ArcGIS Server sites that are not federated with an ArcGIS Enterprise portal can be configured to have an external identity store manage users and roles. Web-tier authentication allows you to integrate your ArcGIS Server log-in experience and user management with your organization's external identity store.
You can either choose to have your external identity store manage both users and roles in your ArcGIS Server site, or have the external store only manage users while the built-in ArcGIS Serveridentity store manages roles. You cannot have an external store only manage roles while the built-in store manages users.
In versions earlier than 10.8, ArcGIS Server administrators could configure custom identity stores using ASP.Net or Java. This capability has been deprecated.
Lightweight Directory Access Protocol (LDAP) directories
ArcGIS Server can leverage user and role information stored in an LDAP directory such as Apache Directory Server or OpenLDAP. ArcGIS Server treats the LDAP directory as a read-only source of user and role information, meaning that when an LDAP directory is configured, you cannot use ArcGIS Server Manager to add or delete users and roles or edit their attributes. If you only have your LDAP directory configured to manage users, you can use ArcGIS Server Manager to manage roles.
To use LDAP, you must deploy your Web Adaptor to a Java application server such as Apache Tomcat, IBM WebSphere, or Oracle WebLogic. You cannot use the IIS version of ArcGIS Web Adaptor to perform web-tier authentication with LDAP.
See Configure web-tier authentication with an LDAP directory for complete steps.
Public key infrastructure
If your organization has PKI, you can use certificates to authenticate communication with your server using the Secure Sockets Layer (SSL) protocol. When authenticating users, you have the option to use Windows Active Directory or Lightweight Directory Access Protocol (LDAP). To use Windows authentication, your Web Adaptor must be deployed to Microsoft's IIS web server. To use LDAP, your Web Adaptor must be deployed to a Java application server such as Apache Tomcat, IBM WebSphere, or Oracle WebLogic. It is not possible to enable anonymous access to your site when using PKI.
When configuring the Web Adaptor, you must enable administration through the Web Adaptor. This allows users in your organization-specific identity store to publish services from ArcMap. When the users in these roles connect to the server in ArcMap, they must specify the Web Adaptor URL.