Server 10.1, Active Directory & Essentials
Need some feedback on how to configure security so I don't kill access from Essentials back to my web map services.
My setup consists of 2 ArcGIS servers using 10.1, and a VM with the Web Adaptor and Essentials installed. I figured out Essentials needs Anonymous authentication enabled on the Web Adaptor server to be able to access map services, and that will still allow me to publish without issue. I think I have also successfully tested assigning Active Directory security to a service, since I was unable to see that service from the Silverlight app builder (my domain account was not in the group I gave access to the service). I'm still not sure what role the cross-domain policy plays in all of this; nevertheless I've placed that XML file in the wwwroot folder on my Web Adaptor server.
If this all sounds completely normal, then I guess I got lucky. If not, please let me know where I can improve.
One other question remains though: it's easy to use built-in roles on the server to control access to admin-level areas of ArcGIS Server Manager, but if you're utilizing Active Directory, how can you limit what users can access?
Forgot to add a few details (screenshot attached)
1. Authentication Tier is set to ArcGIS Server. It seems like everything I read said this needs to be set to Web Server if you are using the Web Adaptor.
2. Authentication Mode is set to ArcGIS Tokens.
This setup is tested and confirmed to work well:
User Store: Windows Domain
Role Store: Windows Domain
Authentication Tier: GIS Server
Authentication Mode: ArcGIS Tokens
This is following the instructions given here: http://resources.arcgis.com/en/help/main/10.1/index.html#/Securing_services_with_users_and_roles_from_an_LDAP_server/01540000050w000000/
This setup allows token-based security to work with Windows users and roles, and no modifications are required to how Essentials works to enable it. Administrative connections _should_ be able to be made through the Web Adaptor -or- through port 6080, although talking directly to ArcGIS Server (if possible) has proven to be a bit more reliable at the present time.
A potentially large drawback though is the fact that Essentials will now store whatever Windows user and password was used to connect initially, and subsequent requests from Essentials to ArcGIS Server will impersonate that user to connect, and not the user in front of the computer. Basically this is the same as how token based security worked in 10.0, except you now have the option of using it with real Windows users.
This is probably what you are actually setting up here: http://resources.arcgis.com/en/help/main/10.1/index.html#/Securing_web_services_with_Integrated_Windows_Authentication/015400000517000000/
This method requires you to set authentication to 'Web Tier', which simply means that responsibility for authenticating users has now been passed off to the web adaptor in IIS. This allows you to use existing Windows users as ArcGIS administrators, and requires you to make all administrative connections through the web adaptor. In fact all traffic must now pass through the web adaptor, as ArcGIS Server will now refuse to serve anything to an unauthenticated user, and the web adaptor is handling all authentication.
This causes problems with an out-of-the-box install of Essentials, as by default Essentials runs in IIS under the identities of some local users that cannot be added to the list of allowed domain users. To fix this, you'll have to make sure that both the REST and Manager applications are running in application pools as actual domain users that can then be given access to ArcGIS Server via the web adaptor.
The built-in identity of NETWORK SERVICE can still be used for this, although Microsoft now recommends against the use of this identity, and in IIS 7 or later it is fairly easy to use domain users created for this specific purpose. Nothing need be done to enable the new users to run an app pool, as this will happen automatically. They _will_ need to be given filesystem permissions on the local Essentials server as per this article:
https://support.geocortex.com/file-permissions-for-geocortex-essentials-rest-elements
The biggest benefit of doing the work to set this up is that you will be able to have 'true' single sign on for your mapping services, and not have to 'fake' the last step to ArcGIS Server by using hardcoded credentials.
Hope this helps.
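The app-pool change described in the answer above (REST and Manager pools running as real domain users so the Web Adaptor can authenticate them at the Web Tier), as an added PowerShell example that is not part of the thread and not Geocortex's own tooling. The pool names, the service-account names and the Essentials install path are assumptions; replace them with the values from your install, and take the exact folders needing permissions from the Geocortex article linked above.

```powershell
# Added example (not from the thread): move the Essentials REST and Manager
# application pools from a built-in identity to dedicated domain accounts, so
# requests to the Web Adaptor arrive as a real, allow-listed domain user.
# Run in an elevated PowerShell on the Essentials/IIS server (IIS 7 or later).
# Pool names and account names below are placeholders (assumed, not from the thread).

Import-Module WebAdministration

$pools = @{
    'GeocortexEssentialsRest'    = 'CORP\svc-gce-rest'      # assumed names
    'GeocortexEssentialsManager' = 'CORP\svc-gce-manager'   # assumed names
}

foreach ($poolName in $pools.Keys) {
    $account  = $pools[$poolName]
    $poolPath = "IIS:\AppPools\$poolName"

    if (-not (Test-Path $poolPath)) {
        Write-Warning "Application pool '$poolName' not found; skipping."
        continue
    }

    # Prompt for the password rather than hardcoding it in the script.
    $cred = Get-Credential -UserName $account -Message "Password for $account"

    # identityType 3 = SpecificUser. (2 would be NetworkService, the built-in
    # identity the answer notes Microsoft now recommends against.)
    Set-ItemProperty -Path $poolPath -Name processModel -Value @{
        identityType = 3
        userName     = $cred.UserName
        password     = $cred.GetNetworkCredential().Password
    }

    # Confirm the identity actually changed before recycling the pool.
    $pm = Get-ItemProperty -Path $poolPath -Name processModel
    if ("$($pm.identityType)" -ne 'SpecificUser' -or $pm.userName -ne $account) {
        throw "Identity change for '$poolName' did not apply."
    }
    Restart-WebAppPool -Name $poolName
    Write-Host "$poolName now runs as $account"
}

# Filesystem rights for the new identities. The linked Geocortex article lists
# the exact folders; this list is a placeholder (assumed path), so grant only
# the folders that article names rather than the whole install tree.
$essentialsFolders = @(
    'C:\Program Files\Latitude Geographics\Geocortex Essentials\REST Elements'   # assumed
)
foreach ($folder in $essentialsFolders) {
    foreach ($account in $pools.Values) {
        # Modify (M) on the folder and everything it inherits to (OI)(CI).
        icacls $folder /grant "${account}:(OI)(CI)M" /T | Out-Null
    }
}
```

The verification step after `Set-ItemProperty` matters: if the pool silently keeps its old identity, the Web Adaptor will still see NETWORK SERVICE (or a local account) and ArcGIS Server will refuse the request, which looks like Essentials "losing" its services rather than like a permissions error.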
This is a fantastic thread with some great information.
We have configured our ArcGIS Server security settings in a hybrid fashion... using Windows Domain for the users, but the built-in for the role store. We've run into a lot of performance problems when using the Windows Domain for the role store, especially for those users who were in a lot of groups or nested groups. Authentication is set to GIS Server with ArcGIS Tokens.
Can Geocortex be set up to use the ArcGIS Server built-in user or role providers (rather than setting up another role provider that would have to be dual managed)? Could it be set up to use the hybrid model I've outlined above?