This tutorial demonstrates how to secure ArcGIS web services using Integrated Windows Authentication. This requires users and roles to be managed in a Microsoft Windows Active Directory server. It can be a convenient approach when you want your GIS users to take advantage of Windows domain accounts they already have on your network.
To use Integrated Windows Authentication, you must use ArcGIS Web Adaptor (IIS) deployed to Microsoft's IIS web server. You cannot use ArcGIS Web Adaptor (Java Platform) to perform Integrated Windows Authentication.
If the account you use is denied logon rights on the machine where Active Directory is hosted, you'll encounter an error when configuring security. That account does not need the Log on locally group policy right, only the ability to log on to the domain. For more information, see Advanced considerations when using domain accounts.
To secure ArcGIS web services using Integrated Windows Authentication, follow these steps:
- Configure ArcGIS Web Adaptor (IIS) to use Windows authentication.
- Configure ArcGIS Server to use Windows Active Directory users and roles.
- Review users and roles.
- Configure Administrator and Publisher privileges for Active Directory users.
- Set permissions for services.
- Test access to secured services.
Configure ArcGIS Web Adaptor (IIS) to use Windows authentication
Integrated Windows Authentication requires web-tier authentication, and this must be done with ArcGIS Web Adaptor (IIS). The web adaptor relies on IIS to authenticate the user and provide the web adaptor with the account name of the user. Once it has the account name, it passes that to ArcGIS Server. ArcGIS Server trusts the account name forwarded by the web adaptor, so clients must reach the site through the web adaptor; a request that bypasses IIS is not authenticated at the web tier.
- Install ArcGIS Web Adaptor (IIS), following the instructions in Installing ArcGIS Web Adaptor (IIS).
- Configure Web Adaptor, following the instructions in Configuring ArcGIS Web Adaptor after installation.
- Set the authentication method for the web adaptor using IIS Manager.
- To open IIS Manager, click Start > Control Panel > Administrative Tools > Internet Information Services Manager.
- Under Sites, expand the left tree of IIS Manager. Expand Default Web Site to find the ArcGIS Web Adaptor (IIS) application. By default, ArcGIS Web Adaptor (IIS) is named arcgis.
- With the web adaptor application selected, open the Authentication feature. Disable Anonymous Authentication and enable Windows Authentication. If Windows Authentication is not listed, the Windows Authentication role service has not been installed on the IIS machine.
- Close IIS Manager.
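The same IIS change made from PowerShell, as an added example that is not part of the Esri page. It uses the WebAdministration module that ships with IIS, assumes the default site name and the default web adaptor name arcgis from the steps above, and reads both settings back so a locked or misspelled section does not fail silently. Run it in an elevated PowerShell session on the IIS machine.

```powershell
# Added example (not from the Esri page): switch the ArcGIS Web Adaptor (IIS)
# application from Anonymous to Windows Authentication and verify the result.
Import-Module WebAdministration

$AppPath  = 'Default Web Site/arcgis'   # assumption: default site and default web adaptor name
$AuthBase = '/system.webServer/security/authentication'

# Both authentication sections are locked at the server level by default, so
# write them as a <location> override in applicationHost.config (-PSPath IIS:\
# plus -Location); this is what IIS Manager does when you edit Authentication.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $AppPath `
    -Filter "$AuthBase/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $AppPath `
    -Filter "$AuthBase/windowsAuthentication" -Name enabled -Value $true

# Read both values back and fail loudly if IIS did not accept the change.
$anon = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $AppPath `
            -Filter "$AuthBase/anonymousAuthentication" -Name enabled).Value
$win  = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $AppPath `
            -Filter "$AuthBase/windowsAuthentication" -Name enabled).Value

if ($anon -or -not $win) {
    throw "Authentication for $AppPath is wrong (anonymous=$anon, windows=$win)"
}
"Authentication for ${AppPath}: anonymous=$anon, windows=$win"
```

If the second Set-WebConfigurationProperty call fails because the windowsAuthentication section does not exist, install the role service first (Install-WindowsFeature Web-Windows-Auth on Windows Server) and rerun the script.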
Configure ArcGIS Server security to use Windows Active Directory users and roles
To support Integrated Windows Authentication, configure ArcGIS Server to retrieve users and roles from a Windows Active Directory server.
- Open Manager and log in as the primary site administrator. You must use the primary site administrator account. If you need help with this step, see Logging in to Manager.
- Click Security > Settings.
- Click the Edit button next to Configuration Settings.
- On the User and Role Management page, choose the Users and roles in an existing enterprise system (LDAP or Windows Domain) option and click Next.
- On the Enterprise Store Type page, choose the Windows Domain option and click Next.
- On the Windows Domain Credentials page, provide the credentials for an account that has permission to read group membership in Active Directory. An ordinary domain user account can do this; a domain administrator account is not needed and should not be used here. Click Next.
- On the Authentication Tier page, choose Web Tier.
- Review the summary of your selections. Click Finish to apply and save the security configuration.
Review users and roles
After configuring a Windows Active Directory domain as the user and role store, review the users and roles to make sure they were retrieved correctly. To add, edit, or delete users and roles, you need to use the tools available on the Active Directory server.
- In Manager, click Security > Users.
- Verify users have been retrieved as expected from the Windows domain server. If Active Directory has multiple domains, users from the domain that the GIS server machine belongs to are displayed. To view users from other domains, provide the search string [domain name]\ in the Find User field and click the Search button.
- Click Roles to review roles retrieved from the Windows domain server. If Active Directory has multiple domains, roles from the domain that the GIS server machine belongs to are displayed. To view roles from other domains, provide the search string [domain name]\ in the Find Role field and click the Search button.
- Verify the roles have been retrieved as expected.
Caching of users and roles
As of ArcGIS 10.5, users and roles from your Active Directory are cached on the server after a request for users or roles. This optimizes the performance of your secure services. By default, users and roles are cached for 30 minutes. You can modify this time period by setting the minutesToCacheUserRoles property to another value in the ArcGIS Server Administrator Directory under system properties, or disable caching by setting the property to zero. Note that the cache also delays revocation: a user removed from an Active Directory group keeps the access that group grants until the cached entry expires, so choose a value that matches how quickly you need group changes to take effect.
Configure administrator and publisher privileges for Active Directory users
Out of the box, ArcGIS Server only allows the primary site administrator access to the server. If you'll be using Active Directory users to administer ArcGIS Server or publish services, you need to follow the steps below.
- In ArcGIS Server Manager, click the Security tab and open the Users page.
- Using the Find User tool, locate the user to whom you want to assign administrator or publisher privileges. Review the roles that this user is a member of and choose the role that will be assigned administrator or publisher privileges.
- Open the Roles page and use the Find Role tool to locate the role chosen in the previous step.
- Click the Edit button next to the role.
- For the Role Type parameter, choose either Publisher or Administrator.
- Click Save to apply your changes.
Set permissions for ArcGIS web services
Once you've configured your security settings and defined users and roles, you can set permissions for services to control who is allowed to access them.
ArcGIS Server controls access to the GIS web services hosted on your server using a role-based access control model. In a role-based access control model, the permission to access a secured service is controlled by assigning roles to that service. To consume a secured service, a user must be a member of a role that has been assigned permissions to access it.
Permissions may be assigned to an individual web service or to the parent folder containing a group of services. If you assign permissions to a folder, any service contained within inherits the folder's permissions. For example, if you grant a role access to the site (root) folder, users belonging to that role will be granted access to all the services hosted on that site. Also, to override permissions automatically inherited by a service from its parent folder, you can edit the service and explicitly remove the permissions that were inherited.
To set permissions for a service, see Editing permissions in Manager.
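The three Manager tasks above (shortening the user and role cache, assigning a role type to an Active Directory group, and granting a role access to the site root folder) done through the ArcGIS Server Administrator Directory REST API, as an added example that is not part of the Esri page. It assumes the site is reachable directly at https://gisserver.example.com:6443 (with web-tier authentication, the Administrator Directory is normally used on the site's own port rather than through the web adaptor), that you hold the primary site administrator credentials, and that an Active Directory group shown on the Roles page as EXAMPLE\GIS Publishers is the one you want to use; both names are placeholders.

```powershell
# Added example (not from the Esri page): cache period, role type and root-folder
# permission via the Administrator Directory, followed by a read-back check.
$Admin    = 'https://gisserver.example.com:6443/arcgis/admin'   # assumption
$RoleName = 'EXAMPLE\GIS Publishers'                              # assumption: as listed on the Roles page
$Cred     = Get-Credential -Message 'Primary site administrator'

# POST to an admin endpoint and turn ArcGIS-style errors (HTTP 200 with a
# status=error body) into exceptions so a mistyped role name does not pass silently.
function Invoke-ArcGISAdmin([string]$Path, [hashtable]$Body) {
    $r = Invoke-RestMethod -Method Post -Uri "$Admin/$Path" -Body $Body
    if ($r.status -eq 'error') { throw "$Path failed: $($r.messages -join '; ')" }
    return $r
}

$token = (Invoke-ArcGISAdmin 'generateToken' @{
    username = $Cred.UserName
    password = $Cred.GetNetworkCredential().Password
    client   = 'requestip'
    f        = 'json'
}).token

# 1. Shorten the user/role cache from the 30-minute default to 5 minutes so a
#    group membership change in AD is honoured sooner (0 disables the cache).
$props = Invoke-RestMethod "$Admin/system/properties?f=json&token=$token"
$props | Add-Member -NotePropertyName minutesToCacheUserRoles -NotePropertyValue 5 -Force
Invoke-ArcGISAdmin 'system/properties/update' @{
    properties = ($props | ConvertTo-Json -Compress); f = 'json'; token = $token
} | Out-Null

# 2. Give the AD group the Publisher role type (values: ADMINISTER, PUBLISH, ACCESS).
Invoke-ArcGISAdmin 'security/roles/assignPrivilege' @{
    rolename = $RoleName; privilege = 'PUBLISH'; f = 'json'; token = $token
} | Out-Null

# 3. Allow that group to access every service under the site (root) folder.
#    Services in subfolders inherit this unless their own permissions remove it.
Invoke-ArcGISAdmin 'services/permissions/add' @{
    principal = $RoleName; isAllowed = 'true'; f = 'json'; token = $token
} | Out-Null

# Verify: read back the role type and the root-folder permission list.
$roleQ = [uri]::EscapeDataString($RoleName)
$priv  = Invoke-RestMethod "$Admin/security/roles/getPrivilege?rolename=$roleQ&f=json&token=$token"
$perms = Invoke-RestMethod "$Admin/services/permissions?f=json&token=$token"
"Role type for ${RoleName}: $($priv.privilege)"
"Principals with access to the root folder: $(($perms.permissions | ForEach-Object principal) -join ', ')"
```

The default certificate on port 6443 is self-signed, so Invoke-RestMethod will refuse it until you either install a certificate the client trusts (the right fix) or, in PowerShell 7, add -SkipCertificateCheck while testing. Granting the root folder to a group is the broadest possible grant; for anything beyond a test site, add permissions on the folders or services the group actually needs instead.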
Test access to secured services
To test your setup, identify a Windows domain user account that has access to the root (site) folder containing your services. Log in to Windows using this user account, open a web browser, and access your ArcGIS Server WSDL:
Similarly, you can also view the Services Directory to verify access to secured services:
To determine which Windows domain users have access to the root folder, do the following:
- Log in to Manager and click Services.
- Click the Lock button next to the site (root) folder and identify roles that have been given permission to access this folder. If no roles currently have access, grant access to at least one role by clicking Add Role.
- Click Security > Roles and click the Edit button for the role that has access to the root folder.
- View the list of users that are members of this role.
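A scripted version of the access test, as an added example that is not part of the Esri page. It makes the Services Directory request twice, once anonymously and once with the logged-on Windows identity, because a working setup must refuse the first and answer the second; checking only the successful case would not reveal that Anonymous authentication was left enabled. It assumes the web adaptor is reachable at https://webserver.example.com/arcgis (a placeholder) and that you run it while logged on to Windows as a domain user who is a member of a role with access to the root folder.

```powershell
# Added example (not from the Esri page): verify web-tier authentication end to end.
$Base = 'https://webserver.example.com/arcgis'   # assumption: your web adaptor URL

# 1. Anonymous request. With Anonymous authentication disabled in IIS this must
#    be refused with HTTP 401 before it ever reaches ArcGIS Server.
try {
    Invoke-WebRequest -Uri "$Base/rest/services?f=json" -UseBasicParsing | Out-Null
    throw 'Anonymous access succeeded: Anonymous authentication is still enabled in IIS'
} catch {
    # Windows PowerShell raises WebException, PowerShell 7 raises HttpResponseException;
    # both expose the response, and our own throw above has no Response and is re-raised.
    if (-not $_.Exception.Response) { throw }
    $code = [int]$_.Exception.Response.StatusCode
    if ($code -ne 401) { throw "Expected HTTP 401 for anonymous access, got $code" }
    "Anonymous access correctly refused (HTTP $code)"
}

# 2. The same request with the logged-on Windows identity (Kerberos or NTLM).
$resp = Invoke-RestMethod -Uri "$Base/rest/services?f=json" -UseDefaultCredentials
"Root folder contents visible to $env:USERDOMAIN\$env:USERNAME:"
$resp.folders  | ForEach-Object { "  $_/" }
$resp.services | ForEach-Object { "  $($_.name) ($($_.type))" }

# 3. Confirm the site is relying on web-tier authentication rather than tokens;
#    if tokens are reported, the Authentication Tier was not set to Web Tier.
$info = Invoke-RestMethod -Uri "$Base/rest/info?f=json" -UseDefaultCredentials
if ($info.authInfo.isTokenBasedSecurity) {
    Write-Warning 'rest/info reports token-based security; check the Authentication Tier setting'
}
```

Repeat the second request as a domain user who is not a member of any permitted role; it should also come back with an error, which confirms that IIS authenticating a user is not by itself enough to reach a service. The SOAP endpoint can be checked the same way by requesting the WSDL under $Base/services with -UseDefaultCredentials.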