Skip To Content

Web-tier authentication

ArcGIS Server sites that are not federated with an ArcGIS Enterprise portal can be configured to have an external identity store manage users and roles. Web-tier authentication allows you to integrate your ArcGIS Server log-in experience and user management with your organization's external identity store.

You can either have your external identity store manage both users and roles in your ArcGIS Server site or have the external store only manage users, while the built-in ArcGIS Server identity store manages roles. You cannot have an external store only manage roles while the built-in store manages users.


In versions earlier than 10.8, ArcGIS Server administrators could configure custom identity stores using ASP.Net or Java. This capability has been deprecated.

Lightweight Directory Access Protocol (LDAP) directories

ArcGIS Server can use user and role information stored in an LDAP directory such as Apache Directory Server or OpenLDAP. ArcGIS Server treats the LDAP directory as a read-only source of user and role information, meaning that when an LDAP directory is configured, you cannot use ArcGIS Server Manager to add or delete users and roles or edit their attributes. If you only have an LDAP directory configured to manage users, you can use Server Manager to manage roles.

To use LDAP, you must deploy your Web Adaptor to a Javaapplication server such as Apache Tomcat, IBM WebSphere, or Oracle WebLogic. You cannot use ArcGIS Web Adaptor (IIS) to perform web-tier authentication with LDAP.

See Configure web-tier authentication with an LDAP directory for complete steps.

Public key infrastructure

If your organization has public key infrastructure (PKI)-based client certificate authentication, you can use certificates to authenticate communication with your server using the Secure Sockets Layer (SSL) protocol. When authenticating users, you can use Windows Active Directory or LDAP. To use Windows authentication, your Web Adaptor must be deployed to Microsoft Internet Information Server (IIS). To use LDAP, your Web Adaptor must be deployed to a Java application server such as Apache Tomcat, IBM WebSphere, or Oracle WebLogic. You cannot enable anonymous access to your site when using client certificate authentication.


When configuring the ArcGIS Web Adaptor, you must enable administration through ArcGIS Web Adaptor. This allows users in your organization-specific identity store to publish services from ArcGIS Pro. When the users connect to the server in ArcGIS Pro, they must specify the Web Adaptor URL.