Using Integrated Windows Authentication with your portal
You can secure access to your portal using Integrated Windows Authentication (IWA). When you use IWA, logins are managed through Microsoft Windows Active Directory. Users do not sign in and out of the portal website; instead, when they open the website they are signed in using the same accounts they used to log in to Windows.
There are three principal steps that must be completed to configure IWA with your portal, and they should be completed in the following order:
- Configure Portal for ArcGIS to use Windows Active Directory users
- Configure ArcGIS Web Adaptor to use Windows authentication
- Designate a Windows account as an administrator
Legacy: In 10.2, you were required to edit a properties file on disk to configure security for your portal. This is no longer required at 10.2.1 and later versions. The following instructions only apply to 10.2.1 and later versions. For help with these instructions at 10.2, see the 10.2 documentation.
Configuring Portal for ArcGIS to use Windows Active Directory users
First, configure your portal to use SSL exclusively. This is set on the Security page in the portal website.
- Sign in to the portal website as the portal administrator.
- Click Edit Settings on the My Organization page.
- Click Security.
- Check Allow access to the portal through SSL only.
- Click Save to apply your changes.
Next, update your portal's identity store to use Windows Active Directory accounts.
- Log in to the Portal Directory with an account that has administrator privileges. The URL is in the format https://webadaptor.domain.com/arcgis/portaladmin.
- Click Security > Config > Update Identity Store.
- Place the IWA configuration JSON in the User store configuration (in JSON format) text box.
You can copy the following text and alter it to contain the information specific to your site:
{ "type": "WINDOWS", "properties": { "userPassword": "secret", "isPasswordEncrypted": "false", "user": "mydomain\\winaccount", "userFullnameAttribute": "cn", "userEmailAttribute": "mail", "caseSensitive": "false" } }
In most cases, you will only need to alter values for the user and userPassword parameters. Although you type the password in clear text, it will be encrypted when stored in the portal's configuration directory or viewed. The account you use for the user parameter only needs permissions to look up the email address and full name of Windows accounts on the network. If possible, use an account whose password does not expire.
In the rare case where your active directory is configured to be case sensitive, set the caseSensitive parameter to "true".
- When you have finished entering the JSON for the user store configuration, click Update Configuration to save your changes and restart the portal.
Configuring ArcGIS Web Adaptor to use Windows authentication
Next, configure ArcGIS Web Adaptor to use Windows authentication. For ArcGIS Web Adaptor (IIS), set the authentication method in IIS Manager.
- Start IIS Manager.
- Access the ArcGIS Web Adaptor website in the Connections panel.
Expand <your server> > Sites > Default Web Site and click on your Web Adaptor. If you used the default name, the site is named arcgis.
- Double-click Authentication in the Home panel.
- Click Anonymous Authentication and click Disable.
- Click Windows Authentication and click Enable.
- Close IIS Manager.
If you'll be adding an ArcGIS Server site to your portal and want to use web-tier authentication with the site, you'll need to disable web-tier authentication (basic or digest) and enable anonymous access on the ArcGIS Web Adaptor configured with your site before adding it to the portal. Although it may sound counterintuitive, this is necessary so that your site is free to federate with the portal and read the portal's users and roles. If your ArcGIS Server site is not already using web-tier authentication, no action is required on your part. For instructions on how to add a server to your portal, see Federating an ArcGIS Server site with your portal.
Designating a Windows account as an administrator
How you add a Windows account to your portal will depend on whether your portal is configured to add accounts to the portal automatically when people sign in using an enterprise login or if accounts must be added from the ArcGIS Portal Directory. For information on this setting, see Configuring account creation.
If you manually register accounts for enterprise users
If your portal is configured so that you must add accounts using the CreateUsers tool, follow the instructions in Adding enterprise accounts to your portal to add the Windows account as your portal administrator. Be sure to choose the Administrator role when registering the enterprise account.
If accounts are automatically registered for enterprise users
If your portal is configured to register enterprise accounts automatically, open the portal website home page while logged in with the Windows account you want to use as the portal administrator. Depending on your browser and settings, you may be prompted to sign in.
When an account is first added to the portal automatically, it is assigned the User role. Only an administrator can change the role on an account; therefore, you must log in to the portal using the initial administrator account and assign a Windows account to the Administrator role. Since your Web Adaptor is set for Windows authentication, you must connect to the portal through port 7443 rather than the Web Adaptor to sign in using the initial administrator account.
- Connect to the portal while logged in to your computer with the Windows account you want to use as an administrator. If this account belongs to someone else, have that user connect to the portal so the account is registered with the portal.
- Once the Windows account has been added to the portal, open a browser and connect to your portal through port 7443, for example, https://portal.domain.com:7443/arcgis/home.
- Sign in using the initial administrator account you created when you set up Portal for ArcGIS.
- Find the Windows account you will use to administer your portal and change the role to Administrator. The account will appear in the format username@domain.
- Sign out of the website.
Now when you are logged in to your computer with this Windows account, you can connect to your portal through the Web Adaptor and administer the portal.
Demote or delete the initial administrator account
Now that you have an alternate portal administrator account, you can assign the initial administrator account to the User role or delete the account. See About the initial administrator account for more information.
Prevent users from creating their own accounts
After you've secured access to your portal, you can disable the Create an account button and sign-up page (signup.html) in the portal website so that people cannot create their own accounts. This means all members sign in to the portal with their enterprise credentials, and unnecessary member accounts cannot be created.
Follow these steps to prevent users from creating their own accounts:
- Browse to <Portal for ArcGIS installation directory>\customizations\10.2.2\webapps\arcgis#home\js\esri\arcgisonline and open config.js in a text editor.
- Locate the showSignUp property and specify the value as false.
- Save and close the file.
- To apply your edits, restart your portal.
- After the portal restarts, clear your browser's cache (including cookies) to see the changes in the portal website.