AGS (9.3.1) services, but have struggled with tokens. As you can see, my nw account belongs to the agsadmin and agsusers roles:
I have assigned these same roles to my service and its containing folder:
Generating a token is no problem:
But alas, upon logging in to the REST interface, I am presented with this Unauthorized access message:
I found a post on the ESRI forums describing the same problem, but responses are inconclusive. ("Please make sure that the Security settings for this map service is correct.", blah blah.)
Has anyone encountered this? What could I be doing wrong?
Update: we have abandoned AGS-based security because of its many flaws and capricious inconsistencies. Beware!
Best Answer
If you use Fiddler when you are firing a token authentication, you can see the response (403 Forbidden, etc.).
I used this when I first set up FME Server with security - this uses the same Token method and is not unique to ArcGIS REST but REST with security. It is likely to be either software security issues or the web server refusing the user's request.
This Token Security (via proxy) on an ArcGIS Server (Javascript) might be useful for your application: http://forums.arcgis.com/threads/33714-Token-Security-on-an-ArcGIS-Server-%28Javascript%29