Skip to main content
Question

FME Form + ArcGIS Enterprise Portal 12.0: Web Connection fails when IWA is enabled (branched feature services)

  • April 10, 2026
  • 4 replies
  • 78 views
craniumak
Contributor
Forum|alt.badge.img+4

I am in the process of deploying a new GIS platform (~250 users) and need FME Form to connect to branched versioned feature services hosted in our ArcGIS Enterprise Portal 12.0. When Integrated Windows Authentication (IWA) is enabled on the Portal (to allow seamless sign‑in on the network), FME cannot authenticate the web connection.

Environment / what works vs. fails:

  • FME Form reader: Esri ArcGIS Feature Service
  • FME Web Connections tried: Esri ArcGIS Enterprise OAuth and Esri ArcGIS Portal token
  • Both succeed when IWA is disabled
  • Both fail when IWA is enabled (FME can’t establish the Portal connection)

Goal: Ideally keep IWA for user convenience and allow FME to run reconcile/post workflows against branched feature services. If the only practical path is to have users sign in and “remember credentials,” we can accept that, but I am hoping for a better solution.

Questions:

  1. Does FME Form support connecting to Portal secured with IWA, and if so, what specific Web Connection setup is required?
  2. Are there known workarounds (e.g., alternate Web Adaptor/Portal auth provider for service accounts, OAuth app registration settings, proxy headers, or FME-specific/portal setting configurations) that let FME authenticate while IWA remains on?
  3. Any best practices for FME against branched versioned services under IWA (service accounts vs. named users, token lifetimes, scheduled automations)?

Appreciate any insight, examples, or docs others have used to make this work. Thanks!

 

Dave

    4 replies

    hkingsbury
    Celebrity
    Forum|alt.badge.img+70
    • hkingsburyCelebrity
    • Celebrity
    • April 12, 2026

    At the machine level FME (the executable, not form/flow) runs as its own service account - it doesn’t use the account that the user authenticated with via IWA.

    So if the process is using IWA, then when it runs, it uses the service account running FME to authenticate. This means that a user building a process on Form will be able to read/write to Portal via IWA and it will show up on Portal as them performing the action.

    When this process is published to Flow, it will try to use the FME (windows) service account to try and authenticate.

     

    With Flow, you need to treat it more as an app to app authentication (FME Flow is Authorised with Portal) rather than a User to Item authentication

    ebygomm
    Evangelist
    Forum|alt.badge.img+48
    • ebygommEvangelist
    • Evangelist
    • April 14, 2026

    A couple of questions - what version of the Esri ArcGIS Connector package have you got installed?

    For Esri ArcGIS Feature Service you need to be using Esri ArcGIS Generate Token (safe.esri-agol) for a token connection. I didn’t think it was possible to select an Esri ArcGIS Portal token web connection if the format was set to Esri ArcGIS Feature Service? I’m afraid i don’t know how this ties in with IWA. I would have expected the token connection to be independent of that.

     

     

    craniumak
    Contributor
    Forum|alt.badge.img+4
    • craniumakContributor
    • Author
    • Contributor
    • April 14, 2026

    A couple of questions - what version of the Esri ArcGIS Connector package have you got installed?

    For Esri ArcGIS Feature Service you need to be using Esri ArcGIS Generate Token (safe.esri-agol) for a token connection. I didn’t think it was possible to select an Esri ArcGIS Portal token web connection if the format was set to Esri ArcGIS Feature Service? I’m afraid i don’t know how this ties in with IWA. I would have expected the token connection to be independent of that.

     

     

    I updated to the latest release from April 8th. I tried several web connection methods, including generating a token, but it still isn’t working correctly with IWA enabled. While I’d prefer users to be automatically signed in, the reality is that the best practice is to log in and use two‑factor authentication anyways. I’ll work with a middle‑ground solution for now until I can implement something more permanent down the road.

    crystalwang
    Safer
    Forum|alt.badge.img+21

    Hi ​@craniumak,

    Thank you for the details on this thread.

    Does your environment support Kerberos or NTLM? If so, in the reader/writer parameters, you could use (set Source Type to Enterprise):

    • Kerberos - Authentication -> “Authentication Type == Kerberos”, no additional web connection needed
    • NTLM - Authentication -> “Authentication Type == Web Connection”, Add a web connection using the ‘Esri ArcGIS Login’ web service, and ensure the web connection authentication method is set to ‘NTLM’

    These are the methods that the Esri ArcGIS package supports when it comes to ArcGIS Enterprise and IWA.

    Hope this helps!

    Community Stats

    32,527
    Posts
    123,530
    Replies
    40,749
    Members
    Terms & ConditionsAccessibility statement
    A product of
    Safe Software respectfully acknowledges that we live, learn and work on the traditional and unceded territories of the Kwantlen, Katzie, and Semiahmoo First Nations.