Using Integrated Windows Authentication with your portal

You can secure access to your portal using Integrated Windows Authentication (IWA). When you use IWA, logins are managed through Microsoft Windows Active Directory. Users do not sign in and out of the portal website; instead, when they open the website they are signed in using the same accounts they use to log in to Windows.

There are three principal steps to configuring IWA with your portal:

  1. Configure Portal for ArcGIS to use Windows Active Directory users
  2. Configure the ArcGIS Web Adaptor to use Windows authentication
  3. Designate a Windows account as an administrator

Configuring Portal for ArcGIS to use Windows Active Directory users

First, configure your portal to use SSL exclusively. This is set on the Security page in the portal website.

Steps:
  1. Sign in to the portal website as the portal administrator.
  2. Click Edit Settings on the My Organization page.
  3. Click Security.
  4. Check Allow access to the portal through SSL only.
  5. Click Save to apply your changes.

Next, edit the portal-config.properties file to use Windows Active Directory accounts.

Steps:
  1. Open the portal-config.properties file in a text editor. Open the text editor with the Run As Administrator option.

    The file is in the Portal for ArcGIS installation directory. By default, the directory is c:\Program Files\ArcGIS\Portal\etc.

  2. Uncomment the following lines found under the Windows example in the IDP section of the file by removing the pound signs (#) at the beginning of each line:

    # idp.type=WINDOWS
    # idp.ad.user=mydomain\\someuser
    # idp.ad.userpassword=secret
    # idp.ad.user.fullnameattribute=cn
    # idp.ad.user.emailattribute=mail
    # idp.userpassword.encrypted=false

  3. Alter the IDP settings to use Windows Active Directory.
    1. Keep the idp.type set to WINDOWS.
    2. Set the idp.ad.user to the Windows Active Directory account login that has read access to the domain.
      Note:

      If the account name or password contains dot (.), comma (,), or backslash (\) characters, you must place a backslash in front of each character. The backslash serves as an escape character.

    3. Set the idp.ad.userpassword to the password of the Windows Active Directory account specified in idp.ad.user.
    4. Set the idp.ad.user.fullnameattribute to the Active Directory attribute that contains people's real names, such as Jane Doe. This value is used to correctly populate people's full names in their Portal for ArcGIS profiles. This must be provided by your Active Directory administrator.
    5. Set the idp.ad.user.emailattribute to the Active Directory attribute that contains people's email addresses. This is used in people's profiles. This differs from organization to organization; therefore, this must be provided by your Active Directory administrator. If this is not provided, Portal accounts will still work, but personal profiles will not contain email addresses.
    6. Verify that the idp.userpassword.encrypted property is set to false.

    The properties will look similar to the following after you make your changes:

    idp.type=WINDOWS
    idp.ad.user=mydomain\\readaccount
    idp.ad.userpassword=Abcd1234
    idp.ad.user.fullnameattribute=cn
    idp.ad.user.emailattribute=mail
    idp.userpassword.encrypted=false

  4. When the Portal for ArcGIS service is restarted, the value for the idp.ad.userpassword property will be encrypted, and the idp.userpassword.encrypted property will change from false to true.
  5. Save and close the portal-config.properties file.
  6. Restart the Portal for ArcGIS service.

    You can do this from the Windows Services interface or a command prompt. For more information, see Stopping and starting the portal.
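As an added example that is not Esri's code, the following Python builds the Windows IDP block from a copy of the file using the escaping rule from the note above (backslash before each dot, comma or backslash) and reports whether the AD read account's password is still stored in clear text, which is the state the file is in from the moment you save it until the service restart in step 4 encrypts it. The sample file contents, account name and password are constructed.

```python
import re

# Constructed sample of the commented-out Windows example in the IDP section.
SAMPLE_PROPERTIES = """\
# IDP section
# idp.type=WINDOWS
# idp.ad.user=mydomain\\\\someuser
# idp.ad.userpassword=secret
# idp.ad.user.fullnameattribute=cn
# idp.ad.user.emailattribute=mail
# idp.userpassword.encrypted=false
"""

def escape_ad_value(value):
    """Put a backslash before each '.', ',' or '\\' in an idp.ad.* value."""
    return re.sub(r"([.,\\])", r"\\\1", value)

def configure_windows_idp(text, ad_user, ad_password,
                          fullname_attr="cn", email_attr="mail"):
    """Uncomment the six Windows IDP lines and set their values; leave other lines alone."""
    values = {
        "idp.type": "WINDOWS",
        "idp.ad.user": escape_ad_value(ad_user),
        "idp.ad.userpassword": escape_ad_value(ad_password),
        "idp.ad.user.fullnameattribute": fullname_attr,
        "idp.ad.user.emailattribute": email_attr,
        "idp.userpassword.encrypted": "false",  # the portal flips this to true on restart
    }
    out = []
    for line in text.splitlines():
        m = re.match(r"^\s*#?\s*(idp\.[\w.]+)\s*=", line)
        if m and m.group(1) in values:
            out.append(f"{m.group(1)}={values[m.group(1)]}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"

def parse_properties(text):
    """Return the active (uncommented) key=value pairs of a properties file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, val = line.partition("=")
            props[key.strip()] = val.strip()
    return props

def plaintext_password_on_disk(text):
    """True while idp.ad.userpassword is unencrypted, i.e. before the service restart."""
    props = parse_properties(text)
    return (props.get("idp.userpassword.encrypted", "false").lower() == "false"
            and bool(props.get("idp.ad.userpassword")))
```

Run the check against the real file after restarting the service; if it still returns True, the restart did not pick up the file and the read account's password remains readable by anyone with access to the etc directory.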

Configuring the ArcGIS Web Adaptor to use Windows authentication

Next, configure ArcGIS Web Adaptor to use Windows authentication. For ArcGIS Web Adaptor (IIS), set the authentication method and SSL settings in IIS Manager.

Caution:

If you are currently sharing the Web Adaptor with ArcGIS Server, you must configure a separate Web Adaptor for ArcGIS Server. You cannot share the Web Adaptor with ArcGIS Server if you are going to use IWA.

Steps:
  1. Start IIS Manager.
  2. Access the ArcGIS Web Adaptor website in the Connections panel.

    Expand <your server> > Sites > Default Web Site and click on your Web Adaptor. If you used the default name, the site is named arcgis.

  3. Double-click Authentication in the Home panel.
  4. Click Anonymous Authentication and click Disable.
  5. Click Windows Authentication and click Enable.
  6. Close IIS Manager.

Designating a Windows account as an administrator

To add your Windows account to the portal, open the Portal for ArcGIS home page. Depending on your browser and settings, you may be prompted to sign in using your Windows user name and password, or you will be signed in automatically.

When an account is first added to the portal, it is assigned the User role. Only an administrator can change the role on an account; therefore, you must log in to the portal using the initial administrator account and assign a Windows account to the Administrator role. Since your Web Adaptor is set for Windows authentication, you must connect to the portal through port 7443 rather than the Web Adaptor to sign in using the initial administrator account.

Steps:
  1. Open a browser and connect to your portal through port 7443, for example, https://portal.domain.com:7443/arcgis/home.
  2. Sign in using the initial administrator account you created when you set up Portal for ArcGIS.
  3. Find the Windows account you will use to administer your portal and change the role to Administrator. The account will appear in the format username@domain.
  4. Sign out of the website.

Now when you are logged in to your computer with this Windows account, you can connect to your portal through the Web Adaptor and administer the portal.

Now that you have an alternate administrator, you can assign the initial administrator account to the User role or delete the account. See About the initial administrator account for more information.

Note:

If you'll be adding an ArcGIS Server site to your portal and want to use IWA with the server, you'll need to disable IWA on your ArcGIS Server site and enable anonymous access before adding it to the portal. Although it may sound counterintuitive, this is necessary so that your site is free to federate with the portal and read the portal's users and roles from IWA. If your ArcGIS Server site is not already using IWA, no action is required on your part.

For steps on how to disable IWA on your ArcGIS Server site, see Setting up your portal and federated server to use Windows accounts. For full instructions on how to add an ArcGIS Server site to your portal, see Federating an ArcGIS Server site with your portal.

Disable users from creating their own accounts

After you've secured access to your portal, configure your portal so that users are prevented from creating their own accounts. This forces users to sign in with their enterprise credentials and prevents unnecessary members from being created. To do this, modify a property in the config.js.bak file, which disables the Create an account button and the sign-up page (signup.html) in the portal website:

Steps:
  1. Browse to <Portal for ArcGIS installation directory>\webapps\arcgis#home\js\esri\arcgisonline and open config.js.bak in a text editor.
  2. Locate the showSignUp property and specify the value as false.
  3. Save and close the file.
  4. To apply your edits, restart your portal.
  5. After the portal restarts, clear your browser's cache to see the changes in the portal website.
12/13/2013