SASL authentication—Portal for ArcGIS | Documentation for ArcGIS Enterprise

Simple Authentication and Security Layer (SASL) is a framework for authentication and data security in internet protocols. As of 10.9, ArcGIS Enterprise supports using SASL as a means of authenticating with Windows Active Directory or other LDAP providers using the GSS/Kerberos v5 SASL mechanism.

Use case

The SASL GSS authentication is typically used when an organization's domain controller is configured to require signing for authentication with the LDAP server. This requirement only applies when connecting to the LDAP server over ports 389 or 3268 without encryption. If LDAPS is fully supported across all domain controllers, this signing requirement is not needed.

Domain controller setting for LDAP server signing requirements

Requirements

To configure SASL authentication with ArcGIS Enterprise, a few requirements must be met.

Kerberos configuration file

A Kerberos configuration file is required to provide Portal for ArcGIS with information about the Kerberos domain controller. This information must be saved in a text file, for example, krb5.conf. A copy of the text file must be stored in a location where the Portal for ArcGIS service account can access it. Examples of this include the portal installation folder or the portal content directory. The default location for the portal content directory is /arcgis/portal/usr.

This configuration file is standard for Kerberos and should include default configuration settings and information on one or more Kerberos domain controllers for each Kerberos realm. An example configuration file is shown below.

[libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    default_ccache_name = KEYRING:persistent:%{uid}
    dns_lookup_kdc = true
    default_realm = EXAMPLE.COM
    default_checksum = rsa-md5

[realms]

EXAMPLE.COM = {
    kdc = domaincontroller.example.com
    admin_server = domaincontroller.example.com
}

[domain_realm]
    example.com = EXAMPLE.COM
    .example.com = EXAMPLE.COM

New user and group store properties supported with Windows and LDAP identity store types

"saslAuthenticationScheme"—Defines the SASL authentication scheme used by Portal for ArcGIS to connect to domain controllers through LDAP. At 10.9, GSSAPI is the only supported SASL authentication scheme. Example: "saslAuthenticationScheme": "GSSAPI"
"krb5ConfigFilePath"—Defines the path to the Kerberos configuration text file described above. This must reside in a location with read access for the Portal for ArcGIS service account.
Example: "krb5ConfigFilePath": "/data/arcgis/krb5.conf"

Portal for ArcGIS identity store configurations

The SASL GSS authentication mechanism can be used with either Windows or LDAP identity store types and will work with both portal-tier and web-tier authentications. This also includes maintaining and refreshing Active Directory or LDAP group membership.

LDAP users and groups

When configuring Portal for ArcGIS to use LDAP users and groups with SASL authentication, the "saslAuthenticationScheme" and "krb5ConfigFilePath" properties both must be added and the format of the user name listed in the "user" property must be changed to username@realm. The ldapURLForUsers and ldapURLForRoles must contain the fully qualified domain name (FQDN) for the Kerberos domain controller. An IP address is not supported here. If portal-tier authentication will be used, the "usernameAttribute" should be set to "userPrincipalName" so that user names are in the correct format. Below is an example of both user and group store configurations with LDAP.

Sample user store configuration

{
  "type": "LDAP",
  "properties": {
    "ldapURLForUsers": "ldap://kdc1.example.com:389/OU=users,DC=example,DC=com",
    "saslAuthenticationScheme": "GSSAPI",
    "krb5ConfigFilePath": "/data/arcgis/krb5.conf",
    "user": "entuser@example.com",
    "userPassword": "encrypted_password",
    "isPasswordEncrypted": "true",
    "usernameAttribute": "sAMAccountName",
    "userGivenNameAttribute": "givenName",
    "userSurnameAttribute": "sn",
    "userEmailAttribute": "mail",
    "caseSensitive": "false”
  }
}

Sample group store configuration

{
  "type": "LDAP",
  "properties": {
    "ldapURLForUsers": "ldap://kdc1.example.com:389/OU=users,DC=example,DC=com",
    “ldapURLForRoles”: "ldap://kdc1.example.com:389/OU=groups,DC=example,DC=com",
    "saslAuthenticationScheme": "GSSAPI",
    "krb5ConfigFilePath": "/data/arcgis/krb5.conf",
    "user": "entuser@example.com",
    "userPassword": "encrypted_password",
    "isPasswordEncrypted": "true",
    "usernameAttribute": "sAMAccountName",
    "caseSensitive": "false”
  }
}

Other considerations

When signing in to portal with portal-tier authentication for LDAP users, the format of the user name must be username@realm, for example, testuser@example.com.

Kerberos domain controller setting

The domain controller setting for LDAP server channel binding token requirements cannot be set to Always due to Java limitations. For details, see JVM Bug 8245527. It must be set to either When supported or Never.

Feedback on this topic?