Configuring ArcGIS Server security

You can use Manager to configure the settings for ArcGIS Server security. The security settings define how users and roles are managed and how users are authenticated. To configure ArcGIS Server security, you must be logged in to Manager as the primary site administrator or as a user with administrative access. If the primary site administrator account has been disabled, you must re-enable the primary site administrator before you can change ArcGIS Server security.

Three options are available in Manager to configure how users and roles are managed:

For information on how to manage users and roles in a custom identity store, see Setting up a custom identity store using Java.

Two options are available in Manager to specify how users are authenticated when accessing GIS web services:

Managing ArcGIS Server users and roles

Users and roles from ArcGIS Server's built-in store

Out of the box, ArcGIS Server security is enforced with users and roles from the built-in store. When this option is selected, user and role information is persisted in a file-based format in the configuration store. Users and roles in the built-in store can only be accessed and managed by ArcGIS Server. As a result, when security is configured to use the built-in store, users are authenticated using ArcGIS token-based authentication.

Users and roles from an existing enterprise system

ArcGIS Server has the ability to enforce security with users and roles managed in an external Microsoft Active Directory or LDAP server. ArcGIS Server uses the Active Directory or LDAP server as a read-only store. You can view users and roles from the Active Directory or LDAP server in Manager, but you cannot add, edit, or delete users and roles. Additionally, user authentication may be done by either the ArcGIS Server or the web server.

If your logon settings deny login rights to the machine where Active Directory is hosted, you will encounter an error when configuring security. It is not necessary to grant the Log on locally group policy setting to the user. For more information, see Advanced considerations when using domain accounts.

Users from an existing enterprise system and roles from ArcGIS Server's built-in store

ArcGIS Server can be configured to enforce security with users managed in an external Microsoft Active Directory or LDAP server and roles managed in the ArcGIS Server built-in store. ArcGIS Server uses the Active Directory or LDAP server as a read-only store. You can view the users in the Active Directory or LDAP server in Manager, but you cannot add, edit, or delete users. You can add, edit, and delete roles in the built-in store using Manager. When using Active Directory or LDAP as your user store, user authentication may be done by either ArcGIS Server or the web server.

ArcGIS Server allows you to choose how users are authenticated when accessing secured ArcGIS web services.

ArcGIS Server authentication

When authentication is done at the GIS server tier, users are authenticated using Esri's proprietary ArcGIS token-based authentication mechanism. For information on how ArcGIS token-based authentication works, see About ArcGIS tokens. ArcGIS Server authentication is the most common method used when the GIS web services are primarily consumed by clients built using the ArcGIS Server web APIs.

Web server authentication

When authentication is done by the web server, you can leverage the standard authentication mechanisms provided by your web server, such as HTTP digest, PKI client certificate authentication, and so on. Unlike token authentication, these mechanisms are recognized by third-party clients of ArcGIS services. Web server authentication is commonly used when building web applications that use single sign-on.

Web server authentication requires installing the ArcGIS Web Adaptor on your web server. When web server authentication is configured, ArcGIS Server delegates authentication to the Web Adaptor. Once a user is successfully authenticated, the ArcGIS Web Adaptor encrypts and appends the user information to the request and forwards it to ArcGIS Server. ArcGIS Server receives and decrypts the user information to verify that the user has the authorization to access the requested GIS web service.
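The delegation flow described above, as a constructed model that is not Esri's code: an authenticating front end (standing in for the Web Adaptor) stamps the authenticated user's identity onto the forwarded request, and the back end (standing in for ArcGIS Server) authorizes only identities it can verify. The real Web Adaptor encrypts the user information; this model binds it with an HMAC tag under a shared key instead, which is enough to show the trust boundary: the header name, the key, and the role names are assumed values.

```python
import base64
import hashlib
import hmac
import json

# Key known only to the web adaptor and the GIS server (constructed value).
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
HEADER = "X-Forwarded-Identity"  # hypothetical header name


def _tag(payload: bytes) -> str:
    """Integrity tag over the forwarded identity."""
    return hmac.new(SHARED_KEY, payload, hashlib.sha256).hexdigest()


def web_adaptor_forward(username: str, roles: list, request: dict) -> dict:
    """After the web server has authenticated `username`, attach the identity
    to the request so the GIS server can make its authorization decision."""
    payload = json.dumps({"user": username, "roles": roles}, sort_keys=True).encode()
    token = base64.urlsafe_b64encode(payload).decode() + "." + _tag(payload)
    forwarded = dict(request)
    forwarded["headers"] = dict(request.get("headers", {}), **{HEADER: token})
    return forwarded


def gis_server_identity(request: dict):
    """Recover the forwarded identity, or None if it is absent or forged."""
    token = request.get("headers", {}).get(HEADER)
    if not token or "." not in token:
        return None
    b64, tag = token.rsplit(".", 1)
    try:
        payload = base64.urlsafe_b64decode(b64.encode())
    except ValueError:  # binascii.Error is a ValueError
        return None
    if not hmac.compare_digest(_tag(payload), tag):
        return None  # header was not produced by the web adaptor: ignore it
    return json.loads(payload)


def authorize(request: dict, allowed_roles: set) -> bool:
    """Allow the service call only if a verified identity holds an allowed role."""
    identity = gis_server_identity(request)
    return identity is not None and bool(set(identity["roles"]) & allowed_roles)
```

The point to keep from the model: the server never trusts the identity header on its own, so a client that writes the header itself, or that tampers with a genuine one, is treated as unauthenticated.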

You must install the Web Adaptor on your web server before configuring web server authentication in Manager. For more information about the Web Adaptor and instructions on how to install it on your web server, see About the ArcGIS Web Adaptor.

Securing ArcGIS Server using Integrated Windows Authentication

Supported identity store configurations

Authentication mechanism: ArcGIS Server authentication
Supported identity store configurations:
  • Built-in users and roles
  • Active Directory users and roles in Active Directory or the built-in store
  • LDAP users and roles in LDAP or the built-in store
  • Users in a custom store and roles in the custom or the built-in store

Authentication mechanism: Web server authentication
Supported identity store configurations:
  • Any identity store for which the web server has built-in or extensible support

12/18/2014