
Using Windows Active Directory and PKI to secure access to ArcGIS Server

When using Windows Active Directory to authenticate users, you can use a public key infrastructure (PKI) to secure access to ArcGIS Server.

To use Integrated Windows Authentication and PKI, you must use ArcGIS Web Adaptor (IIS) deployed to Microsoft's IIS web server. You cannot use ArcGIS Web Adaptor (Java Platform) to perform Integrated Windows Authentication. If you haven't done so already, install and configure ArcGIS Web Adaptor (IIS) with your ArcGIS Server site.

Note:

If you'll be adding your ArcGIS Server site to a portal and want to use Windows Active Directory and PKI with the server, you'll need to disable PKI-based client certificate authentication on your ArcGIS Server site and enable anonymous access before adding it to the portal. Although it may sound counterintuitive, this is necessary so that your site is free to federate with the portal and read the portal's users and roles. If your ArcGIS Server site is not already using PKI-based client certificate authentication, no action is required on your part. For instructions on how to add a server to your portal, see Federating an ArcGIS Server site with your portal.

Configure your server with Windows Active Directory

Configure ArcGIS Server security to use Windows Active Directory users and roles

To support Integrated Windows Authentication, configure ArcGIS Server to retrieve users and roles from a Windows Active Directory server.

  1. Open Manager and log in as the primary site administrator. You must use the primary site administrator account. If you need help with this step, see Logging in to Manager.
  2. Click Security > Settings.
  3. Click the Edit button next to Configuration Settings.
  4. On the User and Role Management page, choose the Users and roles in an existing enterprise system (LDAP or Windows Domain) option and click Next.
  5. On the Enterprise Store Type page, choose the Windows Domain option and click Next.
  6. On the Windows Domain Credentials page, provide the credentials for an account that has permissions to determine which groups users reside in. Click Next.
    Note:

    It is recommended that you specify an account with a password that does not expire. If this is not possible, you'll need to repeat the steps in this section each time the password of the account is changed.

  7. On the Authentication Tier page, choose Web Tier.
  8. Review the summary of your selections. Click Finish to apply and save the security configuration.
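After the wizard finishes, the saved configuration can be read back through the ArcGIS Server Administrator API. The script below is an added example, not Esri's code: it assumes the Administrator API is reachable on port 6443 of a host name you supply, and it assumes the store type and tier values reported as `WINDOWS` and `WEB_ADAPTOR`; the primary site administrator credentials are requested interactively.

```powershell
# Added example (not Esri's code): confirm that the security wizard saved a
# Windows Domain user/role store and the Web Tier authentication tier.
$adminUrl = 'https://gisserver.domain.com:6443/arcgis/admin'   # assumed host name
$cred = Get-Credential -Message 'Primary site administrator'

# Obtain a short-lived token from the Administrator API's generateToken endpoint.
$tokenResp = Invoke-RestMethod -Method Post -Uri "$adminUrl/generateToken" -Body @{
    username = $cred.UserName
    password = $cred.GetNetworkCredential().Password
    client   = 'requestip'
    f        = 'json'
}
if (-not $tokenResp.token) {
    throw "Token request failed: $($tokenResp | ConvertTo-Json -Compress)"
}

# Read security/config; with a GET request the -Body hashtable becomes the query string.
$config = Invoke-RestMethod -Uri "$adminUrl/security/config" -Body @{
    token = $tokenResp.token
    f     = 'json'
}

"User store : $($config.userStoreConfig.type)"
"Role store : $($config.roleStoreConfig.type)"
"Auth tier  : $($config.authenticationTier)"

# Assumed values: WINDOWS = Windows Domain store, WEB_ADAPTOR = Web Tier authentication.
$ok = $config.userStoreConfig.type -eq 'WINDOWS' -and
      $config.roleStoreConfig.type -eq 'WINDOWS' -and
      $config.authenticationTier  -eq 'WEB_ADAPTOR'
if ($ok) {
    'Security configuration matches the Windows Domain / Web Tier selections.'
} else {
    Write-Warning 'Security configuration differs from the expected Windows Domain / Web Tier settings.'
}
```

Port 6443 usually presents the server's self-signed certificate; if `Invoke-RestMethod` rejects it, install the CA-issued certificate on the server or import the self-signed one into the client's trusted store rather than disabling certificate validation.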

Review users and roles

After configuring a Windows Active Directory domain as the user and role store, review the users and roles to make sure they were retrieved correctly. To add, edit, or delete users and roles, you need to use the tools available on the Active Directory server.

  1. In Manager, click Security > Users.
  2. Verify users have been retrieved as expected from the Windows domain server. If Active Directory has multiple domains, users from the domain that the GIS server machine belongs to are displayed. To view users from other domains, provide the search string [domain name]\ in the Find User field and click the Search button.
  3. Click Roles to review roles retrieved from the Windows domain server. If Active Directory has multiple domains, roles from the domain that the GIS server machine belongs to are displayed. To view roles from other domains, provide the search string [domain name]\ in the Find Role field and click the Search button.
  4. Verify the roles have been retrieved as expected.

Configure administrator and publisher privileges for Active Directory users

Out of the box, ArcGIS Server only allows the primary site administrator access to the server. If you'll be using Active Directory users to administer ArcGIS Server or publish services, you need to follow the steps below.

  1. In ArcGIS Server Manager, click the Security tab and open the Users page.
  2. Using the Find User tool, locate the user to whom you want to assign administrator or publisher privileges. Review the roles that this user is a member of and choose the role that will be assigned administrator or publisher privileges.
  3. Open the Roles page and use the Find Role tool to locate the role chosen in the previous step.
  4. Click the Edit button next to the role.
  5. For the Role Type parameter, choose either Publisher or Administrator.
  6. Click Save to apply your changes.

Install and enable Active Directory Client Certificate Mapping Authentication

Active Directory Client Certificate Mapping is not available in the default installation of IIS. You must install and enable the feature.

Install Client Certificate Mapping Authentication

The instructions for installing the feature vary according to your operating system.

Windows Server 2008/R2 and 2012/R2

  1. Open Administrative Tools and click Server Manager.
  2. In the Server Manager hierarchy pane, expand Roles and click Web Server (IIS).
  3. Scroll to the Role Services section and click Add Role Services.
  4. On the Select Role Services page of the Add Role Services Wizard, select Client Certificate Mapping Authentication and click Next.
  5. Click Install.

Windows 7, 8, and 8.1

  1. Open Control Panel and click Programs and Features > Turn Windows Features on or off.
  2. Expand Internet Information Services > World Wide Web Services > Security and select Client Certificate Mapping Authentication.
  3. Click OK.

Enable Active Directory Client Certificate Mapping Authentication

After you install Active Directory Client Certificate Mapping, enable the feature by following the steps below.

  1. Start Internet Information Services (IIS) Manager.
  2. In the Connections node, click the name of your web server.
  3. Double-click Authentication in the Features View window.
  4. Verify that Active Directory Client Certificate Authentication is displayed. If the feature is not displayed or unavailable, you may need to restart your web server to complete the installation of the Active Directory Client Certificate Authentication feature.
  5. Double-click Active Directory Client Certificate Authentication and choose Enable in the Actions window.
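The installation and enablement steps above can also be scripted. The following is an added example, not Esri's code: it assumes an elevated PowerShell session on the IIS host, the `ServerManager` module on Windows Server (the Windows 7/8/8.1 branch uses the DISM optional-feature cmdlet instead), and the `WebAdministration` module for the IIS configuration change.

```powershell
# Added example (not Esri's code): install Client Certificate Mapping
# Authentication and enable Active Directory client certificate mapping
# for the whole IIS server. Run from an elevated PowerShell prompt.

# 1. Install the feature. Win32_OperatingSystem.ProductType: 1 = workstation,
#    2 = domain controller, 3 = member server.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ($os.ProductType -ne 1) {
    Import-Module ServerManager
    # Feature name for "Client Certificate Mapping Authentication" on Windows Server
    Install-WindowsFeature -Name Web-Client-Auth
} else {
    # Optional-feature name used by Windows 7/8/8.1 (Turn Windows features on or off)
    Enable-WindowsOptionalFeature -Online -FeatureName IIS-ClientCertificateMappingAuthentication
}

# 2. Enable the feature at the server level, the equivalent of selecting
#    Active Directory Client Certificate Authentication and clicking Enable.
Import-Module WebAdministration
$appHost = 'MACHINE/WEBROOT/APPHOST'
$filter  = 'system.webServer/security/authentication/clientCertificateMappingAuthentication'
Set-WebConfigurationProperty -PSPath $appHost -Filter $filter -Name enabled -Value $true

# 3. Read the value back. A missing or false value after installation usually
#    means IIS has not been restarted since the feature was added.
$state = Get-WebConfigurationProperty -PSPath $appHost -Filter $filter -Name enabled
if ($state.Value -eq $true) {
    'Active Directory Client Certificate Authentication is enabled.'
} else {
    Write-Warning 'Feature is not enabled yet. Restart IIS (iisreset) and run this script again.'
}
```

Enabling the feature here does not by itself require a certificate from anyone; that only happens once the Web Adaptor site's SSL Settings require one, which the next section configures.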

A message displays indicating that SSL must be enabled to use Active Directory Client Certificate Authentication. You'll address this in the next section.

Configure ArcGIS Web Adaptor to require SSL and client certificates

  1. Start Internet Information Services (IIS) Manager.
  2. Expand the Connections node and select your Web Adaptor site.
  3. Double-click Authentication in the Features View window.
  4. Disable all forms of authentication.
  5. Select your ArcGIS Web Adaptor from the Connections list again.
  6. Double-click SSL Settings.
  7. Enable the Require SSL option, and choose the Require option under Client certificates.
  8. Click Apply to save your changes.
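The same site-level settings, expressed as an added PowerShell example that is not Esri's code. It assumes the `WebAdministration` module, and that the Web Adaptor is the `arcgis` application under `Default Web Site`; change `$site` and `$app` to match your installation.

```powershell
# Added example (not Esri's code): turn off every IIS authentication method on
# the Web Adaptor application and require SSL plus a client certificate, so
# the only identity available to IIS is the certificate mapped by Active Directory.
Import-Module WebAdministration

$site     = 'Default Web Site'   # assumed IIS site hosting the Web Adaptor
$app      = 'arcgis'             # assumed Web Adaptor name
$location = "$site/$app"
$appHost  = 'MACHINE/WEBROOT/APPHOST'
$authBase = 'system.webServer/security/authentication'
$methods  = 'anonymousAuthentication', 'basicAuthentication',
            'digestAuthentication', 'windowsAuthentication'

# Step 4: disable all forms of authentication on the Web Adaptor application.
foreach ($method in $methods) {
    Set-WebConfigurationProperty -PSPath $appHost -Location $location `
        -Filter "$authBase/$method" -Name enabled -Value $false
}

# Step 7: Require SSL and *require* (not merely accept) a client certificate.
Set-WebConfigurationProperty -PSPath $appHost -Location $location `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl,SslRequireCert'

# Read everything back so a setting that did not apply is visible before testing.
$access  = Get-WebConfiguration -PSPath $appHost -Location $location -Filter 'system.webServer/security/access'
$stillOn = foreach ($method in $methods) {
    $v = Get-WebConfigurationProperty -PSPath $appHost -Location $location `
        -Filter "$authBase/$method" -Name enabled
    if ($v.Value -eq $true) { $method }
}

"sslFlags for ${location}: $($access.sslFlags)"
if ($stillOn) {
    Write-Warning "Authentication methods still enabled: $($stillOn -join ', ')"
} else {
    'All IIS authentication methods are disabled on the Web Adaptor application.'
}
```

`SslRequireCert` is what makes the client-certificate prompt mandatory; with `SslNegotiateCert` alone a browser that presents no certificate would still reach the site, which is not the configuration this page describes.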

Verify you can access the site using Windows Active Directory and PKI

  1. Open the services directory. The URL is in the format https://webadaptorhost.domain.com/webadaptorname/rest/services.
  2. Verify that you are prompted for your security credentials and can access the website.
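A scripted version of this check, as an added example that is not Esri's code: from a domain-joined client it requests the services directory once without a client certificate (IIS should answer 403, sub-status 403.7, "client certificate required") and once with a certificate from the current user's personal store. The URL follows the format above and the thumbprint is a placeholder to replace.

```powershell
# Added example (not Esri's code): confirm that the Web Adaptor enforces PKI.
$url        = 'https://webadaptorhost.domain.com/webadaptorname/rest/services?f=json'  # assumed
$thumbprint = 'REPLACE_WITH_CLIENT_CERTIFICATE_THUMBPRINT'                            # placeholder

function Test-ServicesDirectory {
    param(
        [string]$Uri,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    try {
        $params = @{ Uri = $Uri; UseBasicParsing = $true }
        if ($Cert) { $params.Certificate = $Cert }   # present the client certificate
        $response = Invoke-WebRequest @params
        return [int]$response.StatusCode
    } catch [System.Net.WebException] {
        # Non-2xx responses surface as WebException; report the status code IIS sent.
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}

$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $thumbprint in Cert:\CurrentUser\My" }

$withoutCert = Test-ServicesDirectory -Uri $url
$withCert    = Test-ServicesDirectory -Uri $url -Cert $cert

"No certificate  : HTTP $withoutCert (expected 403)"
"With certificate: HTTP $withCert (expected 200)"
if ($withoutCert -eq 403 -and $withCert -eq 200) {
    'Windows Active Directory and PKI access is enforced.'
} else {
    Write-Warning 'Unexpected result. Re-check SSL Settings and Authentication on the Web Adaptor site in IIS Manager.'
}
```

A 200 without a certificate means the Require option under Client certificates did not take effect on the Web Adaptor site; a 403 with a valid certificate usually means the certificate does not map to an Active Directory account (check the certificate's subject or UPN against the user object).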