Configuring ArcGIS Server security

Users and roles from ArcGIS Server's built-in store

Out of the box, ArcGIS Server security is enforced with users and roles from the built-in store. When this option is selected, user and role information is persisted in a file-based format in the configuration store. Users and roles in the built-in store can only be accessed and managed by ArcGIS Server. As a result, when security is configured to use the built-in store, users are authenticated using ArcGIS token-based authentication.

Users and roles from an existing enterprise system

ArcGIS Server has the ability to enforce security with users and roles managed in an external Microsoft Active Directory or LDAP server. ArcGIS Server uses the Active Directory or LDAP server as a read-only store. You can view users and roles from the Active Directory or LDAP server in Manager, but you cannot add, edit, or delete users and roles. Additionally, user authentication may be done by either the ArcGIS Server or the web server.

If your log on settings deny login rights to the machine where Active Directory is hosted, you will encounter an error when configuring security. It is not necessary to grant Log on locally group policy settings to the user. For more information, see Advanced considerations when using domain accounts.

Users from an existing enterprise system and roles from ArcGIS Server's built-in store

ArcGIS Server can be configured to enforce security with users managed in an external Microsoft Active Directory or LDAP server and roles managed in the ArcGIS Server built-in store. ArcGIS Server uses the Active Directory or LDAP server as a read-only store. You can view the users in the Active Directory or LDAP server in Manager, but you cannot add, edit, or delete users. You can add, edit and delete roles in the built-in store using Manager. When using Active Directory or LDAP as your user store, user authentication may be done by either the ArcGIS Server or the web server.

ArcGIS Server authentication

When authentication is done at the GIS server tier, users are authenticated using Esri's proprietary ArcGIS token-based authentication mechanism. For information on how ArcGIS token-based authentication works, see About ArcGIS tokens. ArcGIS Server authentication is the most common method used when the GIS web services are primarily consumed by clients built using the ArcGIS Server web APIs.

Web server authentication

When authentication is done by the web server, you can leverage the standard authentication mechanisms provided by your web server such as HTTP digest, PKI client certification authentication, etc. As opposed to token authentication, these mechanisms are recognized by third-party clients to ArcGIS services. Web server authentication is commonly used when building web applications that use single sign-on.

Web server authentication requires installing the ArcGIS Web Adaptor on your web server. When web server authentication is configured, ArcGIS Server delegates authentication to the Web Adaptor. Once a user is successfully authenticated, the ArcGIS Web Adaptor encrypts and appends the user information to the request and forwards it to ArcGIS Server. ArcGIS Server receives and decrypts the user information to verify that the user has the authorization to access the requested GIS web service.

You must install the Web Adaptor on your web server before configuring web server authentication in Manager. For more information about the Web Adaptor and instructions on how to install it on your web server, see About the ArcGIS Web Adaptor.

Securing ArcGIS Server using Integrated Windows Authentication

Supported identity store configurations