Securing web services with Integrated Windows Authentication

This tutorial demonstrates how to secure ArcGIS web services using Integrated Windows Authentication. This requires users and roles to be managed in a Microsoft Windows Active Directory server. It can be a convenient approach when you want your GIS users to take advantage of Windows domain accounts they already have on your network.

To use Integrated Windows Authentication, you must use ArcGIS Web Adaptor (IIS) deployed to Microsoft's IIS web server. You cannot use ArcGIS Web Adaptor (Java Platform) to perform Integrated Windows Authentication.

If your logon settings deny logon rights to the machine where Active Directory is hosted, you will encounter an error when configuring security. It is not necessary to grant the Log on locally group policy right to the user. For more information, see Advanced considerations when using domain accounts.

To secure ArcGIS web services using Integrated Windows Authentication, follow these steps:

  1. Configure ArcGIS Web Adaptor (IIS) to use Windows authentication.
  2. Configure ArcGIS Server to use Windows Active Directory users and roles.
  3. Review users and roles.
  4. Configure Administrator and Publisher privileges for Active Directory users.
  5. Set permissions for services.
  6. Test access to secured services.

Configure ArcGIS Web Adaptor (IIS) to use Windows authentication

Integrated Windows Authentication requires web-tier authentication and this must be done with ArcGIS Web Adaptor (IIS). The Web Adaptor relies on IIS to authenticate the user and provide the Web Adaptor with the account name of the user. Once it has the account name, it passes that to ArcGIS Server.

Steps:
  1. Install the Web Adaptor, following the instructions in Installing the ArcGIS Web Adaptor (IIS).
  2. Configure the Web Adaptor, following the instructions in Configuring the ArcGIS Web Adaptor after installation.
    Note:

    When configuring the Web Adaptor, you must enable administration through the Web Adaptor. This allows users in Windows Active Directory to publish services from ArcGIS for Desktop. When the users in these roles connect to the server in ArcGIS for Desktop, they must specify the Web Adaptor URL.

  3. Set the authentication method for the Web Adaptor using IIS Manager.
    1. To open IIS Manager, click Start > Control Panel > Administrative Tools > Internet Information Services Manager.
    2. Expand the left-hand tree of IIS Manager, under Sites. Expand Default Web Site to find the ArcGIS Web Adaptor (IIS) application. By default, the ArcGIS Web Adaptor (IIS) is named arcgis.
    3. Edit the authentication property for the Web Adaptor. Deselect Anonymous authentication and select Windows Authentication.
    4. Close IIS Manager.
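The IIS change in step 3 can also be applied and read back from PowerShell instead of IIS Manager. This is an added example, not part of the tutorial or the Web Adaptor product; it assumes the default site and application names (Default Web Site and arcgis) and must run as an administrator on the IIS machine.

```powershell
# Added example: switch the Web Adaptor application from Anonymous to
# Windows Authentication (step 3.3) and verify the effective setting.
# Assumes the default site/application names; adjust $Site and $App if yours differ.
Import-Module WebAdministration

$Site     = 'Default Web Site'
$App      = 'arcgis'
$Location = "$Site/$App"
$AuthPath = 'system.webServer/security/authentication'

# Scope the change to the Web Adaptor application only, not the whole site.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
    -Filter "$AuthPath/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location `
    -Filter "$AuthPath/windowsAuthentication" -Name enabled -Value $true

# Read the effective values back before moving on to ArcGIS Server Manager.
$anon = (Get-WebConfiguration -PSPath 'IIS:\' -Location $Location `
    -Filter "$AuthPath/anonymousAuthentication").enabled
$win  = (Get-WebConfiguration -PSPath 'IIS:\' -Location $Location `
    -Filter "$AuthPath/windowsAuthentication").enabled

if (-not $anon -and $win) {
    Write-Host "$Location : Windows Authentication only (anonymous disabled)"
} else {
    Write-Warning "$Location : unexpected settings (anonymous=$anon, windows=$win)"
}
```

If the Windows Authentication role service is not installed in IIS, the windowsAuthentication section does not exist and the second Set-WebConfigurationProperty call fails; install that feature first.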

Configure ArcGIS Server security to use Windows Active Directory users and roles

To support Integrated Windows Authentication, configure ArcGIS Server to retrieve users and roles from a Windows Active Directory server:

Steps:
  1. Open Manager and log in as the primary site administrator. You must use the primary site administrator account. If you need help with this step, see Logging in to Manager.
  2. Click Security > Settings.
  3. Click the Edit button next to Configuration Settings.
  4. On the User and Role Management page, choose the Users and roles in an existing enterprise system (LDAP or Windows Domain) option and click Next.
  5. On the Enterprise Store Type page, choose the Windows Domain option and click Next.
  6. On the Windows Domain Credentials page, enter the credentials for an account that has permissions to determine which groups users reside in. Click Next.
    Note:

    It is recommended that you specify an account with a password that does not expire. If this is not possible, you'll need to repeat the steps in this section each time the password of the account is changed.

  7. On the Authentication Tier page, choose Web Tier.
  8. Review the summary of your selections. Click Finish to apply and save the security configuration.

Review users and roles

After configuring a Windows Active Directory domain as the user and role store, review the users and roles to make sure they were retrieved correctly. To add, edit, or delete users and roles, you need to use the tools available on the Active Directory server.

Steps:
  1. In Manager, click Security > Users.
  2. Verify users have been retrieved as expected from the Windows domain server. If Active Directory has multiple domains, users from the domain that the GIS server machine belongs to are displayed. To view users from other domains, enter the search string [domain name]\ in the Find User field and click the Search button.
  3. Click Roles to review roles retrieved from the Windows domain server. If Active Directory has multiple domains, roles from the domain that the GIS server machine belongs to are displayed. To view roles from other domains, enter the search string [domain name]\ in the Find Role field and click the Search button.
  4. Verify the roles have been retrieved as expected.

Configure administrator and publisher privileges for Active Directory users

Out of the box, ArcGIS Server only allows the primary site administrator access to the server. If you will be using Active Directory users to administer ArcGIS Server or publish services, you will need to follow the steps below.

Steps:
  1. In ArcGIS Server Manager, click the Security tab and open the Users page.
  2. Using the Find User tool, locate the user to whom you want to assign administrator or publisher privileges. Review the roles that this user is a member of and choose the role that will be assigned administrator or publisher privileges.
  3. Open the Roles page and use the Find Role tool to locate the role chosen in the previous step.
  4. Click the Edit button next to the role.
  5. For the Role Type parameter, choose either Publisher or Administrator.
  6. Click Save to apply your changes.

Set permissions for ArcGIS web services

Once you have configured your security settings and defined users and roles, you can set permissions for services to control who is allowed to access them.

ArcGIS Server controls access to the GIS web services hosted on your server using a role-based access control model. In a role-based access control model, the permission to access a secured service is controlled by assigning roles to that service. To consume a secured service, a user must be a member of a role that has been assigned permissions to access it.

Permissions may be assigned to an individual web service or to the parent folder containing a group of services. If you assign permissions to a folder, any service contained within inherits the folder's permissions. For example, if you grant a role access to the site (root) folder, users belonging to that role will be granted access to all the services hosted on that site. Also, to override permissions automatically inherited by a service from its parent folder, you can edit the service and explicitly remove the permissions that were inherited.

To set permissions for a service, see Editing permissions in Manager.

Note:

When browsing ArcGIS Server Manager using Integrated Windows Authentication, the Sign Out link is no longer visible. This is because the user running the web browser is logged in automatically by the operating system. To run the browser as another user, you can use the Windows Run as command option. To do this, locate the program shortcut on the Start menu, hold down the Shift key, right click the program, and select Run as different user.

Test access to secured services

To test your setup, identify a Windows domain user account that has access to the root (site) folder containing your services. Log in to Windows using this user account, open a web browser, and access your ArcGIS Server WSDL:

http://webadaptor.domain.com/arcgis/services?wsdl

Similarly, you may also view the Services Directory to verify access to secured services:

http://webadaptor.domain.com/arcgis/rest/services

Note:

When browsing the Services Directory using Integrated Windows Authentication, the Logout link is no longer visible. This is because the user running the web browser is logged in automatically by the operating system. To run the browser as another user, you can use the Windows Run as command option. To do this, locate the program shortcut on the Start menu, hold down the Shift key, right click the program, and select Run as different user.
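The browser test above can be scripted from a domain-joined client so that both outcomes are checked: an anonymous request must be challenged, and the logged-on domain user must get through. This is an added example, not part of the tutorial; it uses the tutorial's placeholder host name, which you replace with your Web Adaptor URL.

```powershell
# Added example: probe the two URLs from the tutorial with and without the
# logged-on user's Windows credentials. $BaseUrl is the tutorial's placeholder.
$BaseUrl = 'http://webadaptor.domain.com/arcgis'
$Urls = @("$BaseUrl/services?wsdl", "$BaseUrl/rest/services?f=json")

function Get-HttpStatus {
    param([string]$Url, [switch]$UseDefaultCredentials)
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing `
                    -UseDefaultCredentials:$UseDefaultCredentials
        return [int]$resp.StatusCode
    } catch {
        # Invoke-WebRequest throws on 4xx/5xx; recover the status code from the response.
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}

foreach ($u in $Urls) {
    # No credentials: with Anonymous authentication disabled in IIS this must be
    # a 401 challenge (WWW-Authenticate: Negotiate/NTLM), never a 200.
    $anon = Get-HttpStatus -Url $u
    # Same request with the interactive user's domain logon sent via Negotiate.
    $auth = Get-HttpStatus -Url $u -UseDefaultCredentials

    $anonMsg = if ($anon -eq 401) { 'OK' } else { 'FAIL: anonymous request was not challenged' }
    $authMsg = if ($auth -eq 200) { 'OK' } else { 'FAIL: check the root folder permissions for this user''s roles' }
    "$u`n  anonymous   -> $anon ($anonMsg)`n  domain user -> $auth ($authMsg)"
}
```

Run it as the domain user you identified for the test; if the anonymous probe returns 200, IIS is still allowing anonymous access to the Web Adaptor application and the earlier IIS step needs to be revisited.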

To determine which Windows domain users have access to the root folder, do the following:

Steps:
  1. Log in to Manager and click Services.
  2. Click the Lock button next to the site (root) folder and identify roles that have been given permission to access this folder. If no roles currently have access, grant access to at least one role by clicking Add Role.
  3. Click Security > Roles and click the Edit button for the role that has access to the root folder.
  4. View the list of users that are members of this role.
9/1/2015