
ArcGIS Server account

ArcGIS Server starts and stops processes, reads and writes data to locations on the file system, and communicates between machines. To do these things securely, it uses an operating system account that you specify when you install ArcGIS Server. This is known throughout the documentation as the ArcGIS Server account.

When the ArcGIS Server account is used

The ArcGIS Server account is used for the following purposes:

  • Start and stop processes that support ArcGIS Server and services.
  • Read the GIS data behind your services when the registered database uses operating system authentication.
  • Read and write files to the ArcGIS Server directories. For example, when you create a map cache, the ArcGIS Server account writes the cache tiles into your server cache directory.
  • Read and write files to the configuration store.
  • Read and write files to the ArcGIS Server installation location and system temp directory. For example, the account writes log files that you can use to troubleshoot the server.
  • Read and write log messages to the logs directory.
Note:

The ArcGIS Server account is not the same as the primary site administrator that you define when you create the ArcGIS Server site. For more information, see Secure your ArcGIS Server site.

Which account to designate as the ArcGIS Server account

The ArcGIS Server account defaults to the name arcgis. Accepting this default is sufficient for most nonproduction deployments; however, for production systems, it is recommended that you create a domain or Active Directory account prior to installing ArcGIS Server. If your organization's security policy requires passwords to expire, you must run the Configure service account utility to update the expired password.

You can specify a local account or a domain account. When you install ArcGIS Server on the first machine in your site, you can export the setup configuration file and use it when you install ArcGIS Server on the other machines in the site. That way, the ArcGIS Server account is guaranteed to be configured identically on every machine in your site.

Domain account

A domain account allows you to access data on remote systems. A domain account is also preferable for security purposes because the account is centrally managed.

When specifying a domain account, use the format DOMAIN\username. If you do not specify the domain, the ArcGIS Server installation wizard creates a local account with the username you specified. If you specify a domain account that does not exist, the installation returns an error.

If a Group Policy setting denies the account the right to log on to the machine where ArcGIS Server is installed, the installation returns an error. The ArcGIS Server service runs under this account, so the account must be allowed to log on as a service; it is not necessary to grant it the Log on locally right. For more information, see Advanced considerations when using domain accounts.

Local account

If you choose a local account, an account with the same username and the same password must exist on every machine in the ArcGIS Server site. You can create the local account with the same password on each machine before installing ArcGIS Server, or you can allow the ArcGIS Server installation wizard to create it, but be sure to use the same username and password on every machine in the site.

If you created a local account as part of the installation, the password you specify for the account must adhere to your operating system's local security policy. If the password does not meet the minimum strength requirements of your operating system, the installation returns an error.

To determine the password requirements on your local machine, open the Local Security Policy console. See the Microsoft Windows documentation for information on how to access your Local Security Policy.

Group managed service account

A group managed service account (gMSA) is a special Active Directory domain account that provides automatic password management. The account cannot be used for interactive logins and is restricted for use on only a predefined group of servers.

Using a gMSA is especially advantageous when a service account governs software on multiple machines, such as in a multiple-machine ArcGIS Server site. Because the gMSA works at the domain level, it can regularly change the service account password on each machine with no manual steps required.

The configureserviceaccount utility, which is described below, can be used to configure the ArcGIS Server service to run under a gMSA. For the username parameter, the group managed service account can be specified either with or without the $ symbol at the end. The password parameter is not needed. The readconfig and writeconfig parameters both function the same with a group managed service account.

A sample command to configure a gMSA as the ArcGIS Server account:

configureserviceaccount.bat --username mydomain\enterprise-gmsa$ --writeconfig c:\temp\domainaccountconfig.xml

Using the Windows native Local System account to run the ArcGIS Server service

It is not recommended that you use the Windows native Local System account to run the ArcGIS Server service for the following reasons:

  • The Windows LocalSystem account is highly privileged: it has full control of the local machine, so a compromise of any ArcGIS Server process running under it compromises the whole machine. For details, see The LocalSystem Account in the Microsoft Development Center.
  • The LocalSystem account is not intended for accessing network locations. To access your service and site data using the LocalSystem account, you must store the data locally.
  • In a site with multiple machines, you cannot use LocalSystem as the ArcGIS Server account.

Permissions to grant to the ArcGIS Server account

The ArcGIS Server installation grants permissions to the ArcGIS Server account to perform basic functions such as starting and stopping server processes. It also gives the account read permissions to all folders in the ArcGIS Server installation directory and full control permissions to the following folders:

  • <ArcGIS Server installation directory>\bin
  • <ArcGIS Server installation directory>\DatabaseSupport
  • <ArcGIS Server installation directory>\framework
  • <ArcGIS Server installation directory>\usr

Before you create your site, you must grant the ArcGIS Server account the following permissions:

  • Full control permissions to the location where your server directories will be created. Keep in mind that you must grant the ArcGIS Server account read and write permissions to any new server directories that you create after configuring your site.
  • Full control permissions to the location where your configuration store will be created.
  • Full control permissions to the directory that will contain ArcGIS Server logs and permission to create this folder if you have not already manually created it. This directory is C:\arcgisserver\logs by default.
  • Read permissions to the directories containing the database connection files that you register with the ArcGIS Server site before publishing web services. If you use Windows authentication instead of database authentication, you must also grant the ArcGIS Server account write access.
  • Read permissions to the GIS data folders that you'll register with the ArcGIS Server site before publishing web services. If you allow the publishing process to copy your data to the server (see Copy data to the server automatically when publishing), the data is placed in your server directories where the ArcGIS Server account was already granted permissions. You do not have to apply any more permissions to your original server directories.

When you create your site, the ArcGIS Server account is given permissions to read and write to the ArcGIS Server logs directory. If you create a new log location, you must manually grant the ArcGIS Server account read and write permissions to it.

The ArcGIS Server account does not need to be in the Windows Administrators group on any machine in your site.
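The following PowerShell script is an added example, not code from Esri's documentation or software. It applies the permissions listed above on one machine and then audits the result: full control on the server directories, configuration store and logs, read-only access on registered data, and a check that the account is not a local Administrator, holds the Log on as a service right that any service RunAs account needs, and cannot write to source data. The account name and all paths except the page's default log directory C:\arcgisserver\logs are placeholders. The audit needs an elevated prompt because it exports the local security policy with secedit.

```powershell
# Added example, not Esri's code. Grants the ArcGIS Server account the
# permissions this page lists and then audits them on one machine.
# Assumptions (placeholders): the account name and every path except the
# default log directory C:\arcgisserver\logs.
$Account     = 'MYDOMAIN\arcgis-svc'
$FullControl = @('C:\arcgisserver\directories',   # server directories
                 'C:\arcgisserver\config-store',  # configuration store
                 'C:\arcgisserver\logs')          # ArcGIS Server logs (page default)
$ReadOnly    = @('D:\gisdata', 'D:\sde-connections')  # registered data and connection files

function Grant-ArcGISAccountPermissions {
    param([string]$Account, [string[]]$FullControlPaths, [string[]]$ReadOnlyPaths)
    foreach ($p in $FullControlPaths) {
        if (-not (Test-Path -LiteralPath $p)) { New-Item -ItemType Directory -Path $p | Out-Null }
        # (OI)(CI)F: full control, inherited by files and subfolders created later
        icacls $p /grant "${Account}:(OI)(CI)F" /T /Q | Out-Null
    }
    foreach ($p in $ReadOnlyPaths) {
        # (OI)(CI)RX: read and traverse only. Source data must stay read-only;
        # connection files need write access only when Windows authentication
        # is used. /T is omitted so large data shares are not rewritten.
        icacls $p /grant "${Account}:(OI)(CI)RX" /Q | Out-Null
    }
}

function Test-ArcGISAccountLeastPrivilege {
    # Returns a list of findings; empty when everything matches the guidance above.
    param([string]$Account, [string[]]$ReadOnlyPaths)
    $findings = @()
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value

    # 1. Not a member of the local Administrators group (SIDs are compared so
    #    'arcgis' and 'HOST\arcgis' are treated as the same principal)
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    if ($admins | Where-Object { $_.SID.Value -eq $sid }) {
        $findings += "$Account is a member of local Administrators"
    }

    # 2. Holds 'Log on as a service' (SeServiceLogonRight). The exported policy
    #    lists SIDs prefixed with '*'; only a direct grant is detected here,
    #    a grant inherited through group membership is not expanded.
    $inf = Join-Path $env:TEMP 'arcgis-secpol.inf'
    secedit /export /cfg $inf /quiet | Out-Null
    $right = Get-Content $inf | Where-Object { $_ -like 'SeServiceLogonRight*' }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not ($right -and ($right -like "*$sid*"))) {
        $findings += "$Account does not hold SeServiceLogonRight directly"
    }

    # 3. No Allow ACE with write bits on registered data folders
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]::Write
    foreach ($p in $ReadOnlyPaths) {
        $acl = Get-Acl -LiteralPath $p
        $bad = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $sid -and
            (([int]$_.FileSystemRights) -band $writeBits) -ne 0
        }
        if ($bad) { $findings += "$Account can write to $p" }
    }
    return ,$findings
}

Grant-ArcGISAccountPermissions -Account $Account -FullControlPaths $FullControl -ReadOnlyPaths $ReadOnly
$findings = Test-ArcGISAccountLeastPrivilege -Account $Account -ReadOnlyPaths $ReadOnly
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { "ArcGIS Server account permissions on $env:COMPUTERNAME match the guidance" }
```

Run it on every machine in the site, and rerun the audit after any change of the ArcGIS Server account, since the new account starts without any of these grants.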

Change the ArcGIS Server account

You don't need to rerun the ArcGIS Server installation to change the ArcGIS Server account. After you install, you can change the account by running the Configure service account utility, which is included with the software. For example, you can do this to respond to a change in security policy or when troubleshooting your server.

The utility is designed to change the RunAs account assigned to the ArcGIS Server service and give the account read permissions to all folders in the ArcGIS Server installation directory, as well as full control permissions to the following folders:

  • <ArcGIS Server installation directory>\bin
  • <ArcGIS Server installation directory>\DatabaseSupport
  • <ArcGIS Server installation directory>\framework
  • <ArcGIS Server installation directory>\usr

After using the configureserviceaccount utility to change the account under which the ArcGIS Server service runs, use operating system tools to grant the new account the following permissions on the locations ArcGIS Server uses:

  • Full control permissions on all server directories, the configuration store directory, and the ArcGIS Server log directory. Use ArcGIS Server Manager or the ArcGIS Server Administrator Directory to locate these directories.
  • Read permissions to the directories containing the database connection files that you register with the ArcGIS Server site when publishing web services. If you use Windows authentication instead of database authentication, you must also grant the ArcGIS Server account write access.
  • Read permissions to the GIS data folders that you register with the ArcGIS Server site before publishing web services. If you allow the publishing process to copy your data to the server, the data is placed in your server directories where the ArcGIS Server account was granted permissions, and you do not have to apply any more permissions to your original server directories.

The configureserviceaccount utility is installed in the following directory: <ArcGIS Server installation directory>\tools\ConfigUtility. This tool sets the new account to run the ArcGIS Server service and grants the required privileges on the ArcGIS Server installation directory locations used by the service.

In the following example, the configureserviceaccount utility sets a domain account to run the ArcGIS Server service, grants the account the privileges required on the ArcGIS Server installation directory folders and files, and writes a configuration file with the Windows account information to disk. Because that file contains account information, restrict its permissions to administrators. Note also that a password passed on the command line is visible in console history and to anyone who can list running processes; a gMSA, which needs no password parameter, or a configuration file saved from an earlier run and passed with --readconfig keeps the secret off the command line.

Note:

The configureserviceaccount utility must be run from a command prompt window opened using the Run as administrator option.

configureserviceaccount.bat --username mydomain\username --password difficultpsswd --writeconfig c:\temp\domainaccountconfig.xml
Note:

Changing the account under which the service runs will cause the service to restart.

The configureserviceaccount utility has the following parameters:

configureserviceaccount [--username username] [--password password] [--readconfig user-configuration-file] [--writeconfig user-configuration-file]

  • username— The name used for the ArcGIS Server account
  • password— The password used for the ArcGIS Server account
  • readconfig— An optional path to a configuration file that you have saved from a previous run of the utility
  • writeconfig— An optional path where a configuration file will be saved that will allow you to apply the same properties in future runs of the utility
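The following PowerShell script is an added example, not code from Esri's documentation or software; it covers the gMSA section above and this account-change procedure in one place. It first confirms that this host is allowed to retrieve the gMSA's managed password (Test-ADServiceAccount from the RSAT ActiveDirectory module), then runs configureserviceaccount.bat from an elevated prompt with no --password, locks down the configuration file the --writeconfig parameter produces, and finally waits for the restarted service and verifies from the service control manager which account it actually runs under. The gMSA name, installation directory and configuration file path are placeholders, and the Windows service name 'ArcGIS Server' is an assumption.

```powershell
# Added example, not Esri's code. Moves the ArcGIS Server service to a gMSA
# with configureserviceaccount and verifies the result.
# Assumptions (placeholders): the gMSA name, the install directory, the
# configuration file path, and that the Windows service is named 'ArcGIS Server'.
$Gmsa        = 'MYDOMAIN\enterprise-gmsa$'
$InstallDir  = 'C:\Program Files\ArcGIS\Server'
$ConfigFile  = 'C:\ProgramData\Esri\arcgis-svcacct.xml'
$ServiceName = 'ArcGIS Server'

function Test-GmsaRetrievable {
    # True only when this host may retrieve the managed password, i.e. it is
    # covered by the gMSA's PrincipalsAllowedToRetrieveManagedPassword.
    # Requires the RSAT ActiveDirectory module on this machine.
    param([string]$Account)
    Import-Module ActiveDirectory -ErrorAction Stop
    $sam = ($Account -split '\\')[-1].TrimEnd('$')
    return [bool](Test-ADServiceAccount -Identity $sam)
}

function Set-ArcGISServiceAccount {
    param([string]$Account, [string]$ConfigFile)
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'configureserviceaccount must be run from an elevated (Run as administrator) prompt'
    }
    $tool = Join-Path $InstallDir 'tools\ConfigUtility\configureserviceaccount.bat'
    # A gMSA needs no --password, so no secret lands in shell history or a process listing
    & $tool --username $Account --writeconfig $ConfigFile
    # The written file carries account information: keep it to Administrators and SYSTEM
    icacls $ConfigFile /inheritance:r /grant 'Administrators:F' 'SYSTEM:F' /Q | Out-Null
}

function Wait-ArcGISServiceRunAs {
    # The account change restarts the service; poll until it is running again
    # and report the account the service control manager actually uses.
    param([string]$ServiceName, [string]$Expected, [int]$TimeoutSec = 120)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
        if (-not $svc) { throw "service '$ServiceName' not found on $env:COMPUTERNAME" }
        if ($svc.State -eq 'Running') { break }
        Start-Sleep -Seconds 5
    } while ((Get-Date) -lt $deadline)
    # StartName of a gMSA appears with the trailing '$'; compare without it
    $ok = ($svc.StartName.TrimEnd('$') -eq $Expected.TrimEnd('$')) -and ($svc.State -eq 'Running')
    return [pscustomobject]@{ RunAs = $svc.StartName; State = $svc.State; Ok = $ok }
}

if (-not (Test-GmsaRetrievable -Account $Gmsa)) {
    throw "$Gmsa cannot be retrieved on $env:COMPUTERNAME; add this host to PrincipalsAllowedToRetrieveManagedPassword"
}
Set-ArcGISServiceAccount -Account $Gmsa -ConfigFile $ConfigFile
$result = Wait-ArcGISServiceRunAs -ServiceName $ServiceName -Expected $Gmsa
if (-not $result.Ok) { throw "ArcGIS Server runs as '$($result.RunAs)' in state $($result.State)" }
"ArcGIS Server runs as $($result.RunAs) on $env:COMPUTERNAME"
```

On the other machines in the site, copy the file written by --writeconfig and pass it with --readconfig instead of repeating the --username parameter, and re-apply the directory permissions listed above, since the utility only grants rights inside the installation directory.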

Specifying the locale of the ArcGIS Server account

The locale of the ArcGIS Server account is set to the locale of the Windows account specified during the installation. If no account is specified and the default is used (arcgis), the locale of the account is determined by your operating system settings. The locale is important, since all messages generated by ArcGIS Server, such as logs, are displayed in the locale of the ArcGIS Server account. To display the messages in a different language or format, change the display language for the ArcGIS Server account for each machine in your ArcGIS Server site. See the Microsoft documentation for specific instructions for the operating system version you are using.