Configuring ArcGIS Server security
You can use Manager to configure the settings for ArcGIS Server security. The security settings define how users and roles are managed and how users are authenticated. To configure ArcGIS Server security, you must be logged in to Manager as the primary site administrator or as a user with administrative access. If the primary site administrator account has been disabled, you must re-enable it before you can change ArcGIS Server security.
Three options are available in Manager to configure how users and roles are managed:
- Users and roles from ArcGIS Server's built-in store
- Users and roles from an existing enterprise system
- Users from an existing enterprise system and roles from ArcGIS Server's built-in store
For information on how to manage users and roles in a custom identity store, see Setting up a custom identity store using Java.
Two options are available in Manager to specify how users are authenticated when accessing GIS web services:
- ArcGIS Server authentication (ArcGIS token-based authentication)
- Web server authentication (the web server's own mechanisms, through the ArcGIS Web Adaptor)
Managing ArcGIS Server users and roles
Users and roles from ArcGIS Server's built-in store
Out of the box, ArcGIS Server enforces security with users and roles from the built-in store. When this option is selected, user and role information is persisted in a file-based format in the configuration store. Users and roles in the built-in store can be read and managed only by ArcGIS Server; no other component, including the web server, can consult it. Consequently, when security is configured to use the built-in store, users must be authenticated by ArcGIS Server itself using ArcGIS token-based authentication.
Users and roles from an existing enterprise system
ArcGIS Server can enforce security with users and roles managed in an external Microsoft Active Directory or LDAP server. ArcGIS Server uses the Active Directory or LDAP server as a read-only store: you can view its users and roles in Manager, but you cannot add, edit, or delete them. With this option, user authentication may be done either by ArcGIS Server or by the web server.
If your logon settings deny the ArcGIS Server account login rights to the machine where Active Directory is hosted, you will encounter an error when configuring security. It is not necessary to grant the "Log on locally" group policy setting to the account. For more information, see Advanced considerations when using domain accounts.
Users from an existing enterprise system and roles from ArcGIS Server's built-in store
ArcGIS Server can be configured to enforce security with users managed in an external Microsoft Active Directory or LDAP server and roles managed in the ArcGIS Server built-in store. ArcGIS Server uses the Active Directory or LDAP server as a read-only store: you can view its users in Manager, but you cannot add, edit, or delete them. You can add, edit, and delete roles in the built-in store using Manager. When using Active Directory or LDAP as your user store, user authentication may be done either by ArcGIS Server or by the web server.
Authenticating ArcGIS Server users
ArcGIS Server allows you to choose whether users are authenticated by ArcGIS Server itself or by the web server when they access secured ArcGIS web services.
ArcGIS Server authentication
When authentication is done at the GIS server tier, users are authenticated using Esri's proprietary ArcGIS token-based authentication mechanism. For information on how ArcGIS token-based authentication works, see About ArcGIS tokens. ArcGIS Server authentication is the most common method used when the GIS web services are primarily consumed by clients built using the ArcGIS Server web APIs.
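The token flow this paragraph refers to, as an added example (not Esri's code, and not taken from the About ArcGIS tokens page): a client posts its credentials to the server's generateToken endpoint, receives a short-lived token, and presents that token on every request to a secured service. The endpoint path, form parameters and reply shape are the ArcGIS REST API as the author understands it and should be treated as assumptions; the sample replies are constructed. The security-relevant choices are that credentials and tokens go in POST bodies rather than URLs, that plain http:// is refused, and that the token is bound to a referer so a stolen token is less useful from another origin.

```python
"""Acquiring and using an ArcGIS token against a server configured for
ArcGIS Server (token-based) authentication.

Added example, not Esri's code. It assumes the ArcGIS REST API token endpoint
at <server>/tokens/generateToken taking a POST form with username, password,
client, referer, expiration and f=json, replying with
{"token": ..., "expires": <milliseconds since the epoch>} and reporting
failures as an "error" object. The sample replies below are constructed.
"""
import json
import time
import urllib.parse
import urllib.request


class TokenError(Exception):
    """The token endpoint refused the request or returned an unusable reply."""


def build_token_request(server_url, username, password, referer, expiration_minutes=60):
    """Return (url, form_body) for the generateToken POST.

    Credentials travel in the POST body rather than the query string so they
    do not end up in web server or proxy access logs, and only https:// is
    accepted because the reply is a bearer credential. client=referer binds
    the token to the origin named in 'referer'; requests that present the
    token must carry the same Referer header.
    """
    if urllib.parse.urlsplit(server_url).scheme != "https":
        raise ValueError("refusing to send credentials over plain HTTP: %s" % server_url)
    url = server_url.rstrip("/") + "/tokens/generateToken"
    form = {
        "username": username,
        "password": password,
        "client": "referer",
        "referer": referer,
        "expiration": str(expiration_minutes),
        "f": "json",
    }
    return url, urllib.parse.urlencode(form).encode("utf-8")


def parse_token_response(body, now_ms=None):
    """Return (token, expires_ms) from the JSON reply, raising TokenError on
    failure. ArcGIS Server reports errors with HTTP 200 and an "error" member,
    so the body must be inspected rather than the status code."""
    try:
        data = json.loads(body)
    except ValueError as exc:
        raise TokenError("non-JSON reply from token endpoint") from exc
    if "error" in data:
        err = data["error"]
        raise TokenError("generateToken failed: %s %s" % (err.get("code"), err.get("message")))
    token, expires = data.get("token"), data.get("expires")
    if not isinstance(token, str) or not token or not isinstance(expires, int):
        raise TokenError("reply lacks a usable token/expires pair: %r" % (data,))
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    if expires <= now_ms:
        raise TokenError("server issued an already-expired token")
    return token, expires


def token_is_fresh(expires_ms, now_ms, margin_s=60):
    """True while more than margin_s seconds of lifetime remain, so a request
    begun close to expiry is not rejected mid-flight."""
    return expires_ms - now_ms > margin_s * 1000


def build_service_request(service_url, token, referer, params=None):
    """Build a POST to a secured service REST endpoint carrying the token in
    the form body (again keeping it out of URLs and logs) and the Referer
    the token was bound to."""
    if urllib.parse.urlsplit(service_url).scheme != "https":
        raise ValueError("token must only be sent over https: %s" % service_url)
    form = dict(params or {})
    form["token"] = token
    form.setdefault("f", "json")
    req = urllib.request.Request(
        service_url, data=urllib.parse.urlencode(form).encode("utf-8"), method="POST")
    req.add_header("Referer", referer)
    return req


# Constructed sample replies (not captured from a real server).
SAMPLE_OK = '{"token": "sampleToken0123456789", "expires": 1700003600000}'
SAMPLE_ERROR = ('{"error": {"code": 400, "message": "Unable to generate token.",'
                ' "details": ["Invalid username or password."]}}')


if __name__ == "__main__":
    import sys
    # Usage: python arcgis_token.py https://gis.example.com:6443/arcgis USER PASSWORD https://app.example.com
    server, user, password, referer = sys.argv[1:5]
    url, body = build_token_request(server, user, password, referer)
    with urllib.request.urlopen(url, data=body) as resp:
        token, expires = parse_token_response(resp.read().decode("utf-8"))
    req = build_service_request(server.rstrip("/") + "/rest/services", token, referer)
    with urllib.request.urlopen(req) as resp:
        print(resp.read().decode("utf-8"))
```

A token is a bearer credential for the whole of its requested lifetime, so keep the expiration short, request it only over TLS, and renew it before it lapses rather than reusing one until the server rejects it.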
Web server authentication
When authentication is done by the web server, you can leverage the standard authentication mechanisms provided by your web server, such as Integrated Windows Authentication, HTTP digest, or PKI client certificate authentication. Unlike ArcGIS tokens, these standard mechanisms are understood by third-party clients of ArcGIS services. Web server authentication is commonly used when building web applications that use single sign-on.
Web server authentication requires installing the ArcGIS Web Adaptor on your web server. When web server authentication is configured, ArcGIS Server delegates authentication to the Web Adaptor. Once a user is successfully authenticated, the ArcGIS Web Adaptor encrypts the user information, appends it to the request, and forwards the request to ArcGIS Server. ArcGIS Server decrypts the user information and verifies that the user is authorized to access the requested GIS web service. Because the Web Adaptor is the component performing authentication, every client request should pass through it: ArcGIS Server's own ports (6080 and 6443) should not be reachable by clients directly.
You must install the Web Adaptor on your web server before configuring web server authentication in Manager. For more information about the Web Adaptor and instructions on how to install it on your web server, see About the ArcGIS Web Adaptor.
For an example of web server authentication with Integrated Windows Authentication, see Securing ArcGIS Server using Integrated Windows Authentication.
Supported identity store configurations
Authentication mechanism | Supported identity store configurations |
---|---|
ArcGIS Server authentication | Users and roles from ArcGIS Server's built-in store; users and roles from an existing enterprise system (Active Directory or LDAP); users from an existing enterprise system (Active Directory or LDAP) and roles from ArcGIS Server's built-in store |
Web server authentication | Any identity store for which the web server has built-in or extensible support (Active Directory or LDAP users, with roles from the same directory or from ArcGIS Server's built-in store) |
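The three identity-store options listed under Managing ArcGIS Server users and roles and the two authentication mechanisms summarized in the table above combine only in certain ways. The following added example (not Esri's code; Manager performs the equivalent through its UI) encodes those rules and emits the security configuration document for a valid choice. The document shape (authenticationTier, userStoreConfig, roleStoreConfig, allowDirectAccess) and the update URL follow the ArcGIS Server Administrator API as the author understands it and are assumptions; the directory connection property names are placeholders.

```python
"""Translate the identity-store and authentication choices Manager offers
into an ArcGIS Server security configuration document and reject the
combinations this page does not offer.

Added example, not Esri's code. The document shape (authenticationTier,
userStoreConfig, roleStoreConfig, allowDirectAccess) and the update URL
follow the ArcGIS Server Administrator API security configuration as the
author understands it and are assumptions; Manager writes the same settings
through its UI. Directory connection property names are placeholders.
"""
import json

STORE_TYPES = ("BUILTIN", "WINDOWS", "LDAP")   # WINDOWS = Active Directory
TIERS = ("GIS_SERVER", "WEB_ADAPTOR")          # ArcGIS Server vs. web server authentication


def validate_choice(user_store, role_store, tier, web_adaptor_installed):
    """Return None when the combination is one the page offers, otherwise a
    sentence explaining why it is not."""
    if user_store not in STORE_TYPES or role_store not in STORE_TYPES:
        return "unknown store type; expected one of %s" % (STORE_TYPES,)
    if tier not in TIERS:
        return "unknown authentication tier; expected one of %s" % (TIERS,)
    # Roles may always live in the built-in store. Roles from a directory must
    # come from the same directory that supplies the users; built-in users
    # with directory roles is not an offered option.
    if role_store != "BUILTIN" and user_store != role_store:
        return "roles from %s require users from the same %s store" % (role_store, role_store)
    if tier == "WEB_ADAPTOR":
        if not web_adaptor_installed:
            return "web server authentication requires the ArcGIS Web Adaptor on the web server"
        if user_store == "BUILTIN":
            return ("the built-in store is readable only by ArcGIS Server, so its users "
                    "can only be authenticated with ArcGIS tokens (GIS_SERVER tier)")
    return None


def build_security_config(user_store, role_store, tier, web_adaptor_installed=False,
                          directory_properties=None):
    """Return the securityConfig document for a valid choice, or raise ValueError."""
    problem = validate_choice(user_store, role_store, tier, web_adaptor_installed)
    if problem:
        raise ValueError(problem)
    if user_store != "BUILTIN" and not directory_properties:
        raise ValueError("%s store needs directory connection properties" % user_store)
    props = dict(directory_properties or {})
    return {
        "authenticationTier": tier,
        "userStoreConfig": {"type": user_store,
                            "properties": props if user_store != "BUILTIN" else {}},
        "roleStoreConfig": {"type": role_store,
                            "properties": props if role_store != "BUILTIN" else {}},
        # With web server authentication every request must pass through the
        # Web Adaptor, so direct client access to ports 6080/6443 is disabled
        # (field name assumed from the Administrator API).
        "allowDirectAccess": tier == "GIS_SERVER",
    }


def update_form(config):
    """Form fields for POST <server>/admin/security/config/update (assumed endpoint)."""
    return {"securityConfig": json.dumps(config), "f": "json"}


if __name__ == "__main__":
    # Placeholder directory properties; the real names depend on the store type.
    ad = {"directory": "ldaps://dc.example.com:636",
          "userSearchBase": "OU=Staff,DC=example,DC=com"}
    for choice in [("BUILTIN", "BUILTIN", "GIS_SERVER", False, None),
                   ("WINDOWS", "WINDOWS", "GIS_SERVER", False, ad),
                   ("WINDOWS", "BUILTIN", "WEB_ADAPTOR", True, ad),
                   ("BUILTIN", "WINDOWS", "GIS_SERVER", False, ad),
                   ("BUILTIN", "BUILTIN", "WEB_ADAPTOR", True, None)]:
        try:
            print(json.dumps(build_security_config(*choice)))
        except ValueError as exc:
            print("rejected %s: %s" % (choice[:3], exc))
```

The last two choices in the driver are rejected: built-in users cannot be paired with directory roles, and the built-in store cannot be used with web server authentication, because only ArcGIS Server can read it.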