You can configure web-tier authentication for your ArcGIS Server site using Integrated Windows Authentication. This requires users and roles to be managed in an Active Directory server. It can be a convenient approach when you want your users to take advantage of Windows domain accounts they already have on your network.
Note:
If your ArcGIS Server site is federated with a portal, you must secure access through the portal rather than using the steps in this topic. See Use Integrated Windows Authentication with your portal for details.
To use Integrated Windows Authentication, you must use ArcGIS Web Adaptor (IIS) deployed to Microsoft's IIS web server. You cannot use ArcGIS Web Adaptor (Java Platform) to perform Integrated Windows Authentication.
If your log-in settings deny log-in rights to the machine where Active Directory is hosted, you'll encounter an error when configuring security. It's not necessary to grant Log on locally group policy settings to the user. For more information, see Advanced considerations when using domain accounts.
To configure Integrated Windows Authentication with your server site, follow these steps:
- Configure ArcGIS Web Adaptor (IIS) to use Windows authentication.
- Configure ArcGIS Server to use Windows Active Directory users and roles.
- Review users and roles.
- Configure Administrator and Publisher privileges for Active Directory users.
- Set permissions for services.
- Test access to secured services.
Configure ArcGIS Web Adaptor (IIS) to use Windows authentication
Integrated Windows Authentication requires web-tier authentication, and this must be done with ArcGIS Web Adaptor (IIS).The web adaptor relies on IIS to authenticate the user and provide the web adaptor with the account name of the user. Once it has the account name, it passes that to ArcGIS Server.
- Install ArcGIS Web Adaptor (IIS), following the instructions in Installing ArcGIS Web Adaptor (IIS).
- Configure Web Adaptor, following the instructions in Configuring ArcGIS Web Adaptor after installation.
Note:
When configuring ArcGIS Web Adaptor, you must enable administration through the Web Adaptor. This allows users in Windows Active Directory to publish services from ArcMap. When the users in these roles connect to the server in ArcMap, they must specify the Web Adaptor URL.
- Set the authentication method for the web adaptor using IIS Manager.
- To open IIS Manager, click Start > Control Panel > Administrative Tools > Internet Information Services Manager.
- Under Sites, expand the left tree of IIS Manager. Expand Default Web Site to find the ArcGIS Web Adaptor (IIS) application. By default, ArcGIS Web Adaptor (IIS) is named arcgis.
- Edit the authentication property for the web adaptor. Deselect Anonymous authentication and select Windows Authentication.
- Close IIS Manager.
Configure ArcGIS Server security to use Windows Active Directory users and roles
To support Integrated Windows Authentication, configure ArcGIS Server to retrieve users and roles from a Windows Active Directory server.
- Open Manager and log in as the primary site administrator. You must use the primary site administrator account. If you need help with this step, see Log in to Manager.
- Click Security > Settings.
- Click the Edit button next to Configuration Settings.
- On the User and Role Management page, choose the Users and roles in an existing enterprise system (LDAP or Windows Domain) option and click Next.
- On the Enterprise Store Type page, choose the Windows Domain option and click Next.
- On the Windows Domain Credentials page, provide the credentials for an account that has permissions to determine the groups in which users reside. Click Next.
Note:
It is recommended that you specify an account with a password that does not expire. If this is not possible, you'll need to repeat the steps in this section each time the password is changed.
- On the Authentication Tier page, choose Web Tier.
- Review the summary of your selections. Click Finish to apply and save the security configuration.
Review users and roles
After configuring a Windows Active Directory domain as the user and role store, review the users and roles to make sure they were retrieved correctly. To add, edit, or delete users and roles, you need to use the tools available on the Active Directory server.
- In Manager, click Security > Users.
- Verify users have been retrieved as expected from the Windows domain server. If Active Directory has multiple domains, users from the domain that the GIS server machine belongs to are displayed. To view users from other domains, provide the search string [domain name]\ in the Find User field and click the Search button .
- Click Roles to review roles retrieved from the Windows domain server. If Active Directory has multiple domains, roles from the domain that the GIS server machine belongs to are displayed. To view roles from other domains, provide the search string [domain name]\ in the Find Role field and click the Search button .
- Verify the roles have been retrieved as expected.
Note:
At 10.3.1 and later versions, ArcGIS Web Adaptor (IIS) has properties to configure options related to Active Directory authentication. See Configure ArcGIS Web Adaptor memory cache options in the Web Adaptor (IIS) help for details.
Caching of users and roles
As of 10.5, users and roles from your Active Directory will be cached on the server after a request for users or roles. This optimizes the performance of your secure services. By default, the users and roles will be cached for 30 minutes. You can modify this time period by setting the minutesToCacheUsersAndRoles property to another value in the ArcGIS Server Administrator Directory under system properties. You can also disable caching by setting the property to zero.
Configure administrator and publisher privileges for Active Directory users
Out of the box, ArcGIS Server only allows the primary site administrator access to the server. If you'll be using Active Directory users to administer ArcGIS Server or publish services, you need to follow the steps below.
- In ArcGIS Server Manager, click the Security tab and open the Users page.
- Using the Find User tool, locate the user to whom you want to assign administrator or publisher privileges. Review the roles of which this user is a member and choose the role that will be assigned administrator or publisher privileges.
- Open the Roles page and use the Find Role tool to locate the role chosen in the previous step.
- Click the Edit button next to the role.
- For the Role Type parameter, choose either Publisher or Administrator.
- Click Save to apply your changes.
Set permissions for ArcGIS web services
Once you've configured your security settings and defined users and roles, you can set permissions for services to control who is allowed to access them.
ArcGIS Server controls access to services using a role-based access control model. In a role-based access control model, the permission to access a secured service is controlled by assigning roles to that service. To consume a secured service, a user must be a member of a role that has been assigned permissions to access it.
To change the permissions for a service, see Control access to your services.
Note:
When browsing ArcGIS Server Manager using Integrated Windows Authentication, the Sign Out link is no longer visible. This is because the user running the web browser is logged in automatically by the operating system. To run the browser as another user, you can use the Windows Run as command option. To do this, locate the program shortcut on the Start menu, hold down the Shift key, right-click the program, and choose Run as different user.
Test access to secured services
To test your setup, identify a Windows domain user account that has access to the root (site) folder containing your services. Log in to Windows using this user account, open a web browser, and access your ArcGIS Server WSDL:
https://webadaptorhost.domain.com/webadaptorname/services?wsdl
Similarly, you can also view the Services Directory to verify access to secured services:
https://webadaptorhost.domain.com/webadaptorname/rest/services
Note:
When browsing the Services Directory using Integrated Windows Authentication, the Logout link is no longer visible. This is because the user running the web browser is logged in automatically by the operating system. To run the browser as another user, you can use the Windows Run as command option. To do this, locate the program shortcut on the Start menu, hold down the Shift key, right-click the program, and choose Run as different user.
To determine which Windows domain users have access to the root folder, do the following:
- Log in to Manager and click Services.
- Click the Lock button next to the site (root) folder and identify roles that have been given permission to access this folder. If no roles currently have access, grant access to at least one role by clicking Add Role .
- Click Security > Roles and click the Edit button for the role that has access to the root folder.
- View the list of users who are members of this role.