Using PKI to secure access to your portal

You can use a public key infrastructure (PKI) to secure access to your portal.

The following sections explain setting up Portal for ArcGIS and the ArcGIS Web Adaptor (IIS) to use a PKI. If you need assistance configuring other web servers to use PKI with ArcGIS Web Adaptor (IIS), contact Esri Professional Services.

These steps assume you have already installed ArcGIS Web Adaptor (IIS) and Portal for ArcGIS and registered your portal with the Web Adaptor.

Configuring Portal for ArcGIS to use Windows Active Directory users

First, configure your portal to use SSL exclusively. This is set on the Security page in the portal website.

Steps:
  1. Sign in to the portal website as the portal administrator.
  2. Click Edit Settings on the My Organization page.
  3. Click Security.
  4. Check Allow access to the portal through SSL only.
  5. Click Save to apply your changes.

Next, edit the portal-config.properties file to use Windows Active Directory accounts.

Steps:
  1. Open the portal-config.properties file in a text editor. Open the text editor with the Run As Administrator option.

    The file is in the Portal for ArcGIS installation directory. By default, the directory is C:\Program Files\ArcGIS\Portal\etc.

  2. Uncomment the following lines found under the Windows example in the IDP section of the file by removing the pound signs (#) at the beginning of each line:

    # idp.type=WINDOWS
    # idp.ad.user=mydomain\\someuser
    # idp.ad.userpassword=secret
    # idp.ad.user.fullnameattribute=cn
    # idp.ad.user.emailattribute=mail
    # idp.userpassword.encrypted=false

  3. Alter the IDP settings to use Windows Active Directory.
    1. Set idp.type to WINDOWS.
    2. Set the idp.ad.user to the Windows Active Directory account login that has read access to the domain.
      Note:

      If the account name or password contains dot (.), comma (,), or backslash (\) characters, you must place a backslash in front of each character. The backslash serves as an escape character.

    3. Set the idp.ad.userpassword to the password of the Windows Active Directory account.
    4. Set the idp.ad.user.fullnameattribute to the Active Directory attribute that contains people's real name, such as Jane Doe. This value is used to correctly populate people's full names in their Portal for ArcGIS profiles. This must be provided by your administrator.
    5. Set the idp.ad.user.emailattribute to the Active Directory attribute that contains people's email addresses. This is used in people's profiles. This differs from organization to organization; therefore, this must be provided by your Active Directory administrator. If this is not provided, Portal accounts will still work, but personal profiles will not contain email addresses.
    6. Do not modify the idp.type or idp.userpassword.encrypted properties.

    The properties will look similar to the following after you make your changes:

    idp.type=WINDOWS
    idp.ad.user=mydomain\\readaccount
    idp.ad.userpassword=Abcd1234
    idp.ad.user.fullnameattribute=cn
    idp.ad.user.emailattribute=mail
    idp.userpassword.encrypted=false

  4. When the Portal for ArcGIS service is restarted, the value for the idp.ad.userpassword property will be encrypted, and the idp.userpassword.encrypted property will change from false to true.
  5. Save and close the portal-config.properties file.
  6. Restart the Portal for ArcGIS service.

    You can do this from the Windows Services interface or a command prompt. For more information, see Stopping and starting the portal.
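The following is an added example (not from the Esri documentation) that applies the escaping rule from the note above when writing the idp.* lines, and checks a parsed copy of the IDP section before and after the service restart; the account and password values it is given are constructed.

```python
# Added example, not part of the Esri documentation: builds the idp.* block of
# portal-config.properties with the escaping rule from the note above and checks
# a parsed snippet before and after the Portal for ArcGIS service restart.
ESCAPED_CHARS = {".", ",", "\\"}

def escape_idp_value(value: str) -> str:
    """Prefix each dot, comma and backslash with a backslash."""
    return "".join("\\" + ch if ch in ESCAPED_CHARS else ch for ch in value)

def render_idp_properties(account: str, password: str,
                          fullname_attr: str = "cn", email_attr: str = "mail") -> str:
    """Render the six lines the procedure uncomments and edits."""
    lines = [
        "idp.type=WINDOWS",
        "idp.ad.user=" + escape_idp_value(account),
        "idp.ad.userpassword=" + escape_idp_value(password),
        "idp.ad.user.fullnameattribute=" + fullname_attr,
        "idp.ad.user.emailattribute=" + email_attr,
        "idp.userpassword.encrypted=false",
    ]
    return "\n".join(lines) + "\n"

def parse_properties(text: str) -> dict:
    """Minimal .properties reader: skip blanks and '#' comments, split on the first '='."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def idp_issues(props: dict) -> list:
    """Findings to review in the IDP section; an empty list means the block is consistent."""
    issues = []
    if props.get("idp.type") != "WINDOWS":
        issues.append("idp.type is not WINDOWS")
    for key in ("idp.ad.user", "idp.ad.userpassword"):
        if not props.get(key):
            issues.append(key + " is missing or empty")
    encrypted = props.get("idp.userpassword.encrypted")
    if encrypted == "false":
        # The password is still plaintext on disk: the service has not been restarted.
        issues.append("idp.userpassword.encrypted is false: restart the Portal for ArcGIS service")
    elif encrypted != "true":
        issues.append("idp.userpassword.encrypted must be true or false")
    return issues
```

Run idp_issues over the parsed file after the restart: the only expected change is idp.userpassword.encrypted flipping from false to true, and a plaintext password that remains with the flag still false means the restart has not taken effect.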

Enable Active Directory Client Certificate Mapping Authentication on the Web Adaptor

You must enable client certificate mapping authentication in IIS. For instructions, see Client Certificate Mapping Authentication on the IIS website.

Configure the Web Adaptor to require SSL

Alter authentication and SSL settings for your Web Adaptor.

Steps:
  1. Start Internet Information Services (IIS) Manager.
  2. Expand the Connections node and select your Web Adaptor site.
  3. Double-click Authentication in the Features View window.
  4. Disable all forms of authentication.
  5. Select your Web Adaptor from the Connections list again.
  6. Double-click SSL Settings.
  7. Choose the option to Require SSL.

Designate an Active Directory account as an administrator

To add your Active Directory account to the portal, open the Portal for ArcGIS home page while logged in with that account. Depending on your browser and settings, you may be prompted to sign in, or you will be signed in automatically.

When an account is first added to the portal, it is assigned the User role. Only an administrator can change the role on an account; therefore, you must log in to the portal using the initial administrator account and assign an Active Directory account to the Administrator role. You must connect to the portal through port 7443 rather than the Web Adaptor to sign in using the initial administrator account.

Steps:
  1. Open a browser and connect to your portal through port 7443, for example, https://portal.domain.com:7443/arcgis/home.
  2. Sign in using the initial administrator account you created when you set up Portal for ArcGIS.
  3. Change the role to Administrator for the Active Directory account you will use to administer your portal.
  4. Sign out of the website.

Now when you are logged in to your computer with this Windows account, you can connect to your portal through the Web Adaptor and administer the portal.

Now that you have an alternate administrator, you can assign the initial administrator account to the User role or delete the account. See About the initial administrator account for more information.

Note:

If you'll be adding an ArcGIS Server site to your portal and want to use PKI with the server, you'll need to disable web-tier authentication, such as Integrated Windows Authentication (IWA), on your ArcGIS Server site and enable anonymous access before adding it to the portal. Although it may sound counterintuitive, this is necessary so that your site is free to federate with the portal and read the portal's users and roles. If your ArcGIS Server site is not already using web-tier authentication, no action is required on your part. For instructions on how to add a server to your portal, see Federating an ArcGIS Server site with your portal.

Disable users from creating their own accounts

After you've secured access to your portal, configure your portal so that users are prevented from creating their own accounts. This allows you to force users to sign in with their enterprise credentials and prevents unnecessary members from being created. The way you do this is by modifying a property in the config.js.bak file which disables the Create an account button and sign-up page (signup.html) in the portal website:

Steps:
  1. Browse to <Portal for ArcGIS installation directory>\webapps\arcgis#home\js\esri\arcgisonline and open config.js.bak in a text editor.
  2. Locate the showSignUp property and specify the value as false.
  3. Save and close the file.
  4. To apply your edits, restart your portal.
  5. After the portal restarts, clear your browser's cache to see the changes in the portal website.
12/13/2013