
Rest Manager Login

Comments

11 comments

  • Ryan Cooney

    Hi Cathy,

    There is an equivalent app setting for Rest Manager in its Web.Config file. The default value is:

    <add key="AdminRoleName" value="BUILTIN\Administrators" />

    This needs to match the full group name so it should look something like:

    <add key="AdminRoleName" value="MYMACHINENAME\MyTargetGroup" /> or

    <add key="AdminRoleName" value="MYDOMAINNAME\MyTargetGroup" />

    The name needs to be an exact match so make sure the machine or domain name is in ALLCAPS and the group name case matches that of the Windows group. If you've gotten this far and it is still not working you may need to grant "Interactive Logon" permissions to your users. 

    --Ryan

    0
  • Permanently deleted user

    Thanks Ryan, worked like a charm!

    0
  • Permanently deleted user

    On Server 2008 R2

    When my web.config is set to <add key="AdminRoleName" value="BUILTIN\Administrators" /> it works just fine as I am in the administrators group.

    If I set it to something like <add key="AdminRoleName" value="SERVERNAME\EssentialsManagerAdmin" /> I can still log in with my Admin account as it is a member of that group, but non-admin users cannot log in; we get an error message in the event logs: "The user has not been granted the requested logon type at this machine"

    We cannot allow non-admin users to log on locally (i.e. Interactive Logon) as suggested here, this is probably a bad policy on a Server (at least on ours).

    Is there a way non-admin users can log in to the REST Manager without being granted these elevated rights?

    Thanks

    Eric

     

     

     

    0
  • Permanently deleted user

    Hi Eric,

    I have a similar setup with each municipality logging into Rest Manager.

     

    I have set it up so they are not administrators, but have made a group for their users called agEssentials.

    My setup looks like this:

    <add key="AdminRoleName" value="GISWEB\agEssentials" />

    0
  • Permanently deleted user

    Thanks Cathy, did you have to allow the users to log on locally?

    0
  • Permanently deleted user

    Eric,

     

    We've switched the admin group on our installation and did not have to grant login rights to the users.

    The only thing to keep in mind is that ALL users can edit ALL sites, so if you are giving access to various groups (organizations) there may be some issues.

     

    If that is the case, you can always install a second (or more) profile and separate different groups that way.

    Peter.

    0
  • Permanently deleted user

    Eric,

    I believe REST Manager users do need to be given "log on locally" rights, as the authentication process uses the LOGON_INTERACTIVE flag.  In general, users by default have this permission unless the server is also a domain controller; though I have seen instances where the default state is for users to not have local logon privileges - this often is due to a specific security policy applied to the server.

    While I'm not sure that there's a specific workaround for Essentials currently to allow users w/o interactive logon permissions to access REST Manager, I'll see what the implications are for using an alternate logon type that does not require users to have this security setting.  If possible to use an alternate logon type, it would not be until a later Essentials release that this becomes possible.

    For the time being, if you have a development Essentials server which does not have the tighter security restrictions, you can use that for REST Manager work, then migrate the Site.xml (and associated files) from development up to the production environment.  If you do have an environment where this is feasible, it can be positive also for management purposes to not use REST Manager directly on the final production computer (fewer site synchronization issues across environments).

    John

    0
  • Permanently deleted user

     

    Thanks for your answers Cathy, Peter and John.

    It looks like we will need to have some of the developers work on their local workstations as even our Development servers are locked down by default.

    If I asked for non-admin users to have interactive login rights on the servers our security folks will have a stroke!

    This may be a problem for other users in the U.S. Federal Government if they follow more stringent security guidelines as we do.  It would be great if there was a solution so we would not have to support desktop installs.

    Thanks,

    Eric

     

     

    0
  • Permanently deleted user

    Eric,

    Just to be clear, your Essentials Manager users do NOT have to be given rights to actually log onto the server via Terminal Services (RDP).

     

    They only need to have the "Allow log on locally" policy.  This is allowed by default because "Authenticated Users" is already in the list.

    In order to actually log onto the server (assuming they don't have direct access to the physical console), they would need to be added to the "Allow log on through Remote Desktop Services" policy.  We created a new local group, put all the domain accounts of our developers in it then updated the web.config to use the new group.  This is working fine for us so far.  Only two of us have RDP access to the server - the rest can only log onto the Essentials Manager.

    Peter.

    0
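The distinction drawn in the comment above, between the "Allow log on locally" right and the "Allow log on through Remote Desktop Services" right, can be checked on a server by exporting its user-rights assignments and listing who holds each one. This is an added example, not part of the original thread; the function names are hypothetical and the sample export is constructed.

```powershell
# CONSTRUCTED sample shaped like the [Privilege Rights] section of a secedit export.
# S-1-5-32-544 = BUILTIN\Administrators, S-1-5-11 = Authenticated Users.
$sample = @'
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-11
SeRemoteInteractiveLogonRight = *S-1-5-32-544
SeDenyInteractiveLogonRight =
'@

# Return an ordered map: right name -> array of raw entries (*SID or account name).
function Get-LogonRightHolders {
    param([string[]]$InfLines)
    $wanted = 'SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight',
              'SeDenyInteractiveLogonRight'
    $result = [ordered]@{}
    foreach ($name in $wanted) { $result[$name] = @() }
    foreach ($line in $InfLines) {
        if ($line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $right = $Matches[1]; $value = $Matches[2]
            if ($wanted -contains $right) {
                $result[$right] = @($value -split ',' |
                    ForEach-Object { $_.Trim() } | Where-Object { $_ })
            }
        }
    }
    $result
}

# Turn "*S-1-..." into DOMAIN\Name where the host can resolve it.
function Resolve-Principal {
    param([string]$Entry)
    if ($Entry -notmatch '^\*(S-1-.+)$') { return $Entry }   # already a name
    $raw = $Matches[1]
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($raw)
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $raw }   # unresolvable here: show the SID itself
}

# On a live server (elevated prompt), use a real export instead of the sample:
#   secedit /export /areas USER_RIGHTS /cfg "$env:TEMP\rights.inf" | Out-Null
#   $lines = Get-Content "$env:TEMP\rights.inf"
$lines  = $sample -split "`r?`n"
$rights = Get-LogonRightHolders -InfLines $lines
foreach ($name in $rights.Keys) {
    $who = $rights[$name] | ForEach-Object { Resolve-Principal $_ }
    '{0,-32} {1}' -f $name, $(if ($who) { $who -join ', ' } else { '(none)' })
}
```

A group named in AdminRoleName can only sign in to REST Manager if it, or a group containing it, appears under SeInteractiveLogonRight and not under SeDenyInteractiveLogonRight; it does not need to appear under SeRemoteInteractiveLogonRight.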
  • Permanently deleted user

    That's a good point Peter, thanks for the clarification.

    John

    0
  • Permanently deleted user

    Peter,

    On our 2008 R2 servers only Administrators are in the "Allow log on locally" group policy.  We do have a few exceptions for things like our enterprise scheduling system but I will need to get an exception for these users.

    We had our 2003 servers set up as you describe and we will see if they will approve of this approach on our 2008 servers.

    Thanks for your help!

    Eric

     

    0
