Using Windows Active Directory and PKI to secure access—Portal for ArcGIS

When using Windows Active Directory to authenticate users, you can use a public key infrastructure (PKI) to secure access to your organization.

To use Integrated Windows Authentication and PKI, you must use ArcGIS Web Adaptor (IIS) deployed to Microsoft's IIS web server. You cannot use ArcGIS Web Adaptor (Java Platform) to perform Integrated Windows Authentication. If you haven't done so already, install and configure ArcGIS Web Adaptor (IIS) with your portal.

Configure your portal with Windows Active Directory

First, configure the portal to use SSL for all communication. Then update your portal's identity store to use Windows Active Directory users and groups.

Configure the organization to use HTTPS for all communication

Complete the following steps to configure the organization to use HTTPS:

Sign in to the organization website as an administrator.
The URL is in the format https://webadaptorhost.domain.com/webadaptorname/home.
Click Organization and click the Settings tab, and then click Security on the left side of the page.
Enable Allow access to the portal through HTTPS only.

Update your portal's identity store

Next, update your portal's identity store to use Active Directory users and groups.

Sign in to the ArcGIS Portal Directory as an Administrator of your organization.
The URL is in the format https://webadaptorhost.domain.com/webadaptorname/portaladmin.
Click Security > Config > Update Identity Store.
In the User store configuration (in JSON format) text box, paste your organization's Windows Active Directory user configuration information (in JSON format).
Alternatively, you can update the following sample with user information specific to your organization:
```
{
  "type": "WINDOWS",
  "properties": {
    "userPassword": "secret",
    "isPasswordEncrypted": "false",
    "user": "mydomain\\winaccount",
    "userFullnameAttribute": "cn",
    "userEmailAttribute": "mail",
    "userGivenNameAttribute": "givenName",
    "userSurnameAttribute": "sn",
    "caseSensitive": "false"
  }
}
```
In most cases, you'll only need to alter values for the userPassword and user parameters. Although you type the password in clear text, it will be encrypted when you click Update Configuration (below). The account you specify for the user parameter only needs permissions to look up the email address and full name of Windows accounts on the network. If possible, specify an account whose password does not expire.
In the rare case where your Windows Active Directory is configured to be case sensitive, set the caseSensitive parameter to true.
If you want to create groups in the portal that leverage the existing Active Directory groups in your identity store, paste your organization's Windows Active Directory group configuration information (in JSON format) in the Group store configuration (in JSON format) text box as shown below. If you only want to use the portal's built-in groups, delete any information in the text box and skip this step.
Alternatively, you can update the following sample with group information specific to your organization.
```
{
  "type": "WINDOWS",
  "properties": {
    "isPasswordEncrypted": "false",
    "userPassword": "secret",
    "user": "mydomain\\winaccount"
  }
}
```
In most cases, you'll only need to alter values for the userPassword and user parameters. Although you type the password in clear text, it will be encrypted when you click Update Configuration (below). The account you specify for the user parameter only needs permissions to look up the names of Windows groups on the network. If possible, specify an account whose password does not expire.
Click Update Configuration to save your changes.
If you've configured a highly available portal, restart each portal machine. See Stop and start the portal for full instructions.

Add organization-specific accounts

By default, organization-specific users can access the ArcGIS Enterprise organization. However, they can only view items that have been shared with everyone in the organization. This is because the organization-specific accounts have not been added and granted access privileges.

Add accounts to your organization using one of the following methods:

Individually or in bulk (one at a time, in bulk from a .csv file, or from existing Active Directory groups)
Command line utility
Automatically

It's recommended that you designate at least one organization-specific account as an Administrator of your portal. You can do this by choosing the Administrator role when adding the account. When you have an alternate portal administrator account, you can assign the initial administrator account to the User role or delete the account. See About the initial administrator account for more information.

Once the accounts have been added and you complete the steps below, users will be able to sign in to the organization and access content.

Install and enable Active Directory Client Certificate Mapping Authentication

Active Directory Client Certificate Mapping is not available in the default installation of IIS. You must install and enable the feature.

Install Client Certificate Mapping Authentication

The instructions for installing the feature vary according to your operating system.

Install with Windows Server 2016

Complete the following steps to install Client Certificate Mapping Authentication with Windows Server 2016:

Open Administrative Tools and click Server Manager.
In the Server Manager hierarchy pane, expand Roles and click Web Server (IIS).
Expand the Web Server and Security roles.
In the Security role section, select Client Certificate Mapping Authentication and click Next.
Click Next through the Select Features tab and click Install.

Install with Windows Server 2008/R2 and 2012/R2

Complete the following steps to install Client Certificate Mapping Authentication with Windows Server 2008/R2 and 2012/R2:

Open Administrative Tools and click Server Manager.
In the Server Manager hierarchy pane, expand Roles and click Web Server (IIS).
Scroll to the Role Services section and click Add Role Services.
On the Select Role Services page of the Add Role Services Wizard, select Client Certificate Mapping Authentication and click Next.
Click Install.

Install with Windows 7, 8, and 8.1

Complete the following steps to install Client Certificate Mapping Authentication with Windows 7, 8, and 8.1:

Open Control Panel and click Programs and Features > Turn Windows Features on or off.
Expand Internet Information Services > World Wide Web Services > Security and select Client Certificate Mapping Authentication.
Click OK.

Enable Active Directory Client Certificate Mapping Authentication

After you install Active Directory Client Certificate Mapping, enable the feature by following the steps below.

Start Internet Information Server (IIS) Manager.
In the Connections node, click the name of your web server.
Double-click Authentication in the Features View window.
Verify that Active Directory Client Certificate Authentication is displayed. If the feature is not displayed or unavailable, you may need to restart your web server to complete the installation of the Active Directory Client Certificate Authentication feature.
Double-click Active Directory Client Certificate Authentication and choose Enable in the Actions window.

A message displays indicating that SSL must be enabled to use Active Directory Client Certificate Authentication. You'll address this in the next section.

Configure ArcGIS Web Adaptor to require SSL and client certificates

Complete the following steps to configure ArcGIS Web Adaptor to require SSL and client certificates:

Start Internet Information Services (IIS) Manager.
Expand the Connections node and select your ArcGIS Web Adaptor site.
Double-click Authentication in the Features View window.
Disable all forms of authentication.
Select your ArcGIS Web Adaptor from the Connections list again.
Double-click SSL Settings.
Enable the Require SSL option, and choose the Require option under Client certificates.
Click Apply to save your changes.

Verify you can access the portal using Windows Active Directory and PKI

Complete the following steps to verify you can access the portal using Windows Active Directory and PKI:

Open the ArcGIS Enterprise portal.
The URL is in the format: https://organization.example.com/<context>/home.
Verify that you are prompted for your security credentials and can access the website.

Prevent users from creating their own built-in accounts

You can prevent users from creating their own built-in accounts by disabling the ability for users to create new built-in accounts in the organization settings.

Feedback on this topic?