Using Windows Active Directory and PKI to secure access to your portal

You can use a public key infrastructure (PKI) to secure access to your portal when user accounts are managed by Windows Active Directory.

The following sections explain setting up Portal for ArcGIS and ArcGIS Web Adaptor (IIS) to use a PKI. You must complete all the steps and in the order presented here. If you need assistance configuring other web servers to use PKI with ArcGIS Web Adaptor, contact Esri Professional Services.

These steps assume you have already installed ArcGIS Web Adaptor (IIS) and Portal for ArcGIS and registered your portal with the Web Adaptor.

Legacy: In 10.2, you were required to edit a properties file on disk to configure security for your portal. This is no longer required at 10.2.1 and later versions. The following instructions only apply to 10.2.1 and later versions. For help with these instructions at 10.2, see the 10.2 documentation.

Configuring Portal for ArcGIS to use Windows Active Directory users

First, configure your portal to use SSL exclusively. This is set on the Security page in the portal website.

Steps:
  1. Sign in to the portal website as the portal administrator.
  2. Click Edit Settings on the My Organization page.
  3. Click Security.
  4. Check Allow access to the portal through SSL only.
  5. Click Save to apply your changes.
Note:

If you'll be adding an ArcGIS Server site to your portal and want to use web-tier authentication with the site, you'll need to disable web-tier authentication (basic or digest) and enable anonymous access on the ArcGIS Web Adaptor configured with your site before adding it to the portal. Although it may sound counterintuitive, this is necessary so that your site is free to federate with the portal and read the portal's users and roles. If your ArcGIS Server site is not already using web-tier authentication, no action is required on your part. For instructions on how to add a server to your portal, see Federating an ArcGIS Server site with your portal.

Next, update your portal's identity store to use Windows Active Directory accounts.

Steps:
  1. Log in to the Portal Directory with an account that has administrator privileges. The URL is in the format https://webadaptor.domain.com/arcgis/portaladmin.
  2. Click Security > Config > Update Identity Store.
  3. Place the Windows Active Directory configuration JSON in the User store configuration (in JSON format) text box.

    You can copy the following text and alter it to contain the information specific to your site:

    {
      "type": "WINDOWS",
      "properties": {
        "userPassword": "secret",
        "isPasswordEncrypted": "false",
        "user": "mydomain\\winaccount",
        "userFullnameAttribute": "cn",
        "userEmailAttribute": "mail",
        "caseSensitive": "false"
      }
    }

    In most cases, you will only need to alter values for the user and userPassword parameters. Although you type the password in clear text, it will be encrypted when stored in the portal's configuration directory or viewed. The account you use for the user parameter only needs permissions to look up the email address and full name of Windows accounts on the network. If possible, use an account whose password does not expire.

  4. When you have finished entering the JSON for the user store configuration, click Update Configuration to save your changes.
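The same identity store update can be scripted against the Portal Administrator API rather than typed into the Update Identity Store form. This is an added example, not code from the Esri documentation; the generateToken and updateIdentityStore endpoint paths, the initial administrator user name and the BUILTIN group store are assumptions, and both passwords are prompted for at run time so that neither is stored in the script (PowerShell 3.0 or later).

```powershell
# Added example: push the Windows identity store JSON through the Portal
# Administrator API. Endpoint paths and the group store value are assumptions.
$portal    = 'https://webadaptor.domain.com/arcgis'   # URL form from the page; use your host
$adminUser = 'initialadmin'                           # assumption: initial administrator account

function ConvertTo-PlainText([securestring]$Secure) {
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

$adminPwd  = Read-Host "Password for $adminUser" -AsSecureString
$lookupPwd = Read-Host 'Password for mydomain\winaccount (lookup account)' -AsSecureString

# Obtain a short-lived portal token for the initial administrator.
$tok = Invoke-RestMethod -Method Post -Uri "$portal/sharing/rest/generateToken" -Body @{
    username = $adminUser; password = (ConvertTo-PlainText $adminPwd)
    client = 'referer'; referer = $portal; expiration = 10; f = 'json' }
if (-not $tok.token) { throw "Token request failed: $($tok | ConvertTo-Json -Compress)" }

# The user store JSON from the page, built as an object so the password is
# inserted at run time (isPasswordEncrypted stays "false": the portal encrypts it on save).
$userStore = @{
    type = 'WINDOWS'
    properties = @{
        userPassword          = (ConvertTo-PlainText $lookupPwd)
        isPasswordEncrypted   = 'false'
        user                  = 'mydomain\winaccount'
        userFullnameAttribute = 'cn'
        userEmailAttribute    = 'mail'
        caseSensitive         = 'false'
    }
}
$groupStore = @{ type = 'BUILTIN'; properties = @{} }   # assumption: keep the built-in group store

# Security > Config > Update Identity Store, as a REST call.
$result = Invoke-RestMethod -Method Post -Uri "$portal/portaladmin/security/config/updateIdentityStore" -Body @{
    userStoreConfig  = ($userStore  | ConvertTo-Json -Compress -Depth 3)
    groupStoreConfig = ($groupStore | ConvertTo-Json -Compress -Depth 3)
    token = $tok.token; f = 'json' }
$result
```

If the Web Adaptor has already been switched to require a client certificate, run this against the portal's own port 7443 URL instead of the Web Adaptor URL.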

Install and enable Active Directory Client Certificate Mapping Authentication

You must install and enable Active Directory Client Certificate Mapping Authentication in IIS.

Install Client Certificate Mapping Authentication

Active Directory Client Certificate Mapping is not available on the default installation of IIS. The instructions for installing the feature vary according to your operating system.

Windows Server 2008, 2008 R2, 2012, and 2012 R2

Steps:
  1. Open Administrative Tools and click Server Manager.
  2. In the Server Manager hierarchy pane, expand Roles and click Web Server (IIS).
  3. Scroll to the Role Services section and click Add Role Services.
  4. On the Select Role Services page of the Add Role Services Wizard, select Client Certificate Mapping Authentication and click Next.
  5. Click Install.

Windows 7, 8, and 8.1

Steps:
  1. Open Control Panel and click Programs and Features > Turn Windows Features on or off.
  2. Expand Internet Information Services > World Wide Web Services > Security and select Client Certificate Mapping Authentication.
  3. Click OK.

Enable Active Directory Client Certificate Mapping Authentication

Active Directory Client Certificate Mapping is not enabled automatically after installing the feature on Windows. You'll need to enable it in IIS using the steps below.

Steps:
  1. Start Internet Information Services (IIS) Manager.
  2. In the Connections node, click the name of your web server.
  3. Double-click Authentication in the Features View window.
  4. Verify that Active Directory Client Certificate Authentication is displayed. If the feature is not displayed or unavailable, you may need to restart your web server to complete the installation of the Active Directory Client Certificate Authentication feature.
  5. Double-click Active Directory Client Certificate Authentication and select Enable in the Actions window.

A message displays indicating that SSL must be enabled to use Active Directory Client Certificate Authentication. You'll address this in the next section.

Configure the Web Adaptor to require SSL

Alter authentication and SSL settings for your Web Adaptor.

Steps:
  1. Start Internet Information Services (IIS) Manager.
  2. Expand the Connections node and select your Web Adaptor site.
  3. Double-click Authentication in the Features View window.
  4. Disable all forms of authentication.
  5. Select your Web Adaptor from the Connections list again.
  6. Double-click SSL Settings.
  7. Enable the Require SSL option, and choose the Require option under Client certificates.
  8. Click Apply to save your changes.
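The three IIS procedures above (install the feature, enable Active Directory Client Certificate Mapping at the server level, then lock the Web Adaptor site down to SSL plus a required client certificate) can be applied and verified with the WebAdministration module. This is an added example, not Esri's code; the IIS site name hosting the Web Adaptor is an assumption, and it must be run from an elevated PowerShell session.

```powershell
# Added example: script the IIS side of the PKI setup and read the result back.
Import-Module WebAdministration
Import-Module ServerManager -ErrorAction SilentlyContinue   # present on Windows Server only

$siteName = 'Default Web Site'          # assumption: the IIS site the Web Adaptor runs under
$sitePath = "IIS:\Sites\$siteName"
$adCertAuth = 'system.webServer/security/authentication/clientCertificateMappingAuthentication'

# 1. Install Client Certificate Mapping Authentication (Server vs. Windows 7/8/8.1).
if (Get-Command Add-WindowsFeature -ErrorAction SilentlyContinue) {
    Add-WindowsFeature -Name Web-Client-Auth | Out-Null
} else {
    dism.exe /online /enable-feature /featurename:IIS-ClientCertificateMappingAuthentication | Out-Null
}

# 2. Enable Active Directory Client Certificate Mapping at the server node
#    (installing the feature does not enable it).
Set-WebConfigurationProperty -PSPath 'IIS:\' -Filter $adCertAuth -Name enabled -Value $true

# 3. Disable every other authentication scheme on the Web Adaptor site so the
#    mapped client certificate is the only credential IIS accepts there.
foreach ($auth in 'anonymousAuthentication', 'basicAuthentication',
                  'digestAuthentication', 'windowsAuthentication') {
    Set-WebConfigurationProperty -PSPath $sitePath `
        -Filter "system.webServer/security/authentication/$auth" -Name enabled -Value $false
}

# 4. Require SSL and require (not merely accept) a client certificate.
Set-WebConfigurationProperty -PSPath $sitePath -Filter 'system.webServer/security/access' `
    -Name sslFlags -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# 5. Verify: the server-level mapping is on and the site demands SSL + client cert.
$mapping = Get-WebConfigurationProperty -PSPath 'IIS:\' -Filter $adCertAuth -Name enabled
$flags   = Get-WebConfigurationProperty -PSPath $sitePath -Filter 'system.webServer/security/access' -Name sslFlags
"AD client certificate mapping enabled: $($mapping.Value)"
"Web Adaptor site sslFlags: $flags"
```

A restart of the web server may still be needed before step 2 succeeds, as the page notes for the IIS Manager route.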

Designate an Active Directory account as an administrator

How you add an Active Directory account to your portal will depend on whether your portal is configured to add accounts to the portal automatically when people sign in using an enterprise login or if accounts must be added from the ArcGIS Portal Directory. For information on this setting, see Configuring account creation.

If you manually register accounts for enterprise users

If your portal is configured so that you must add accounts using the CreateUsers tool, follow the instructions in Adding members to your portal to add the Active Directory account as your portal administrator. Be sure to choose the Administrator role when registering the enterprise account.

If accounts are automatically registered for enterprise users

If your portal is configured to add enterprise accounts automatically, open the portal website home page while logged in with the Active Directory account you want to use as the portal administrator. Depending on your browser and settings, you may be prompted to sign in.

When an account is first added to the portal automatically, it is assigned the User role. Only an administrator can change the role on an account; therefore, you must log in to the portal using the initial administrator account and assign the Active Directory account to the Administrator role. Since your Web Adaptor is set for Windows authentication, you must connect to the portal through port 7443 rather than the Web Adaptor to sign in using the initial administrator account.

Steps:
  1. Connect to the portal while logged in with the enterprise account you want to make an administrator. If this account belongs to someone else, have that user connect to the portal so their account will be registered with the portal.
  2. Once the account has been added to the portal, open a browser and connect to your portal through port 7443, for example, https://portal.domain.com:7443/arcgis/home.
  3. Sign in using the initial administrator account you created when you set up Portal for ArcGIS.
  4. Find the Active Directory account you will use to administer your portal and change the role to Administrator. The account will appear in the format username@domain.
  5. Sign out of the website.

Now when you are logged in to your computer with this Active Directory account, you can connect to your portal through the Web Adaptor and administer the portal.

Demote or delete the initial administrator account

Now that you have an alternate portal administrator account, you can assign the initial administrator account to the User role or delete the account. See About the initial administrator account for more information.

Prevent users from creating their own accounts

After you've secured access to your portal, you can disable the Create an account button and sign-up page (signup.html) in the portal website so that people cannot create their own accounts. This means all members sign in to the portal with their enterprise credentials, and unnecessary member accounts cannot be created.

Follow these steps to prevent users from creating their own accounts:

Steps:
  1. Browse to <Portal for ArcGIS installation directory>\customizations\10.2.2\webapps\arcgis#home\js\esri\arcgisonline and open config.js in a text editor.
  2. Locate the showSignUp property and specify the value as false.
  3. Save and close the file.
  4. To apply your edits, restart your portal.
  5. After the portal restarts, clear your browser's cache (including cookies) to see the changes in the portal website.
5/5/2015