Securing web services with Integrated Windows Authentication

This tutorial demonstrates how to secure ArcGIS web services using Integrated Windows Authentication. Integrated Windows Authentication requires users and roles to be managed in a Microsoft Windows Active Directory server. It can be a convenient approach when you want your GIS users to take advantage of the accounts they already have on your network.

You can use Integrated Windows Authentication when users have Windows domain accounts and access the services through a local network.

If your logon settings deny login rights on the machine where Active Directory is hosted, you will encounter an error when configuring security. It is not necessary to grant the Log on locally group policy setting to the user. For more information, see Advanced considerations when using domain accounts.

Note:

Integrated Windows Authentication is not supported over the Internet and requires the installation and configuration of the ArcGIS Web Adaptor (IIS). The Web Adaptor performs authentication, while ArcGIS Server authorizes access to the web services.

To secure ArcGIS web services using Integrated Windows Authentication, follow these steps:

  1. Configure the ArcGIS Web Adaptor (IIS) to use Windows authentication.
  2. Configure ArcGIS Server to use Windows Active Directory users and roles.
  3. Review users and roles.
  4. Configure Administrator and Publisher privileges for Active Directory users.
  5. Set permissions for services.
  6. Test access to secured services.

Configuring the ArcGIS Web Adaptor (IIS) to use Windows authentication

After configuring your services to use users and roles in a Windows Active Directory server, you need to install and configure the ArcGIS Web Adaptor (IIS) and configure IIS to use Windows authentication as the authentication method.

Steps:
  1. Install the Web Adaptor, following the instructions in Installing the ArcGIS Web Adaptor (IIS).
  2. Configure the Web Adaptor, following the instructions in Configuring the ArcGIS Web Adaptor after installation.
  3. Set the authentication method for the Web Adaptor using IIS Manager.
    1. To open IIS Manager, click Start > Control Panel > Administrative Tools > Internet Information Services Manager.
    2. In the left-hand tree of IIS Manager, expand Sites, then expand Default Web Site to find the ArcGIS Web Adaptor (IIS) application. By default, the ArcGIS Web Adaptor (IIS) is named arcgis.
    3. Edit the authentication property for the Web Adaptor. Deselect Anonymous authentication and select Windows Authentication.
    4. Close IIS Manager.
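The same change as step 3, applied from an elevated PowerShell prompt on the Web Adaptor machine, as an added example that is not part of the original tutorial or Esri's own tooling. It assumes the default site name and the default Web Adaptor name (arcgis), and finishes with a check that anonymous access is actually off.

```powershell
# Added example (not from the original tutorial): configure the Web Adaptor
# application for Windows Authentication with the WebAdministration module.
Import-Module WebAdministration

$siteName = 'Default Web Site'   # assumption: Web Adaptor installed under the default site
$appName  = 'arcgis'             # default ArcGIS Web Adaptor (IIS) name
$location = "$siteName/$appName"
$authPath = '/system.webServer/security/authentication'

# The authentication sections are locked at the server level, so write them as a
# <location> entry in applicationHost.config (PSPath IIS:\ plus -Location), which is
# what IIS Manager does; writing them to the application's web.config would be rejected.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter "$authPath/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter "$authPath/windowsAuthentication" -Name enabled -Value $true

# Verify the result: anonymous must be off and Windows Authentication on, otherwise
# the Web Adaptor would still forward unauthenticated requests to ArcGIS Server.
$anon = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter "$authPath/anonymousAuthentication" -Name enabled).Value
$win  = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
    -Filter "$authPath/windowsAuthentication" -Name enabled).Value

"$location : anonymousAuthentication=$anon windowsAuthentication=$win"
if ($anon -eq $true -or $win -ne $true) {
    throw "Authentication for $location is not set up for Integrated Windows Authentication."
}
```

After this runs, the Authentication feature for the arcgis application in IIS Manager should show Anonymous Authentication disabled and Windows Authentication enabled, matching step 3.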

Configuring ArcGIS Server security to use Windows Active Directory users and roles

To support Integrated Windows Authentication, configure ArcGIS Server to retrieve users and roles from a Windows Active Directory server:

Steps:
  1. Open Manager and log in as the primary site administrator or a user with administrative access. If you need help with this step, see Logging in to Manager.
  2. Click Security > Settings.
  3. Click the Edit button next to Configuration Settings.
  4. On the User and Role Management page, choose the Users and roles in an existing enterprise system (LDAP or Windows Domain) option and click Next.
  5. On the Enterprise Store Type page, choose the Windows Domain option and click Next.
  6. On the Windows Domain Credentials page, enter the credentials for an account that has permissions to determine which groups users reside in. Click Next.
    Note:

    It is recommended that you specify an account with a password that does not expire. If this is not possible, you'll need to repeat the steps in this section each time the password of the account is changed.

  7. On the Authentication Tier page, choose Web Tier.
  8. Review the summary of your selections. Click Finish to apply and save the security configuration.

Reviewing users and roles

After configuring a Windows Active Directory domain as the user and role store, review the users and roles to make sure they were retrieved correctly. To add, edit, or delete users and roles, you need to use the tools available on the Active Directory server.

Steps:
  1. In Manager, click Security > Users.
  2. Verify users have been retrieved as expected from the Windows domain server. If Active Directory has multiple domains, users from the domain that the GIS server machine belongs to are displayed. To view users from other domains, enter the search string [domain name]\ in the Find User field and click the Search button.
  3. Click Roles to review roles retrieved from the Windows domain server. If Active Directory has multiple domains, roles from the domain that the GIS server machine belongs to are displayed. To view roles from other domains, enter the search string [domain name]\ in the Find Role field and click the Search button.
  4. Verify the roles have been retrieved as expected.

Configure administrator and publisher privileges for Active Directory users

Out of the box, ArcGIS Server only allows the primary site administrator access to the server. If you will be using Active Directory users to administer ArcGIS Server or publish services, you will need to follow the steps below.

Steps:
  1. In ArcGIS Server Manager, click the Security tab and open the Users page.
  2. Using the Find User tool, locate the user to whom you want to assign administrator or publisher privileges. Review the roles that this user is a member of and choose the role that will be assigned administrator or publisher privileges.
  3. Open the Roles page and use the Find Role tool to locate the role chosen in the previous step.
  4. Click the Edit button next to the role.
  5. For the Role Type parameter, choose either Publisher or Administrator.
  6. Click Save to apply your changes.

Setting permissions for ArcGIS web services

Once you have configured your security settings and defined users and roles, you can set permissions for services to control who is allowed to access them.

ArcGIS Server controls access to the GIS web services hosted on your server using a role-based access control model. In a role-based access control model, the permission to access a secured service is controlled by assigning roles to that service. To consume a secured service, a user must be a member of a role that has been assigned permissions to access it.

Permissions may be assigned to an individual web service or to the parent folder containing a group of services. If you assign permissions to a folder, any service contained within inherits the folder's permissions. For example, if you grant a role access to the site (root) folder, users belonging to that role will be granted access to all the services hosted on that site. Also, to override permissions automatically inherited by a service from its parent folder, you can edit the service and explicitly remove the permissions that were inherited.

To set permissions for a service, see Editing permissions in Manager.

Note:

When browsing ArcGIS Server Manager using Integrated Windows Authentication, the Sign Out link is no longer visible. This is because the user running the web browser is logged in automatically by the operating system. To run the browser as another user, you can use the Windows Run as command option. To do this, locate the program shortcut on the Start menu, hold down the Shift key, right click the program, and select Run as different user.

Testing access to secured services

To test your setup, identify a Windows domain user account that has access to the root (site) folder containing your services. Log in to Windows using this user account, open a web browser, and access your ArcGIS Server WSDL:

http://webadaptor.domain.com/arcgis/services?wsdl

Similarly, you may also view the Services Directory to verify access to secured services:

http://webadaptor.domain.com/arcgis/rest/services
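A scripted version of this test, added here as an example that is not part of the original tutorial: run it while logged in to Windows as the domain user you identified, with the placeholder host from the tutorial replaced by your Web Adaptor's name. It checks both that an anonymous request is refused (the Web Adaptor is doing its job) and that the logged-on user's Windows credentials are accepted.

```powershell
# Added example (not from the original tutorial): verify that the Web Adaptor
# enforces Integrated Windows Authentication on the Services Directory.
$base = 'http://webadaptor.domain.com/arcgis'   # placeholder host from the tutorial

function Get-StatusCode {
    param([string]$Uri, [switch]$UseDefaultCredentials)
    try {
        $resp = Invoke-WebRequest -Uri $Uri -UseBasicParsing `
            -UseDefaultCredentials:$UseDefaultCredentials
        return [int]$resp.StatusCode
    } catch {
        # Invoke-WebRequest throws on 4xx/5xx; read the status from the response
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}

# 1. With no credentials the Web Adaptor must refuse the request (HTTP 401),
#    which shows Anonymous authentication is disabled in IIS.
$anon = Get-StatusCode -Uri "$base/rest/services"

# 2. With the logged-on user's Windows credentials (Negotiate/NTLM) the
#    Services Directory should load (HTTP 200), because that user belongs to a
#    role that has been granted permission on the root folder.
$auth = Get-StatusCode -Uri "$base/rest/services" -UseDefaultCredentials

"Anonymous request:             HTTP $anon (expected 401)"
"Windows-authenticated request: HTTP $auth (expected 200)"
if ($anon -ne 401) {
    Write-Warning 'Anonymous access is still allowed; re-check the IIS authentication settings for the Web Adaptor.'
}
if ($auth -ne 200) {
    Write-Warning "Authenticated request failed; check the user's roles and the root folder permissions in Manager."
}
```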

Note:

When browsing the Services Directory using Integrated Windows Authentication, the Logout link is no longer visible. This is because the user running the web browser is logged in automatically by the operating system. To run the browser as another user, you can use the Windows Run as command option. To do this, locate the program shortcut on the Start menu, hold down the Shift key, right click the program, and select Run as different user.

To determine which Windows domain users have access to the root folder, do the following:

Steps:
  1. Log in to Manager and click Services.
  2. Click the Lock button next to the site (root) folder and identify roles that have been given permission to access this folder. If no roles currently have access, grant access to at least one role by clicking Add Role.
  3. Click Security > Roles and click the Edit button for the role that has access to the root folder.
  4. View the list of users that are members of this role.
12/18/2014