Skip To Content

Using Windows Active Directory and PKI to secure access

When using Windows Active Directory to authenticate users, you can use a public key infrastructure (PKI) to secure access to your organization.

To use Integrated Windows Authentication and PKI, you must use ArcGIS Web Adaptor (IIS) deployed to Microsoft's IIS web server. You cannot use ArcGIS Web Adaptor (Java Platform) to perform Integrated Windows Authentication. If you haven't done so already, install and configure ArcGIS Web Adaptor (IIS) with your portal.

Configure your portal with Windows Active Directory

First, configure the portal to use SSL for all communication. Then update your portal's identity store to use Windows Active Directory users and groups.

Configure the organization to use HTTPS for all communication

Complete the following steps to configure the organization to use HTTPS:

  1. Sign in to the organization website as an administrator.

    The URL is in the format https://webadaptorhost.domain.com/webadaptorname/home.

  2. Click Organization and click the Settings tab, and then click Security on the left side of the page.
  3. Enable Allow access to the portal through HTTPS only.

Update your portal's identity store

Next, update your portal's identity store to use Active Directory users and groups.

  1. Sign in to the Portal Administrator Directory as an administrator of your organization.

    The URL is in the format https://webadaptorhost.domain.com/webadaptorname/portaladmin.

  2. Click Security > Config > Update Identity Store.
  3. In the User store configuration (in JSON format) text box, paste your organization's Windows Active Directory user configuration information (in JSON format).

    Alternatively, you can update the following sample with user information specific to your organization:

    {
      "type": "WINDOWS",
      "properties": {
        "userPassword": "secret",
        "isPasswordEncrypted": "false",
        "user": "mydomain\\winaccount",
        "userFullnameAttribute": "cn",
        "userEmailAttribute": "mail",
        "userGivenNameAttribute": "givenName",
        "userSurnameAttribute": "sn",
        "caseSensitive": "false"
      }
    }

    In most cases, you'll only need to alter values for the userPassword and user parameters. Although you type the password in clear text, it will be encrypted when you click Update Configuration (below). The account you specify for the user parameter only needs permissions to look up the email address and full name of Windows accounts on the network. If possible, specify an account whose password does not expire.

    In the rare case where your Windows Active Directory is configured to be case sensitive, set the caseSensitive parameter to true.

  4. To create groups in the portal that leverage the existing Active Directory groups in your identity store, paste your organization's Windows Active Directory group configuration information (in JSON format) in the Group store configuration (in JSON format) text box as shown below. To use the portal's built-in groups, delete any information in the text box and skip this step.

    Alternatively, you can update the following sample with group information specific to your organization.

    {
      "type": "WINDOWS",
      "properties": {
        "isPasswordEncrypted": "false",
        "userPassword": "secret",
        "user": "mydomain\\winaccount"
      }
    }

    In most cases, you'll only need to alter values for the userPassword and user parameters. Although you type the password in clear text, it will be encrypted when you click Update Configuration (below). The account you specify for the user parameter only needs permissions to look up the names of Windows groups on the network. If possible, specify an account whose password does not expire.

  5. Click Update Configuration to save your changes.
  6. If you've configured a highly available portal, restart each portal machine. See Stop and start the portal for full instructions.

Add organization-specific accounts

By default, organization-specific users can access the ArcGIS Enterprise organization. However, they can only view items that have been shared with everyone in the organization. This is because the organization-specific accounts have not been added and granted access privileges.

Add accounts to your organization using one of the following methods:

It's recommended that you designate at least one organization-specific account as an administrator of your portal. You can do this by choosing the Administrator role when adding the account. When you have an alternate portal administrator account, you can assign the initial administrator account to the User role or delete the account. See About the initial administrator account for more information.

Once the accounts have been added and you complete the steps below, users can sign in to the organization and access content.

Install and enable Active Directory Client Certificate Mapping Authentication

Active Directory Client Certificate Mapping is not available in the default installation of IIS. You must install and enable the feature.

Install with Windows Server 2016

Complete the following steps to install Client Certificate Mapping Authentication with Windows Server 2016:

  1. Open Administrative Tools and click Server Manager.
  2. In the Server Manager hierarchy pane, expand Roles and click Web Server (IIS).
  3. Expand the Web Server and Security roles.
  4. In the Security role section, select Client Certificate Mapping Authentication and click Next.
  5. Click Next through the Select Features tab and click Install.

Install with Windows Server 2019 or 2022

Complete the following steps to install Client Certificate Mapping Authentication with Windows Server 2019 or 2022:

  1. Open Administrative Tools and click Server Manager.
  2. In the Server Manager Dashboard, click Add roles and features.
  3. Accept the default settings and click Next on the Before You Begin, Installation Type, and Server Selection pages.
  4. On the Server Roles page, enable Web Server (IIS) and click Next.
  5. On the Features page, click Next.
  6. On the Web Server Role (IIS) page, click Next.
  7. On the Role Services page, expand the Security section.
  8. In the Security section, select IIS Client Certificate Mapping Authentication and click Next.
  9. On the Confirmation page, click Install.

Enable Active Directory Client Certificate Mapping Authentication

After you install Active Directory Client Certificate Mapping, complete the following steps to enable the feature:

  1. Start Internet Information Server (IIS) Manager.
  2. In the Connections node, click the name of your web server.
  3. Double-click Authentication in the Features View window.
  4. Verify that Active Directory Client Certificate Authentication is displayed. If the feature is not displayed or unavailable, you may need to restart your web server to complete the installation of the Active Directory Client Certificate Authentication feature.
  5. Double-click Active Directory Client Certificate Authentication and choose Enable in the Actions window.

A message appears indicating that SSL must be enabled to use Active Directory Client Certificate Authentication. You'll address this in the next section.

Configure ArcGIS Web Adaptor to require SSL and client certificates

Complete the following steps to configure ArcGIS Web Adaptor to require SSL and client certificates:

  1. Start Internet Information Services (IIS) Manager.
  2. Expand the Connections node and select your ArcGIS Web Adaptor site.
  3. Double-click Authentication in the Features View window.
  4. Disable all forms of authentication.
  5. Select your ArcGIS Web Adaptor from the Connections list again.
  6. Double-click SSL Settings.
  7. Enable the Require SSL option, and choose the Require option under Client certificates.
  8. Click Apply to save your changes.
Note:

For client certificate authentication (PKI) to work on Microsoft Windows Server 2022, TLS 1.3 must be disabled under the HTTPS site bindings.

Verify you can access the portal using Windows Active Directory and PKI

Complete the following steps to verify you can access the portal using Windows Active Directory and PKI:

  1. Open the portal.

    The URL is in the format: https://organization.example.com/<context>/home.

  2. Verify that you are prompted for your security credentials and can access the website.

Prevent users from creating their own built-in accounts

You can prevent users from creating their own built-in accounts by disabling the ability for users to create built-in accounts in the organization settings.