Securing web services with Integrated Windows Authentication
This tutorial demonstrates how to secure ArcGIS web services using Integrated Windows Authentication. Integrated Windows Authentication requires users and roles to be managed in a Microsoft Windows Active Directory server. It can be a convenient approach when you want your GIS users to take advantage of the accounts they already have on your network.
You can use Integrated Windows Authentication when users have Windows domain accounts and access the services through a local network.
If your log on settings deny login rights to the machine where Active Directory is hosted, you will encounter an error when configuring security. It is not necessary to grant Log on locally group policy settings to the user. For more information, see Advanced considerations when using domain accounts.
Integrated Windows Authentication is not supported over the Internet and requires the installation and configuration of the ArcGIS Web Adaptor (IIS). For information, see About the ArcGIS Web Adaptor. The Web Adaptor performs authentication, while ArcGIS Server authorizes access to the web services.
To secure ArcGIS web services using Integrated Windows Authentication, follow these steps:
- Configure the ArcGIS Web Adaptor (IIS) to use Windows authentication.
- Configure ArcGIS Server to use Windows Active Directory users and roles.
- Review users and roles.
- Set permissions for services.
- Test access to secured services.
Configuring the ArcGIS Web Adaptor (IIS) to use Windows authentication
After configuring your services to utilize users and roles in a Windows Active Directory server, you need to install and configure the ArcGIS Web Adaptor (IIS) and configure IIS to use Windows authentication as the authentication method.
- Install the Web Adaptor, following the instructions in Installing the ArcGIS Web Adaptor (IIS).
- Configure the Web Adaptor, following the instructions in Configuring the Web Adaptor after installation.
- Set the authentication method for the Web Adaptor using IIS Manager.
- To open IIS Manager, click Start > Control Panel > Administrative Tools > Internet Information Services Manager.
- Expand the left-hand tree of IIS Manager, under Sites. Expand Default Web Site to find the ArcGIS Web Adaptor (IIS) application. By default, the ArcGIS Web Adaptor (IIS) is named arcgis.
- Edit the authentication property for the Web Adaptor. Deselect Anonymous authentication and select Windows Authentication.
- Close IIS Manager.
Configuring ArcGIS Server security to use Windows Active Directory users and roles
To support Integrated Windows Authentication, configure ArcGIS Server to retrieve users and roles from a Windows Active Directory server:
- Open Manager and log in as the primary site administrator or a user with administrative access. If you need help with this step, see Logging in to Manager.
- Click Security > Settings.
- Click the Edit button next to Configuration Settings.
- On the User and Role Management page, choose the Users and roles in an existing enterprise system (LDAP or Windows Domain) option and click Next.
- On the Enterprise Store Type page, choose the Windows Domain option and click Next.
- On the Windows Domain Credentials page, enter the credentials for a user account with read access to the domain, then click Next.
- On the Authentication Tier page, choose Web Tier.
- Review the summary of your selections. Click Finish to apply and save the security configuration.
Reviewing users and roles
After configuring a Windows Active Directory domain as the user and role store, review the users and roles to make sure they were retrieved correctly. To add, edit, or delete users and roles, you need to use the tools available on the Active Directory server.
- In Manager, click Security > Users.
- Verify users have been retrieved as expected from the Windows domain server.
- Click Roles to review roles retrieved from the Windows domain server.
- Verify roles have been retrieved as expected. Click the Edit button next to a role to check role membership. Modify the Role Type value as necessary. For information on role types, see How ArcGIS Server security works.
Setting permissions for ArcGIS web services
Once you have configured your security settings and defined users and roles, you can set permissions for services to control who is allowed to access them.
ArcGIS Server controls access to the GIS web services hosted on your server using a role-based access control model. In a role-based access control model, the permission to access a secured service is controlled by assigning roles to that service. To consume a secured service, a user must be a member of a role that has been assigned permissions to access it.
Permissions may be assigned to an individual web service or to the parent folder containing a group of services. If you assign permissions to a folder, any service contained within inherits the folder's permissions. For example, if you grant a role access to the site (root) folder, users belonging to that role will be granted access to all the services hosted on that site. Also, to override permissions automatically inherited by a service from its parent folder, you can edit the service and explicitly remove the permissions that were inherited.
To set permissions for a service, see Editing permissions in Manager.
Testing access to secured services
To test your setup, identify a Windows domain user account that has access to the root (site) folder containing your services. Log in to Windows using this user account, open a web browser, and access your ArcGIS Server WSDL:
http://<webadaptor host>/arcgis/services?wsdl
To determine which Windows domain users have access to the root folder, do the following:
- Log in to ArcGIS Server Manager and click Services.
- Click the Lock button next to the site (root) folder and identify roles that have been given permission to access this folder. If no roles currently have access, grant access to at least one role by clicking Add Role .
- Click Security > Roles and click the Edit button for the role that has access to the root folder.
- View the list of users that are members of this role.